How to Protect the WordPress wp-config.php Configuration File?

Not revealing sensitive information that could compromise a WordPress installation is as important as establishing all the active and passive perimeter measures needed to guarantee the security of the site.

Consequently, protecting the WordPress wp-config.php file is one way to strengthen the security of the CMS, because the file contains very sensitive information about your WordPress installation: the WordPress security keys, the database name, the database user and password, and the connection details.

Protecting the wp-config.php file is a task that, although it may seem complex in theory, is in practice simple to do. It secures a small but important piece of information and removes one avenue an attacker could use to compromise the installation.

Table of Contents

  1. What is the wp-config.php file?
  2. Protect the wp-config.php file via .htaccess
  3. Remove sensitive information from wp-config.php
  4. Modify the wp-config.php file
  5. Configuring the correct file permissions for wp-config.php

What is the wp-config.php file?

A file that contains the information and key rules for configuring your website with WordPress. It is generated from the wp-config-sample.php template when you install WordPress.

It includes the database configuration, the security keys (WordPress salt keys and site security), the database table prefix, the option to enable debugging mode and some more details. Best of all, it lets you include advanced settings that can benefit your website in terms of security or performance, among other things.

It is a very important file, so do not forget to make a backup copy of it before you make any changes.

Protect the wp-config.php file via .htaccess

This is the fastest and easiest solution to apply, and it is effective. To carry it out, follow these steps:

  • Access your website via FTP or from the File Manager of your hosting panel and download (FTP) or edit the hidden .htaccess file (if you use FTP, prefer SFTP when the host offers it, so the transfer between your computer and the server is encrypted).

  • Open the .htaccess file with a text editor such as Notepad, or edit it from the Code Editor of the File Manager in your hosting panel.

  • Paste the following code at the end of your .htaccess file to deny access to the wp-config.php file:

# protect wp-config.php
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

Once you have made the changes (via FTP) to the .htaccess file, upload it back to the root of your website to overwrite the old one. If you used the File Manager Code Editor from your hosting panel, simply click "Save." One caveat: the Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 they only work if mod_access_compat is loaded, and the native equivalent inside the same <Files> block is Require all denied. In either case, verify the result by requesting /wp-config.php in a browser and confirming you get a 403 Forbidden response.

Remove Sensitive Information from wp-config.php

To remove the sensitive information, you have to create a new config.php file. Creating a new WordPress settings file and hosting it outside the public web folder is a recommended measure that is not complicated and is more secure for sensitive data.

Either via FTP or from the File Manager of the hosting panel, create a new file called "config.php". Ideally, this file should be created in a directory that is not reachable over the web. For example, if your blog or web content is in /home/your_user/public_html/, you can create the config.php file in /home/your_user/ so that it cannot be requested by your visitors. Normally that is the directory one level above public_html (or www, which is often a symbolic link to public_html).

Open the existing wp-config.php file and copy the lines containing the database connection details, the database table prefix and the WordPress security keys from wp-config.php into the new config.php file. Don't forget to add <?php at the beginning of the new config.php file and ?> at the end of the file.

<?php
// Database connection details
define('DB_NAME', 'your_database');          // database name
define('DB_USER', 'your_database_user');     // database user name
define('DB_PASSWORD', 'DB_password_password'); // database password
define('DB_HOST', 'localhost');              // MySQL host

// The WordPress security keys and salts - change each one to your own random phrase
define('AUTH_KEY',         'put your random phrase here');
define('SECURE_AUTH_KEY',  'put your random phrase here');
define('LOGGED_IN_KEY',    'put your random phrase here');
define('NONCE_KEY',        'put your random phrase here');
define('AUTH_SALT',        'put your random phrase here');
define('SECURE_AUTH_SALT', 'put your random phrase here');
define('LOGGED_IN_SALT',   'put your random phrase here');
define('NONCE_SALT',       'put your random phrase here');

// The WordPress database table prefix
$table_prefix = 'wp_'; // only numbers, letters and underscores, ending with an underscore
?>

Modify the wp-config.php file

After removing all the sensitive data from the wp-config.php file, you just have to add the following single line right after <?php: include('/home/your_user/config.php'); . So the first two lines of your wp-config.php file should look like this:

<?php
include('/home/your_user/config.php');

With this change, instead of having all the sensitive information stored in wp-config.php, that file reads it from a different place: the config.php file, located outside the web root, where the information to be protected now lives.

Keep in mind that the path /home/your_user/ varies from one web server to another, so if you are not sure what the absolute path of your website is, check with your host's support department.

Configuring the correct file permissions for wp-config.php

The wp-config.php file is one of the most sensitive files in the whole installation because it contains all the basic configuration, including the database connection details. The appropriate file permission for this file is 400. This means that only the owner of the file can read it, and neither the group nor anyone else can access it at all.
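Putting the include step from the previous section and the permission advice above together, here is an added example of what the top of wp-config.php can look like once the secrets live in an external file. This is not code from the original article or from WordPress itself. The path /home/your_user/config.php is the article's placeholder, the constant names are the standard ones WordPress expects, and the checks (fail closed when the file is missing, refuse to start when it is world-readable, verify every constant was actually defined) are this example's own additions.

```php
<?php
// Added example, not code from the original article: the top of wp-config.php
// after the database and key defines have been moved to a config.php outside
// the web root. The path is an assumption; use your host's real absolute path.
$wp_private_config = '/home/your_user/config.php';

// Fail closed. If the file were missing, WordPress would otherwise continue
// with undefined DB_* constants, which is harder to diagnose and never wanted.
if (!is_file($wp_private_config) || !is_readable($wp_private_config)) {
    http_response_code(500);
    exit('wp-config.php: private configuration file is missing or unreadable.');
}

// Refuse to start if the secrets are readable by "others" (any bit set in the
// last octal digit). Modes 400 and 440 pass this check; 444 and 644 do not.
if ((fileperms($wp_private_config) & 0007) !== 0) {
    http_response_code(500);
    exit('wp-config.php: private configuration file is world-readable; run chmod 400 on it.');
}

require_once $wp_private_config;

// After the include, every constant WordPress needs must exist, and the keys
// must no longer hold the sample placeholder text.
$required = [
    'DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST',
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
foreach ($required as $name) {
    if (!defined($name)) {
        http_response_code(500);
        exit("wp-config.php: required constant $name is not defined in config.php.");
    }
    if (strpos($name, 'DB_') !== 0 && constant($name) === 'put your random phrase here') {
        http_response_code(500);
        exit("wp-config.php: $name still contains the placeholder value; generate a real random key.");
    }
}

// WordPress only accepts letters, numbers and underscores in the table prefix.
if (!isset($table_prefix) || !preg_match('/^[A-Za-z0-9_]+$/', $table_prefix)) {
    http_response_code(500);
    exit('wp-config.php: $table_prefix is missing or contains invalid characters.');
}

// The remainder of wp-config.php continues exactly as WordPress generated it,
// for example the WP_DEBUG define, the ABSPATH define and
// require_once ABSPATH . 'wp-settings.php';
```

Two notes on the permission check. It tests only the "others" bits on purpose: on hosts where PHP runs under a different account from the one that owns the file (a php-fpm pool user versus your SFTP user), a mode of 400 locks PHP out of its own configuration, and the usual compromise is 440 with the web server's group as the file's group, which this check still accepts. And a failed check deliberately stops the request with a generic 500 rather than echoing anything from the file, so the error path never leaks the secrets it is protecting.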

Final Thoughts

WordPress security is always a concern for business owners who run their site on it. WordPress is a widely used CMS, which also makes it a frequent target for attackers exploiting vulnerabilities in themes or plugins. You must know how to prevent your WordPress website from being hacked.

Thank You for reading this.