To protect the security of WordPress sites, we need to focus on protecting wp-config.php files. 1. Restrict external access to wp-config.php through server configuration (such as Apache's .htaccess or Nginx configuration); 2. Set reasonable file and directory permissions, and it is recommended that wp-config.php permission be set to 600; 3. Move wp-config.php to the non-public directory above the website root directory to improve security; 4. Ignore this file in the version control system to avoid leakage of sensitive information; 5. Regularly update the security key in wp-config.php to prevent the risk of session hijacking. These measures can effectively improve WordPress security and operate without complexity.
Protect the security of your WordPress site, starting with the most basic files. wp-config.php is one of the most critical configuration files for WordPress, which contains sensitive content such as database connection information, security keys, etc. If this file is acquired by the attacker, the entire website may be controlled. Therefore, protecting the wp-config.php file is an important step in WordPress security protection.
Restrict access to wp-config.php
The most common practice is to prohibit external access to this file through a server configuration (such as .htaccess or Nginx configuration).
For users using Apache, adding the following code to the .htaccess file can prevent anyone from accessing directly through the browser:
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>If you are using Nginx, you can add it to the site configuration:
location ~ /wp-config.php {
deny all;
}In this way, even if others know the file path, they cannot directly access it.
Also, make sure that your WordPress installation directory permissions are set reasonably:
- Set folder permissions to 755
- Set file permissions to 644
- In particular, wp-config.php itself is recommended to set to 600, and only the owner can read and write.
Move wp-config.php to a non-public directory
WordPress allows you to place the wp-config.php file outside the root directory of the website. This way, even if the server configuration error occurs, the file will not be exposed.
For example, you can place wp-config.php in a directory that is higher than the root directory of the website, for example:
- Original path:
/var/www/html/wp-config.php - New path:
/var/www/wp-config.php
WordPress will look for this file in the current directory by default. If it is not found, it will look for the previous directory until it is found. So as long as you put the file in the right location, WordPress will still run normally, and externally cannot be accessed through the URL.
Although this method is a little troublesome, it greatly improves security.
Don't expose wp-config.php to version control system
Many developers are accustomed to submitting website code to version control systems such as Git, but once the database username, password, security key and other information in wp-config.php is leaked, the consequences will be serious.
The solution is simple:
- Add
wp-config.phpin.gitignorefile - If you use template configuration files in team collaboration, you can use
wp-config-sample.phpas the template and manually fill in the actual configuration during deployment
In addition, some hosting platforms (such as WP Engine and Kinsta) have hidden wp-config.php by default, and they configure databases and keys through environment variables, which is safer and easier to manage.
Regularly check security keys in wp-config.php
WordPress uses a set of "security keys" to encrypt user login information. If you haven't touched wp-config.php for a long time, the key inside may still be default or has been leaked.
You can go to WordPress Salt Generator to get the new random key and replace the old one. This will not affect the login status of existing users (unless you clear cookies), but will prevent potential session hijacking risks.
The replacement method is very simple:
- Open the link above to generate a new salt value
- Copy and replace the corresponding constant definition in wp-config.php
- Save and upload files
Although this operation is simple, it is very effective.
Basically that's it. As long as you do a good job in access control, storage location, version management and key update, the security of wp-config.php can be greatly improved. Not complicated but easy to ignore.
The above is the detailed content of How to secure the wp-configphp file. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undress AI Tool
Undress images for free
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
How to use the WordPress testing environment
Jun 24, 2025 pm 05:13 PM
Use WordPress testing environments to ensure the security and compatibility of new features, plug-ins or themes before they are officially launched, and avoid affecting real websites. The steps to build a test environment include: downloading and installing local server software (such as LocalWP, XAMPP), creating a site, setting up a database and administrator account, installing themes and plug-ins for testing; the method of copying a formal website to a test environment is to export the site through the plug-in, import the test environment and replace the domain name; when using it, you should pay attention to not using real user data, regularly cleaning useless data, backing up the test status, resetting the environment in time, and unifying the team configuration to reduce differences.
How to use Git with WordPress
Jun 26, 2025 am 12:23 AM
When managing WordPress projects with Git, you should only include themes, custom plugins, and configuration files in version control; set up .gitignore files to ignore upload directories, caches, and sensitive configurations; use webhooks or CI tools to achieve automatic deployment and pay attention to database processing; use two-branch policies (main/develop) for collaborative development. Doing so can avoid conflicts, ensure security, and improve collaboration and deployment efficiency.
How to create a simple Gutenberg block
Jun 28, 2025 am 12:13 AM
The key to creating a Gutenberg block is to understand its basic structure and correctly connect front and back end resources. 1. Prepare the development environment: install local WordPress, Node.js and @wordpress/scripts; 2. Use PHP to register blocks and define the editing and display logic of blocks with JavaScript; 3. Build JS files through npm to make changes take effect; 4. Check whether the path and icons are correct when encountering problems or use real-time listening to build to avoid repeated manual compilation. Following these steps, a simple Gutenberg block can be implemented step by step.
How to set up redirects in WordPress htaccess
Jun 25, 2025 am 12:19 AM
TosetupredirectsinWordPressusingthe.htaccessfile,locatethefileinyoursite’srootdirectoryandaddredirectrulesabovethe#BEGINWordPresssection.Forbasic301redirects,usetheformatRedirect301/old-pagehttps://example.com/new-page.Forpattern-basedredirects,enabl
How to flush rewrite rules programmatically
Jun 27, 2025 am 12:21 AM
In WordPress, when adding a custom article type or modifying the fixed link structure, you need to manually refresh the rewrite rules. At this time, you can call the flush_rewrite_rules() function through the code to implement it. 1. This function can be added to the theme or plug-in activation hook to automatically refresh; 2. Execute only once when necessary, such as adding CPT, taxonomy or modifying the link structure; 3. Avoid frequent calls to avoid affecting performance; 4. In a multi-site environment, refresh each site separately as appropriate; 5. Some hosting environments may restrict the storage of rules. In addition, clicking Save to access the "Settings>Pinned Links" page can also trigger refresh, suitable for non-automated scenarios.
How to send email from WordPress using SMTP
Jun 27, 2025 am 12:30 AM
UsingSMTPforWordPressemailsimprovesdeliverabilityandreliabilitycomparedtothedefaultPHPmail()function.1.SMTPauthenticateswithyouremailserver,reducingspamplacement.2.SomehostsdisablePHPmail(),makingSMTPnecessary.3.SetupiseasywithpluginslikeWPMailSMTPby
How to integrate third-party APIs with WordPress
Jun 29, 2025 am 12:03 AM
Tointegratethird-partyAPIsintoWordPress,followthesesteps:1.SelectasuitableAPIandobtaincredentialslikeAPIkeysorOAuthtokensbyregisteringandkeepingthemsecure.2.Choosebetweenpluginsforsimplicityorcustomcodeusingfunctionslikewp_remote_get()forflexibility.
How to make a WordPress theme responsive
Jun 28, 2025 am 12:14 AM
To implement responsive WordPress theme design, first, use HTML5 and mobile-first Meta tags, add viewport settings in header.php to ensure that the mobile terminal is displayed correctly, and organize the layout with HTML5 structure tags; second, use CSS media query to achieve style adaptation under different screen widths, write styles according to the mobile-first principle, and commonly used breakpoints include 480px, 768px and 1024px; third, elastically process pictures and layouts, set max-width:100% for the picture and use Flexbox or Grid layout instead of fixed width; finally, fully test through browser developer tools and real devices, optimize loading performance, and ensure response
