Harden WordPress Security By Moving wp-config.php to a Non-public Folder

In case you haven’t been acquainted yet, let me introduce you to your wp-config.php file. If you run a self-hosted blog, your wp-config.php contains your MySQL database username, your MySQL database password, your WordPress authentication keys and other sensitive information. With this information, a hacker or script kiddie gets access to every piece of content on your WordPress blog, giving them free rein to delete your posts, insert malicious code, backlink to illegal porn sites, or whatever else they want.

By default, wp-config.php sits in the same folder as your WordPress blog. So, if the homepage of your blog is at, so is your wp-config.php. That’s not as reckless as it seems since .php files are server-side scripts that are processed by the server. When you are looking at a .php file, you are actually looking at the output of the file. The same goes for when you view the source. The only way to download the raw code of a .php file is via FTP.

But, just because you can’t normally access a .php file doesn’t mean you are always safe…

Accidents happen, and vulnerabilities exist.  If your web server’s PHP configuration breaks down, your MIME types aren’t set up correctly, or your web server is otherwise misconfigured, your web page could end up serving plain text instead of processed PHP output; that is just a few examples.  And, just like being depantsed during a pep rally in the high school auditorium, it only takes a split-second and before you can get your knickers back on they’ve seen everything.  Yeah, they’ve seen it all.

In this groovyPost, I’ll show you how to keep your wp-config.php with your MySQL database usernames and passwords safe(r). While no website or blog is 100% un-hackable, this quick tip will make hacking your WordPress blog more difficult for would-be intruders than a site that hasn’t taken these precautions. Usually just being more secure than your neighbor is enough to deter a would-be hacker’s efforts to a site other than your own.  Remember, if you are ever in the woods with a group of people and a bear shows up -you don’t have to run faster than the bear, just faster than the other people.  (and all joking aside, Bear mace is your best bet if you are ever really in that situation)

Moving Your wp-config.php File

With the correct file permissions and a correctly configured web server, keeping your wp-config.php file in the same public folder as the rest of your blog should be perfectly fine. But, when it comes to protecting your website, security is an onion (or Ogre apparently); the more layers, the more of it you got.

The WordPress Codex affirms this sentiment and recommends that you move your wp-config.php away from its default install location. self-hosted blogs allow you to move your wp-config.php up one level from your blog’s root. That’s all well and good, but for most web servers, one level up from your blog root is still a public_html folder. You’re best off putting it in a folder that’s not a subdirectory of your public_html or WWW folder. That way, the chances of someone reaching it via a web browser or any other HTTP application is virtually nil.

Here’s what you do:

Step 1

Access your site via an FTP program and navigate to the root.

Step 2

Download wp-config.php to your hard drive.

wordpress security

Step 3

Rename it to something other than wp-config.php.

securing wp-config.php

Make it something nonsensical, so someone who stumbles upon it (perhaps someone who has hacked into your shared server via SSH) might not recognize it for what it is. So, instead of calling it “off-site-wordpress-config.php” call it “futurama-fan-fic.php.”

Step 4

Upload your renamed wp-config.php file to a folder above your public_html or www folder. Personally, I created an entire directory for off-site config files. But it’s probably safer to put them somewhere more random.

The most important thing is to put it outside of your www or public_html folder.

putting wp-config.php outside of www

Step 5

Open up notepad or your other favorite PHP editor.

Hiding your wp-config.php

Create a new wp-config.php file that contains only the following code:


Replace the directory here with the server location of your renamed wp-config.php file. Note that this isn’t a URL, it’s a path relative to your server location. So, making it:


will NOT work.

As you’ve probably gathered, what this will do is essentially create a “shortcut” to your actual wp-config.php file. So, if someone does hack your wp-config.php file in your WordPress directory, all they’ll find is a file pointing to another file.

For fun, you may want to add a comment that reads:

// Thank you Mario! But our princess is in another castle!

Step 6

Upload your new wp-config.php file to your WordPress root. Overwrite the old one (you backed it up first, right?). Security- Moving Wp-Config.php

Step 7

That’s it! Navigate to your blog root to ensure that it worked.

If you get an error that reads:

Warning: include(/’) [function.include]: failed to open stream: No such file or directory in/home/usr/public_html/ on line 2

Fatal error: Call to undefined function wp() in /wp-blog-header.php on line 14

Then it means that you typed in the server location wrong in your modified wp-config.php file. If you’re having trouble determining the absolute path of your blog, create a .php file with the following code in it:

<?php echo $_SERVER['DOCUMENT_ROOT']; ?>

This will show you the absolute path for whatever directory the file is in and will also illuminate how to move above the public_html folder.

If you get an error message that reads:

There doesn’t seem to be a wp-config.php file. I need this before we can get started. Need more help? We got it. You can create a wp-config.php file through a web interface, but this doesn’t work for all server setups. The safest way is to manually create the file.

Then it means that there’s no wp-config.php file in your root. Double-check that you uploaded the modified wp-config.php to your root or the folder just above it and the renamed wp-config.php file to another location, rather than vice-versa.

There doesn't seem to be a wp-config.php file. I need this before we can get started. Need more help? We got it. You can create a wp-config.php file through a web interface, but this doesn't work for all server setups. The safest way is to manually create the file.


Will moving your wp-config.php make your blog bulletproof? Certainly not. But it’s just one of the steps you can take towards making your website or blog more secure. And for me, it helps me sleep better at night—just like putting an extra chain or deadbolt on the door.

Note: Before you go mucking around your file structure, make sure you back things up and feel comfortable with what you’re doing. You could seriously mess up your WordPress blog if you delete the wrong thing. You’ve been warned.



  1. Dinesh @ DailyBlogMoney

    Its a good information, I heard that moving wp-config.php file to different location is one of the best way to protect wordpress blog. Now I came to know how to do that.

    I have a small doubt, if some one managed to hack and see the wp-config.php where normally locate, then he can open the same PHP file and see the hidden location, correct?

    Am I asking wrong question?
    Thanks for the nice tutorials.

    • groovinJackman

      You’re right, Dinesh — if someone had FTP access to your website, they probably could just navigate to where your hidden wp-config.php file is located.


      This security measure is mostly to protect you against misconfigured or compromised web servers throwing plain text instead of processed PHP. This has happened before. For example, got hacked a few years ago because the site was displaying in plain text for some reason. A non-malicious hacker hijacked the site and left this messsage:

      Hiho guys,

      this blog was in text/plain yesterday. Also a friend and I took a look in the wp-config.php. There is all the DB data we need to login here.

      So little change of the md5 hash and all was fine to login.
      I do not know this site really, but it’s nice and I will not delete posts, comments or something else.

      Admin, change your database password.

      Mr. X

      PS: Get down of PHP

      So, in this case, wp-config.php became visible to users via their web browser. But by moving the wp-config.php outside of your public_html folder, you prevent anyone from seeing it via Firefox or Chrome or IE, regardless of whether it’s plain text or not.

      Really, it’s sort of a long shot that this method would save your skin, but it could and has happened. Consider this scenario:

      A hacker or group of hackers wants to get access to someone’s website or database. So, they find out a way to crash PHP on the entire server. This is like knocking out the deflector shield generators on the Death Star. Once PHP is down, EVERYONE’s .php files on the web server turn into plain text. From there, the hackers can go in and pick out any passwords or other data they want, right from their web browsers–UNLESS its not in a public_html or WWW folder.

      If you are on a shared server, it only takes one persons’s poorly validated user data form or GET method to allow someone to inject something malicious that COULD bring down PHP.

      Again, a long shot–I’m sure very few of you are waging open warfare with Internet terrorists…but again, it’s all about layers…

      • Dinesh @ DailyBlogMoney

        Thats a great explanation.
        Now I got it how mush this is helpful by moving wp-config outside public_html folder.

        • wls

          Thats idead!! But when i update wordpress. core can block my website?

    • Vadim

      Also… Doing things like changing the PREFIX in database tables from Default or moving the location of files like wp-config.php out of the DEFAULT locations will protect your from Script kiddies using KNOWN attacks to script something and attack websites en-mass (metasploit etc..).

      Will this protect you from a hacker who wants to break in and cause damage… No. Will this help protect you against scripts that ppl run against the internet, yes however, like Jack said. It’s all about layers. Add more layers to make the website next door easier to attack and hopefully they will leave your site alone. :)

  2. Misty James

    Great article. Now lets see if I can execute it successfully! Unfortunately, I have been the victim of a hack so I really appreciate your advice!

  3. Misty James

    Just thought of a question. Does making this change effect the automatic update feature in wordpress?

    • MrGroove

      No. That is managed by PHP settings and Permissions set on the folder structure of your web host.

    • groovinJackman

      Hi Misty – Sorry to hear about your hack attack. And I can confirm that auto-update works just fine…I just upgraded to 3.1 before leaving this comment and no problems

      • Misty James

        Awesome! Thanks for checking that for me.

  4. amxcld9

    OK I just set this up on my account and then tried in a browser and it through up an error message giving full details of the path to my “hidden” config file?

    When I reverted back to standard nothing is returned.

    I changed the config file to 640 permissions as suggested.
    Didn’t work for .htaccess file as I could access the site with it at 640.

    Any thoughts on this?

  5. amxcld9

    ps. Error msg is most probably due to HTTP access being refused to the other file.
    Which by the way was on the same level as the normal config file.

    If that makes any difference?


    • groovinJackman

      hmm, well thats funny actually that happens to me, too. But its not really an issue, since they shouldn’t be able to plug in that location and view your config file, since you put it in a non-WWW directory, right?

      What you COULD do is add a .htaccess file protection to your wp-config.php file.

      Just add this bit to your .htaccess file (careful doing this–could mess things up):

      AuthType Basic
      AuthName “Protected Access”
      AuthUserFile /home/users/.htpasswd
      Require valid-user

      And then create a .htpasswd file and place it in the directory that you indicated on line AuthUserFile

      Just remember: you HAVE TO encrypt your passwords for .htpasswd.

      Use this tool to help you:

  6. amxcld9


  7. Paul Sulwer

    Thanks for the info, it works great!
    If you’re getting the errors mentioned under step 7 even though you have everything set up correctly (and you copied and pasted the syntax for the php include), just make sure you replace ‘smart quotes’ with ‘regular quotes’

  8. Tim

    Will this change still work if site is hosted on a windows server?

  9. Trent Jessee

    Great tutorial and very well written. I appreciate people like you who can make techy stuff like this super simple to understand. Thank you!

    • MrGroove

      You bet Trent! Thanks for the comment.

  10. Steve

    Hi, good tutorial!

    My WP install sits at my web root (public_html) and I’ve already moved the wp-config file up one level, so it’s outside of public_html.

    In light of that, would there be any benefit in me bringing it back to the web root and using your ‘include’ technique instead?

    Is one method more secure than the other?
    Are they both ok with regard to future one-click updating of WordPress?

  11. MilmIrriniTync

    anal blow free job oral sex sex
    free young girls anal sex video
    wife has anal sex
    anal banana enema
    big booty ass anal
    anal sex and pramoxine
    first time anal threesome
    astroglide anal shooters
    sydney moon anal control
    medical anal diseases
    interracial gang bang anal
    convencer novia sexo anal
    anal and pussy pictures
    free nude naked gallery anal
    free hard anal porn videos

  12. TeawayDet


  13. Tushar

    Recently my wp-config.php file is edited by hacker and they insert some code in it which resulted in my site is being redirected to other site. I fixed it now but how can i avoid it in future? help me.

  14. wantei

    I mainly use the WP Security Plugin to buff up the protection of my blog. I’m happy to say it works pretty well!

  15. Ian Dunn

    I think all of the conventional wisdom about moving wp-config is wrong. In most setups you have to expand openbase_dir, which can expose logs, backups and other sensitive information to hackers. Instead, you should use Apache directives to block access to wp-config. More details are at

  16. Abhishek

    In the most recent version of wordpress, you just move the file. WordPress will automatically understand that :)

  17. webpage

    I truly love your site.. Pleasant colors & theme.
    Did you make this web site yourself? Please reply back as I’m planning to create my very
    own blog and would like to learn where you got this from or just what the
    theme is called. Thanks!

  18. Tony

    I followed your instructions and website is working fine, however, when I navigate to I now get the following error:

    Warning: require_once(/home4/myaccount/wp-configs/wp-settings.php): failed to open stream: No such file or directory in /home4/myaccount/wp-configs/wp-config-secure.php on line 76

    Fatal error: require_once(): Failed opening required ‘/home4/myaccount/wp-configs/wp-settings.php’ (include_path=’.:/opt/php54/lib/php’) in /home4/myaccount/wp-configs/wp-config-secure.php on line 76

    Line 76 of my real config file is:
    require_once(ABSPATH . ‘wp-settings.php’);

    How can I fix this? Also, WP_debug is set to false so should I even get an error message?


    • Steve Krause

      When you moved your website, the home folder is probably different from the original website you hosted it at. You will need to edit your wp-config.php and edit the home directory location (/home4/myaccount/wp-configs/ to the proper location of your home folder. If you need help, you should be able to just ask your new hosting support team.

      If they won’t help, just let me know and I can assist as well. Just let us know.

      • Tony

        Hi Steve, thanks for the quick reply.
        To further clarify, I’m not moving the site to a different host, just moving wp-config for security purposes as per the original article.
        Referencing the article i’ve placed my real wp-config content in a new “secret” folder called wp-configs above public_html, and named the file wp-config-secure.php.

        I then deleted the content of my original wp-config.php and added the include to it referencing the new folder location (as per the article instructions).

        As I said the website works fine except for the error messages when browsing to

        I notice that the warning and error messages both reference the wp-settings.php file and are looking in my new secret folder yet the original article makes no mention of moving this file into this folder.
        The article was written 3 years ago, maybe something has changed within wordpress in that time to do with the absolute path that now needs to be changed in addition?

        Any help you can give would be really appreciated.

  19. Samul

    This gives me white screen of death on admin pages, not sure why. I use this to include the file: include(“../../my-fast-cars/fast-cars.php”);

  20. Tobias

    WordPress allows you to simply move the wp-config.php one folder up. This moves it out of the public web space if your install is in the root folder.

  21. Sam

    Should permissions for the new file be 600?


Leave a Reply

Your email address will not be published. Required fields are marked *


To Top