In case you haven’t been acquainted yet, let me introduce you to your wp-config.php file. If you run a self-hosted WordPress.org blog, your wp-config.php contains your MySQL database username, your MySQL database password, your WordPress authentication keys and other sensitive information. With this information, a hacker or script kiddie gets access to every piece of content on your WordPress blog, giving them free rein to delete your posts, insert malicious code, backlink to illegal porn sites, or whatever else they want.
By default, wp-config.php sits in the same folder as your WordPress blog. So, if the homepage of your blog is at mysite.com/blog, so is your wp-config.php. That’s not as reckless as it seems, since .php files are server-side scripts that are executed by the server. When you request a .php file in a browser, you see the output of the script, not the script itself, and the same goes for “view source.” Normally, the only way to read the raw source of a .php file is through file-system access such as FTP, SFTP or SSH, not through a browser.
But, just because you can’t normally access a .php file doesn’t mean you are always safe…
Accidents happen, and vulnerabilities exist. If your web server’s PHP handler breaks, your MIME types are set up incorrectly, or your web server is otherwise misconfigured, it can end up serving the PHP source as plain text instead of the processed output; those are just a few examples. And, just like being depantsed during a pep rally in the high school auditorium, it only takes a split second, and before you can get your knickers back on they’ve seen everything. Yeah, they’ve seen it all.
In this groovyPost, I’ll show you how to keep your wp-config.php, with your MySQL database username and password, safe(r). While no website or blog is 100% un-hackable, this quick tip makes your WordPress blog a harder target than a site that hasn’t taken these precautions. Usually, just being more secure than your neighbor is enough to redirect a would-be hacker’s efforts to a site other than your own. Remember, if you are ever in the woods with a group of people and a bear shows up, you don’t have to run faster than the bear, just faster than the other people. (And all joking aside, bear mace is your best bet if you are ever really in that situation.)
Moving Your wp-config.php File
With the correct file permissions and a correctly configured web server, keeping your wp-config.php file in the same public folder as the rest of your blog should be perfectly fine. But, when it comes to protecting your website, security is an onion (or an ogre, apparently); the more layers, the more of it you have.
The WordPress Codex affirms this sentiment and recommends that you move your wp-config.php away from its default install location. WordPress itself will look for wp-config.php one level above your blog’s root if it isn’t found in the root (as long as that parent directory doesn’t also contain a wp-settings.php). That’s all well and good, but if your blog lives in a subdirectory such as public_html/blog, one level up is still inside public_html and still reachable over HTTP. You’re best off putting it in a folder that’s not a subdirectory of your public_html or WWW folder. That way, no web browser or other HTTP client can reach it, no matter how badly PHP misbehaves.
Here’s what you do:
Step 1
Access your WordPress.org site via an FTP program and navigate to the root.
Step 2
Download wp-config.php to your hard drive.
Step 3
Rename it to something other than wp-config.php.
Make it something nonsensical, so someone who stumbles upon it (perhaps someone who has hacked into your shared server via SSH) might not recognize it for what it is. So, instead of calling it “off-site-wordpress-config.php,” call it “futurama-fan-fic.php.” Bear in mind that the stub you create in Step 5 has to contain the path to this file, so the odd name only helps against someone browsing directory listings; anyone who can read the stub can follow the path.
Step 4
Upload your renamed wp-config.php file to a folder above your public_html or www folder. Personally, I created an entire directory for off-site config files. But it’s probably safer to put them somewhere more random.
The most important thing is to put it outside of your www or public_html folder.
Step 5
Open up notepad or your other favorite PHP editor.
Create a new wp-config.php file that contains only the following code (use straight quotes, not the curly “smart quotes” a word processor inserts, or PHP will choke on the line):
<?php
include('/home/usr/hobbies/futurama-fan-fic.php');
?>
Replace the directory here with the location of your renamed wp-config.php file on the server’s file system. Note that this is an absolute path on the server’s disk, not a URL. So, making it:
include('www.yourdomain.com/location/futurama-fan-fic.php');
will NOT work.
As you’ve probably gathered, what this does is essentially create a “shortcut” to your actual wp-config.php file. So, if a misconfigured server ever hands out the wp-config.php in your WordPress directory as plain text, all anyone will see is a file pointing to another file that the web server cannot serve. (It does not help against someone who already has file-system access, since the stub tells them exactly where to look; that threat is handled by file permissions, not by this trick.)
For fun, you may want to add a comment that reads:
// Thank you Mario! But our princess is in another castle!
Step 6
Upload your new wp-config.php file to your WordPress root. Overwrite the old one (you backed it up first, right?).
Step 7
That’s it! Navigate to your WordPress.org blog root to ensure that it worked.
If you get an error that reads:
Warning: include(www.yourdomain.com/location/futurama-fan-fic.php) [function.include]: failed to open stream: No such file or directory in /home/usr/public_html/blog.com/wp-config.php on line 2
Fatal error: Call to undefined function wp() in /wp-blog-header.php on line 14
then it means that you typed the server path wrong in your modified wp-config.php file. If you’re having trouble determining the absolute path of your blog, create a .php file in your blog root with the following code in it and load it in your browser:
<?php echo __DIR__; ?>
This prints the absolute path of whatever directory the file sits in (`$_SERVER['DOCUMENT_ROOT']` would instead print the web root, which is usually your public_html folder), and from there it is easy to see where “above public_html” is. Delete the helper file as soon as you have the path; it discloses your server layout to anyone who requests it.
If you get an error message that reads:
There doesn’t seem to be a wp-config.php file. I need this before we can get started. Need more help? We got it. You can create a wp-config.php file through a web interface, but this doesn’t work for all server setups. The safest way is to manually create the file.
Then it means that there’s no wp-config.php file in your WordPress.org root. Double-check that you uploaded the modified wp-config.php to your WordPress.org root or the folder just above it and the renamed wp-config.php file to another location, rather than vice-versa.
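Here is the whole procedure, Steps 2 through 6, as an added shell example; it is not part of the original article, which does the same thing by hand over FTP. It assumes a Linux host you can reach with a shell, and the paths used in the test (a public_html folder containing a blog subdirectory, and a hobbies folder beside public_html) are placeholders standing in for the article’s /home/usr/public_html/blog and /home/usr/hobbies. The stub it writes differs from the bare include above in one way worth knowing about: it defines ABSPATH before pulling in the real file. A stock wp-config.php ends with require_once(ABSPATH . 'wp-settings.php') and, if ABSPATH is not yet defined, sets it to its own directory. That is fine when WordPress loads the file through wp-load.php, but a direct browser request for /wp-config.php runs the stub on its own, the moved file then computes ABSPATH from its hidden location, and the resulting “failed to open stream” warning prints the hidden path to the visitor, which is exactly the error two commenters report further down this page.

```shell
#!/bin/sh
# Added example, not from the original article: automate moving wp-config.php
# out of the web root and writing the stub that points at it.
#
#   relocate_wp_config WEB_ROOT WP_ROOT SECRET_DIR [NEW_NAME]
#
#   WEB_ROOT    the folder the web server publishes (e.g. /home/usr/public_html)
#   WP_ROOT     the WordPress install that holds wp-config.php (may equal WEB_ROOT)
#   SECRET_DIR  a folder that is NOT under WEB_ROOT; created if missing
#   NEW_NAME    optional nonsensical file name; a random one is used if omitted
#
# All paths are placeholders to adapt; nothing here is specific to one host.
relocate_wp_config() {
    web_root=$1
    wp_root=$2
    secret_dir=$3
    new_name=${4:-}
    real_cfg="$wp_root/wp-config.php"

    [ -f "$real_cfg" ] || { echo "no wp-config.php in $wp_root" >&2; return 1; }

    # Refuse a "secret" directory that is still inside the published tree:
    # one level above public_html/blog is public_html, which a broken PHP
    # handler would happily serve as text/plain.
    case "$secret_dir/" in
        "$web_root"/*)
            echo "$secret_dir is under $web_root; choose a folder above the web root" >&2
            return 1 ;;
    esac

    if [ -z "$new_name" ]; then
        # Step 3: a name that does not advertise what the file is.
        new_name="notes-$(head -c 6 /dev/urandom | od -An -tx1 | tr -d ' \n').php"
    fi

    mkdir -p "$secret_dir"
    chmod 700 "$secret_dir"                     # dedicated config folder, owner only
    cp -p "$real_cfg" "$real_cfg.bak"           # Step 2: back up before touching anything
    mv "$real_cfg" "$secret_dir/$new_name"      # Step 4: move it out of the web root
    # 640 as discussed in the comments; 600 is tighter if PHP runs as the file
    # owner (suPHP / per-user php-fpm), which is an assumption about the host.
    chmod 640 "$secret_dir/$new_name"

    # Step 5: the stub. ABSPATH is defined first so the moved file never falls
    # back to its own location, and there is no closing "?>" so no stray
    # whitespace can be sent before WordPress' own headers.
    cat > "$real_cfg" <<EOF
<?php
// Thank you Mario! But our princess is in another castle!
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once '$secret_dir/$new_name';
EOF
    chmod 640 "$real_cfg"                       # Step 6: stub in place of the original
    echo "$secret_dir/$new_name"
}
```

Run it once per site, then load the blog as in Step 7; if the include path was mistyped you get the “failed to open stream” warning described above, and the .bak copy lets you roll back. Even with ABSPATH defined, a direct request for /wp-config.php still executes the stub, so denying HTTP requests for that file in the web server configuration, as the comments below suggest, is a sensible extra layer.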
Conclusion
Will moving your wp-config.php make your blog bulletproof? Certainly not. But it’s just one of the steps you can take towards making your website or blog more secure. And for me, it helps me sleep better at night—just like putting an extra chain or deadbolt on the door.
Note: Before you go mucking around your file structure, make sure you back things up and feel comfortable with what you’re doing. You could seriously mess up your WordPress blog if you delete the wrong thing. You’ve been warned.
33 Comments
Dinesh @ DailyBlogMoney
Hi,
It’s good information. I heard that moving the wp-config.php file to a different location is one of the best ways to protect a WordPress blog. Now I know how to do that.
I have a small doubt, if some one managed to hack and see the wp-config.php where normally locate, then he can open the same PHP file and see the hidden location, correct?
Am I asking wrong question?
Thanks for the nice tutorials.
groovinJackman
You’re right, Dinesh — if someone had FTP access to your website, they probably could just navigate to where your hidden wp-config.php file is located.
But…
This security measure is mostly to protect you against misconfigured or compromised web servers throwing plain text instead of processed PHP. This has happened before. For example, VandelayDesign.com got hacked a few years ago because the site was displaying in plain text for some reason. A non-malicious hacker hijacked the site and left this message:
Hiho guys,
this blog was in text/plain yesterday. Also a friend and I took a look in the wp-config.php. There is all the DB data we need to login here.
So little change of the md5 hash and all was fine to login.
I do not know this site really, but it’s nice and I will not delete posts, comments or something else.
Admin, change your database password.
Cheers,
Mr. X
PS: Get down of PHP
So, in this case, wp-config.php became visible to users via their web browser. But by moving the wp-config.php outside of your public_html folder, you prevent anyone from seeing it via Firefox or Chrome or IE, regardless of whether it’s plain text or not.
Really, it’s sort of a long shot that this method would save your skin, but it could and has happened. Consider this scenario:
A hacker or group of hackers wants to get access to someone’s website or database. So, they find a way to crash PHP on the entire server. This is like knocking out the deflector shield generators on the Death Star. Once PHP is down, EVERYONE’s .php files on the web server turn into plain text. From there, the hackers can go in and pick out any passwords or other data they want, right from their web browsers, UNLESS it’s outside the public_html or WWW folder.
If you are on a shared server, it only takes one person’s poorly validated user data form or GET method to allow someone to inject something malicious that COULD bring down PHP.
Again, a long shot–I’m sure very few of you are waging open warfare with Internet terrorists…but again, it’s all about layers…
Dinesh @ DailyBlogMoney
Thats a great explanation.
Now I get how much moving wp-config outside the public_html folder helps.
Thanks.
wls
hello!
That’s ideal!! But when I update WordPress core, can it block my website?
Vadim
Also… Doing things like changing the PREFIX in database tables from the default or moving the location of files like wp-config.php out of the DEFAULT locations will protect you from script kiddies using KNOWN attacks to script something and attack websites en masse (Metasploit etc.).
Will this protect you from a hacker who wants to break in and cause damage… No. Will this help protect you against scripts that ppl run against the internet, yes however, like Jack said. It’s all about layers. Add more layers to make the website next door easier to attack and hopefully they will leave your site alone. :)
Misty James
Great article. Now lets see if I can execute it successfully! Unfortunately, I have been the victim of a hack so I really appreciate your advice!
Misty James
Just thought of a question. Does making this change effect the automatic update feature in wordpress?
MrGroove
No. That is managed by PHP settings and Permissions set on the folder structure of your web host.
groovinJackman
Hi Misty – Sorry to hear about your hack attack. And I can confirm that auto-update works just fine…I just upgraded to 3.1 before leaving this comment and no problems
Misty James
Awesome! Thanks for checking that for me.
amxcld9
OK I just set this up on my account and then tried
http://www.mysite.com/wp-config.php in a browser and it threw up an error message giving full details of the path to my “hidden” config file?
When I reverted back to standard nothing is returned.
I changed the config file to 640 permissions as suggested.
Didn’t work for .htaccess file as I could access the site with it at 640.
Any thoughts on this?
amxcld9
ps. Error msg is most probably due to HTTP access being refused to the other file.
Which by the way was on the same level as the normal config file.
ie:
include(‘../foldername/hiddenfile.php’);
If that makes any difference?
Thanks,
Josh
groovinJackman
Hmm, well, that’s funny, actually that happens to me too. But it’s not really an issue, since they shouldn’t be able to plug in that location and view your config file, since you put it in a non-WWW directory, right?
What you COULD do is add a .htaccess file protection to your wp-config.php file.
Just add this bit to your .htaccess file (careful doing this–could mess things up):
AuthType Basic
AuthName “Protected Access”
AuthUserFile /home/users/.htpasswd
Require valid-user
And then create a .htpasswd file and place it in the directory that you indicated on line AuthUserFile
Just remember: you HAVE TO encrypt your passwords for .htpasswd.
Use this tool to help you:
http://www.4webhelp.net/us/password.php
MrGroove
You could also just block everyone from accessing the wp-config file via browser. I’m having issues posting the code here…. so I dumped the code into the forum here at groovyPost. Here’s a link:
https://www.groovypost.com/forum/linux/how-to-block-access-to-wp-config-php-or-htaccess-file-t96820.html
Have fun!
amxcld9
Thanks!
Paul Sulwer
Thanks for the info, it works great!
If you’re getting the errors mentioned under step 7 even though you have everything set up correctly (and you copied and pasted the syntax for the php include), just make sure you replace ‘smart quotes’ with ‘regular quotes’
Tim
Will this change still work if site is hosted on a windows server?
Trent Jessee
Great tutorial and very well written. I appreciate people like you who can make techy stuff like this super simple to understand. Thank you!
MrGroove
You bet Trent! Thanks for the comment.
Steve
Hi, good tutorial!
My WP install sits at my web root (public_html) and I’ve already moved the wp-config file up one level, so it’s outside of public_html.
In light of that, would there be any benefit in me bringing it back to the web root and using your ‘include’ technique instead?
Is one method more secure than the other?
Are they both ok with regard to future one-click updating of WordPress?
Tushar
Recently my wp-config.php file is edited by hacker and they insert some code in it which resulted in my site is being redirected to other site. I fixed it now but how can i avoid it in future? help me.
wantei
I mainly use the WP Security Plugin to buff up the protection of my blog. I’m happy to say it works pretty well!
Ian Dunn
I think all of the conventional wisdom about moving wp-config is wrong. In most setups you have to expand openbase_dir, which can expose logs, backups and other sensitive information to hackers. Instead, you should use Apache directives to block access to wp-config. More details are at http://wordpress.stackexchange.com/questions/58391/is-moving-wp-config-outside-the-web-root-really-benefitial.
Abhishek
In the most recent version of wordpress, you just move the file. WordPress will automatically understand that :)
Tony
Hi
I followed your instructions and website is working fine, however, when I navigate to mydomain.com/wp-config.php I now get the following error:
Warning: require_once(/home4/myaccount/wp-configs/wp-settings.php): failed to open stream: No such file or directory in /home4/myaccount/wp-configs/wp-config-secure.php on line 76
Fatal error: require_once(): Failed opening required ‘/home4/myaccount/wp-configs/wp-settings.php’ (include_path=’.:/opt/php54/lib/php’) in /home4/myaccount/wp-configs/wp-config-secure.php on line 76
Line 76 of my real config file is:
require_once(ABSPATH . ‘wp-settings.php’);
How can I fix this? Also, WP_debug is set to false so should I even get an error message?
Thanks
Steve Krause
When you moved your website, the home folder is probably different from the original website you hosted it at. You will need to edit your wp-config.php and edit the home directory location (/home4/myaccount/wp-configs/ to the proper location of your home folder. If you need help, you should be able to just ask your new hosting support team.
If they won’t help, just let me know and I can assist as well. Just let us know.
Tony
Hi Steve, thanks for the quick reply.
To further clarify, I’m not moving the site to a different host, just moving wp-config for security purposes as per the original article.
Referencing the article i’ve placed my real wp-config content in a new “secret” folder called wp-configs above public_html, and named the file wp-config-secure.php.
I then deleted the content of my original wp-config.php and added the include to it referencing the new folder location (as per the article instructions).
As I said the website works fine except for the error messages when browsing to mydomain.com/wp-config.php.
I notice that the warning and error messages both reference the wp-settings.php file and are looking in my new secret folder yet the original article makes no mention of moving this file into this folder.
The article was written 3 years ago, maybe something has changed within wordpress in that time to do with the absolute path that now needs to be changed in addition?
Any help you can give would be really appreciated.
Thanks
Samul
This gives me white screen of death on admin pages, not sure why. I use this to include the file: include(“../../my-fast-cars/fast-cars.php”);
Tobias
WordPress allows you to simply move the wp-config.php one folder up. This moves it out of the public web space if your install is in the root folder.
Sam
Should permissions for the new file be 600?
Thanks