
How to secure your WordPress wp-config.php File

Discussion in 'Tech, Gadgets & Science Forum' started by Michael Amon, Oct 31, 2012.

  1. Michael Amon

    Michael Amon Verified User

    #1
    Oct 31, 2012
    Joined: Dec 22, 2008
    Messages: 8,471
    Likes Received: 387
    Trophy Points: 180
    The wp-config.php file is the most important file to protect on your site. It contains your username, password, and database name (among other things) for your WordPress install and by default, is accessible from any web browser.

    Try it. Enter http://www.yourwebsite.com/wp-config.php and you should see a blank white page (if you see plain text, you've got a bigger problem).


    Harmless, right? Sure, but imagine for a minute the shared server you're on somehow gets hacked and the php handler gets changed to txt–you're in trouble. It's not very likely but you can make one of the following changes to prevent this which adds another layer of protection and gives you peace of mind.


    There are two main ways to easily protect the wp-config.php file from prying eyes and hackers. Both methods require you to have sftp or server-level access. Also turn off any caching plugins you may be using before attempting these steps.

    Option 1 – Move wp-config.php up one directory

    This is the easiest way assuming you're comfortable moving files on your server. Essentially this works by taking wp-config.php and moving it outside of the public realm (typically one level above /public_html).

    The cool part is WordPress automatically knows to look up one directory if it can't find wp-config.php in the default location.

    Option 2 – Modify your .htaccess or .conf file

    This option is a little more advanced and requires that you're running Apache or Nginx. You'll need to edit your .htaccess file (Apache) or nginx.conf (Nginx) using a text editor. Be careful not to alter any other code in this file otherwise your site may break.

    For Apache, paste the following code into .htaccess at the top:

    Code:
    # Deny public access to wp-config.php
    <Files wp-config.php>
        Order allow,deny
        Deny from all
    </Files>
    

    For Nginx, paste in the following code into nginx.conf:

    Code:
    # Deny public access to wp-config.php
    location ~* wp-config.php {
        deny all;
    }
    

    Save and sftp it back to the server (if needed). You'll need to restart Nginx but not Apache.

    To test if it works, try visiting http://www.yourwebsite.com/wp-config.php in your web browser again. Instead of a blank white screen, you should see an "Access Forbidden 403" error message.
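
Added example (not part of the original post): a shell version of the browser test described in the post above, which tells apart the blank page, the 403 and the plain-text leak. The function names and verdict labels are made up for this example, and it assumes curl is installed.

```shell
#!/bin/sh
# Added example: classify how a server answers a request for wp-config.php.
# Function names and verdict words are hypothetical, chosen for this example.

# classify_response STATUS BODY_FILE -> prints one verdict word
classify_response() {
    status=$1
    body_file=$2
    case $status in
        403|404)
            # 403: a deny rule matched. 404: the file is no longer in the web root.
            echo "blocked" ;;
        200)
            # Markers from the file's own contents mean the source was served as text.
            if grep -Eq '<\?php|DB_PASSWORD|DB_NAME' "$body_file"; then
                echo "exposed"
            elif [ -s "$body_file" ]; then
                echo "unexpected-content"
            else
                echo "executed"   # blank page: PHP ran the file and printed nothing
            fi ;;
        5??)
            # The edited .htaccess or nginx.conf may have broken the site.
            echo "server-error" ;;
        *)
            echo "unknown" ;;
    esac
}

# check_wp_config BASE_URL -> fetches BASE_URL/wp-config.php and prints the verdict.
# Returns 0 only when the file is blocked. Needs curl and network access.
check_wp_config() {
    tmp=$(mktemp) || return 2
    status=$(curl -sSL -o "$tmp" -w '%{http_code}' --max-time 10 \
        "$1/wp-config.php") || status=000
    verdict=$(classify_response "$status" "$tmp")
    rm -f "$tmp"
    echo "$verdict"
    [ "$verdict" = "blocked" ]
}
```

Run `check_wp_config http://www.yourwebsite.com` before and after the change: "executed" is the default blank page, "blocked" is the result either option should produce, and "exposed" is the plain-text case the post warns about.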
     
  2. MziziMkavu

    MziziMkavu JF-Expert Member

    #2
    Oct 31, 2012
    Joined: Feb 3, 2009
    Messages: 38,529
    Likes Received: 2,800
    Trophy Points: 280
  3. Michael Amon

    Michael Amon Verified User

    #3
    Oct 31, 2012
    Joined: Dec 22, 2008
    Messages: 8,471
    Likes Received: 387
    Trophy Points: 180
    Thanks, chief... I see that these days you've decided to be a sharobaro (a trendy young man).
     
  4. MziziMkavu

    MziziMkavu JF-Expert Member

    #4
    Oct 31, 2012
    Joined: Feb 3, 2009
    Messages: 38,529
    Likes Received: 2,800
    Trophy Points: 280
    Chief Young Master, I'm not a sharobaro. Here abroad it is the cold season right now, and we are getting ready to wear heavy clothes and thick sweaters; that's not being a sharobaro. I'm 47 years old, a father with a 25-year-old child; would I still be a sharobaro? Have I turned into Mzee Majuto? Everything has its time. This is your time; as for us, our time has already passed, chief. Or am I wrong?
     
    Last edited by a moderator: Jan 4, 2016
  5. Michael Amon

    Michael Amon Verified User

    #5
    Oct 31, 2012
    Joined: Dec 22, 2008
    Messages: 8,471
    Likes Received: 387
    Trophy Points: 180
    You're not wrong, my chief... but with that avatar of yours I very nearly forgot you, I tell you.
     
  6. MziziMkavu

    MziziMkavu JF-Expert Member

    #6
    Oct 31, 2012
    Joined: Feb 3, 2009
    Messages: 38,529
    Likes Received: 2,800
    Trophy Points: 280
    Chief Young Master, do you like my avatar? I've wrapped myself up; when I want to go outside the house I usually dress like that so the cold doesn't hit my ears or even my head. Chief, the cold season here is frightening. The cold here is very bad, harsher than the cold in Tanzania in Njombe, Iringa, Makambako, Arusha, Mbeya and Nairobi. There is no cold in East Africa that beats the cold of Europe. During the cold season I don't like Europe and I wish I could go back to Africa until the sunny season. From May next year there is some relief with the warmth, but from this month of November, especially from the 20th, it is cold nonstop until the end of May next year, and only then do we breathe again. Chief, it really is hard work coping with the cold weather.
     
  7. Michael Amon

    Michael Amon Verified User

    #7
    Oct 31, 2012
    Joined: Dec 22, 2008
    Messages: 8,471
    Likes Received: 387
    Trophy Points: 180
    Duh!!! You really do have your work cut out for you, chief... but I like your avatar... it looks good.
     
  8. MziziMkavu

    MziziMkavu JF-Expert Member

    #8
    Oct 31, 2012
    Joined: Feb 3, 2009
    Messages: 38,529
    Likes Received: 2,800
    Trophy Points: 280
    Thank you very much, chief Young Master. May you be blessed. Amen.
     
    Last edited by a moderator: Jan 4, 2016