Moving wp-config.php outside web root – is there any benefit?

WordPress uses a file named wp-config.php to store some important configuration settings. This file contains among other things, your database username and password. So it is crucial for the security of your website that nobody will have access to the contents of that file.

The configuration file (wp-config.php) is by default located in the root directory but under normal circumstances it’s contents are not publicly accessible. If you try to access it via a browser you will notice that it doesn’t produce any output.

It’s a very common advice though to move wp-config.php one directory above the root directory for security reasons. If WordPress is installed in the public_html directory, this in most server set ups means that you will have to move it to the /home/username directory.

If nobody can read the contents of that file they why should we secure it?

That’s a good question. The only reason to protect your configuration file is for the rare case when your server’s PHP handler gets broken or hacked and it’s content becomes visible as plain text to the public. In that case anyone will have access to your database username and password simply by pointing their browser to http://yourwebsite.com/wp-config.php. It’s true that moving wp-config.php up one directory will protect you database information but the best option for a number of reasons…

Why moving wp-config is not a good idea

  1. The only way for someone to see the content of wp-config.php is by bypassing the server’s PHP interpreter. If that happens you are in trouble anyway. It means that your server is hacked and the attacker will be have complete control of your site. so wherever you move wp-config he will be able to find it.
  2. Most hosting companies use open_basedir protection which means that if a php script tries to open a file, the location of that file is checked and if it is outside the directory specified by open_basedir it won’t open. So if a hacker manages to inject a malicious php script on your site it will give him access only to this specific directory. Moving your configuration file above root directory means that you have to expand the open_basedir scope in order to let PHP access scripts outside the web root. So every php script will now have access to every directory outside the web root. There is a lot of sensitive information outside the web root such as logs and backups. Giving PHP access to that information is not a good idea.
  3. You can protect wp-config.php by using htaccess rules to deny HTTP requests to it. That way you achieve the same level of protection without moving the file and without expanding open_basedir.
    just add the following piece of code to the .htaccess file on your website root:

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

Here is my advice: do not move wp-config.php. there is no reason to move it when you can just deny HTTP requests to it from htaccess. That way you get the same level of protection without having to expand open_basedir.

Will securing wp-config.php make your website 100% bulletproof? certainly not. But it’s one more security measure that might discourage an attacker.

Don’t get too invested in securing this file though, because getting it’s content displayed as plain text is something very uncommon and it means that your servers security has been compromised anyway. Do not give priority to such a minor issue while ignoring stuff that really matters like keeping wordpress updated and using strong passwords.

facebook comments: