H3XED

Secure Your WordPress Config File (wp-config.php) by Moving it Above the Document Root

Oct 26, 2017   Web Development   Nick Vogt
WordPress by default runs entirely inside the public document root. This is unfortunate for security reasons, but it is required in order to preserve backwards compatibility. There is one exception to this, and that is the config file (wp-config.php). If WordPress does not find wp-config.php in its own root directory, it automatically looks for it one folder above. Two details matter here. First, "one folder above" is relative to the WordPress installation directory (the folder that holds wp-settings.php), not to the document root: if WordPress lives in a subfolder such as /blog/, the parent folder is still inside the document root and still reachable by URL. Second, WordPress only uses the parent folder's wp-config.php if that folder does not also contain a wp-settings.php, so that a nested installation does not pick up the wrong config.

What is the Document Root?
The document root is the folder that your web server maps to the top of your site's URL space: anything inside it can be requested with a URL, and anything above it cannot. Please read this post on the document root to get a better understanding of the folder layout and directory hierarchy of a website.

Why Move It?
The wp-config.php file contains sensitive information like your database login information and the authentication salts. Normally, if someone requests it directly (www.mywebsite.com/wp-config.php) they see a blank page. This is because the server executes the file as PHP: it only defines variables and constants and produces no output. However, the file is only protected as long as the PHP handler is in place. If PHP is disabled or misconfigured, if the handler is temporarily broken, or if an editor or backup tool leaves a copy behind under a name the handler does not match (wp-config.php~, wp-config.php.bak, wp-config.php.save), the server can hand the contents over as plain text.

A server fault that causes wp-config.php to be served as plain text is unlikely, but the impact is a full compromise of your database, so it is absolutely worth moving your wp-config.php file up one directory and outside of the document root. Moving it also takes the stray backup copies mentioned above out of reach.

How to Move It
You'll need access to the file system of your website, either through FTP, SSH, or your web host's file manager. Every host will be a little different. The steps are the same everywhere: confirm that the folder above your WordPress root really is above the document root (and is not itself another WordPress install containing wp-settings.php), move wp-config.php into that folder without changing its name, make sure the user your PHP runs as can still read it but other users cannot, and then load the site to confirm it still connects to the database. Unfortunately, some lower-end shared hosts may not give you access to the file system above the document root. I recommend contacting your web host and asking them if they can move the file for you, or tell you how.
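The following shell script is an added example and is not part of the original post or of WordPress itself. It performs the move described above over SSH and checks the two conditions WordPress itself imposes before it will use a parent-folder config: that the parent folder is outside the document root, and that the parent folder does not contain a wp-settings.php. The paths, function names and the 640 permission mode are assumptions for illustration; adjust the mode to whatever lets your PHP user read the file and nobody else.

```shell
#!/bin/sh
# Added example (not from the original post): move wp-config.php one directory
# above the WordPress root, with the checks a practitioner wants before doing so.
# Assumptions: $wp_root is the directory holding wp-settings.php (WordPress's
# ABSPATH), and the PHP user can read files in its parent directory.

# Returns 0 if the parent of $2 (the WordPress root) lies outside $1 (the
# document root). For a WordPress install in a subfolder such as $docroot/blog,
# the parent is still $docroot, so moving the file there gains nothing.
parent_is_outside_docroot() {
    docroot=${1%/}
    parent=$(dirname "${2%/}")
    case "$parent/" in
        "$docroot/"*) return 1 ;;   # parent is the docroot or below it
    esac
    return 0
}

# Moves $1/wp-config.php to the parent of $1. Exit codes:
#   1 no wp-config.php in $1
#   2 parent holds a wp-settings.php, so WordPress would ignore the moved config
#   3 parent already has a wp-config.php (never clobber it)
#   4 mv itself failed
move_wp_config() {
    wp_root=${1%/}
    parent=$(dirname "$wp_root")

    [ -f "$wp_root/wp-config.php" ] || {
        echo "no wp-config.php in $wp_root" >&2; return 1; }

    # WordPress only falls back to ../wp-config.php when ../wp-settings.php is
    # absent; otherwise it treats the parent as another install (constructed check).
    [ ! -e "$parent/wp-settings.php" ] || {
        echo "$parent looks like another WordPress install" >&2; return 2; }

    [ ! -e "$parent/wp-config.php" ] || {
        echo "$parent/wp-config.php already exists, not overwriting" >&2; return 3; }

    mv "$wp_root/wp-config.php" "$parent/wp-config.php" || return 4

    # The file still holds database credentials: owner read/write, group read
    # (for a PHP-FPM pool running as a different user), nothing for others.
    chmod 640 "$parent/wp-config.php"
    echo "$parent/wp-config.php"
}

# Usage on a real host (paths are examples):
#   parent_is_outside_docroot /var/www/html /var/www/html && move_wp_config /var/www/html
```

Run the docroot check first; if it fails because WordPress lives in a subfolder, moving the file up one level leaves it reachable by URL, and the better fix is to relocate the install so that its root is the document root. After a successful move, request a page that needs the database to make sure WordPress found the relocated config.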

