Archive
This post is archived and may contain outdated information. It has been set to 'noindex' and should stop showing up in search results.
Secure Your WordPress Config File (wp-config.php) by Moving it Above the Document Root
Oct 26, 2017 | Web Development | Comments (2)
WordPress by default runs entirely inside the public document root. This is unfortunate for security reasons, but it is required to preserve backwards compatibility. There is one exception: the config file (wp-config.php). If WordPress does not find wp-config.php in the document root, it automatically looks for it one folder above the document root.

What is the Document Root?
Please read this post on the document root to get a better understanding of the folder layout and directory hierarchy of a website.

Why Move It?
The wp-config.php file contains sensitive information such as your database credentials. Normally, if someone requests it directly (www.mywebsite.com/wp-config.php) they see a blank page, because the server executes the PHP and the variables and constants defined inside produce no output. However, if the server malfunctions or is misconfigured (for example, PHP handling is disabled or broken), it could serve the file as plain text instead of executing it.

A server fault that causes wp-config.php to be served as plain text is very unlikely, but given the high impact of such an event (your database credentials and secret keys exposed to anyone who requests the URL), it is absolutely worth moving wp-config.php up one directory, outside of the document root.

How to Move It
You'll need access to the file system of your website, either through FTP, SSH, or your web host's file manager. Every host will be a little different. Unfortunately, some lower-end shared hosts may not give you access to the file system above the document root. In that case I recommend contacting your web host and asking whether they can move the file for you, or tell you how.
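The following POSIX shell script is an added example, not code from the original post or from WordPress. It does two things: `resolve_wp_config` mirrors the lookup rule WordPress applies in wp-load.php (use wp-config.php in the install directory; otherwise use the parent directory's wp-config.php, but only if that parent does not itself contain a wp-settings.php, so a nested install is not confused with its parent), and `move_wp_config` performs the move described above over SSH. The function names, the placeholder path /var/www/example.com/public_html and the choice of mode 600 are assumptions: 600 presumes the PHP process runs as the file's owner, as it does under PHP-FPM pools or suEXEC-style hosting; on servers where PHP runs as a separate group member, 640 with that group is the equivalent setting.

```shell
#!/bin/sh
# Added example (not from the original post or from WordPress).
# Mirrors the wp-config.php lookup rule used by WordPress's wp-load.php and
# moves the file one directory above the WordPress install directory.
set -eu

# Print the wp-config.php path WordPress would load for install directory $1,
# or fail if neither location qualifies. Rule (from wp-load.php): use
# $1/wp-config.php; otherwise use the parent's wp-config.php only when the
# parent holds no wp-settings.php (i.e. the parent is not itself a WordPress install).
resolve_wp_config() {
    dir="$1"
    parent=$(dirname "$dir")
    if [ -f "$dir/wp-config.php" ]; then
        printf '%s\n' "$dir/wp-config.php"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        printf '%s\n' "$parent/wp-config.php"
    else
        return 1
    fi
}

# Move $1/wp-config.php into the parent directory and restrict its permissions.
# Refuses if the parent already has a wp-config.php (two sites sharing one parent
# directory, as raised in the comments below) so an existing config is never overwritten.
move_wp_config() {
    dir="$1"
    parent=$(dirname "$dir")
    if [ ! -f "$dir/wp-config.php" ]; then
        echo "no wp-config.php found in $dir" >&2
        return 1
    fi
    if [ -e "$parent/wp-config.php" ]; then
        echo "refusing to overwrite existing $parent/wp-config.php" >&2
        return 1
    fi
    mv "$dir/wp-config.php" "$parent/wp-config.php"
    # Assumption: PHP runs as the file owner, so owner-only access is enough.
    chmod 600 "$parent/wp-config.php"
    printf 'moved to %s\n' "$parent/wp-config.php"
}

# Typical use (placeholder path, adjust for your host):
#   move_wp_config /var/www/example.com/public_html
#   resolve_wp_config /var/www/example.com/public_html
```

After the move, `resolve_wp_config` should print the new path, confirming WordPress will still find the file. The refusal in `move_wp_config` is deliberate: because WordPress only ever looks one level up, two installs that share the same parent directory cannot each have their own wp-config.php there, so each site needs its own parent directory before this technique applies.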
Comments (2)
Nick   Jan 12, 2019
If you have multiple sites that share the same parent directory then you won't be able to do that. You'd want to make sure each site is in a different directory, though not all hosts give that amount of control.
Sven Adam   Jan 12, 2019
Given you have more than one WP installation, each of 'em in its separate directory. If I move all those config files (and they need to keep their filenames, don't they?), only one file will be left due to overwriting. Or there will be copies unreadable due to filename changes. How do you address that situation?