Easy-to-follow video tutorials help you learn software, creative, and business skills.Become a member

Protecting the configuration file

From: WordPress 3: Developing Secure Sites

Video: Protecting the configuration file

In this screencast, we improve site security by protecting the WordPress configuration file. As seen here, the configuration file is located in the root directory of our WordPress installation. It contains the username and database name and password for our database, as well as other super-sensitive information. This file is essentially the key to WordPress, and so it's mission-critical to keep it safe and secure. Here are two good ways of protecting the configuration file: restricting access via htaccess and restricting access via file permissions.

Protecting the configuration file

In this screencast, we improve site security by protecting the WordPress configuration file. As seen here, the configuration file is located in the root directory of our WordPress installation. It contains the username and database name and password for our database, as well as other super-sensitive information. This file is essentially the key to WordPress, and so it's mission-critical to keep it safe and secure. Here are two good ways of protecting the configuration file: restricting access via htaccess and restricting access via file permissions.

So let's return to the FTP editor and close the wp-config file and protect it with the htaccess code provided in this screencast. Just copy and paste beneath any existing rules in your htaccess file, as seen here, and then save and upload the file to your server. Returning to the Browser, let's check to make sure that our site is still working, that everything looks good still. We have the homepage, loads fine, single post works great, and we click around and see that everything is working great.

Now, let's check the actual configuration file and see what happens if somebody tries to access it directly. In the address bar of your browser, enter the installation directory of WordPress, followed by /wp-config.php, and hit Enter. We see a 403 Forbidden error, as expected. This means that the configuration file is now protected at the server level using our slice of htaccess code. Once the htaccess file is in place, we also want to ensure that file permissions are set to 640 or 644 for both wp-config and htaccess files.

These numbers correspond to the types of things that users can do with their files. In general, the lower the number, the less users may actually do with the file. For WordPress the recommended permission settings for folders is 755, and for files, it's 644 or less. So a setting of 644 for wp-config and htaccess allows WordPress to access the files, while returning the 403 Forbidden error to all external requests. So with our htaccess code in place, let's return to the browser and go look at the files on the server.

Here in the browser we're looking at the list of files and directories in the root directory of our WordPress installation, and here is the htaccess file. So if we look over in the Permissions column, we see rw-r--r--, so we click that. What does this mean? It means that the owner, group, and others can read the file, and the owner can write to the file, but nobody can execute or search the file. What do these permissions mean? So we go to an online conversion tool, like the one here, and we convert the RW values to what's called CHMOD number, by replicating the pattern here. Everyone can read, and the owner can write, which gives us the desired CHMOD value of 644, which is WordPress's recommended permission settings for files.

So now let's return and take a look at the configuration file. We scroll down a bit, and here is our configuration file, and we see that it has the same 644 settings, as shown here in our online tool. So, our wp-config file is now protected, and we are good to go. Normally, good hosts will set the best default permissions for files and directories, so there's really nothing to worry about, but even so, it's a good idea to double-check the settings for these key files. Technically, either of these methods, htaccess or proper file permissions, is going to protect your configuration file just fine.

So if you can't get into your server control panel right away, just adding the htaccess code is going to work perfectly well to keep it safe. In this screencast, we've seen how to protect the WordPress configuration file against malicious attacks. Two techniques are combined for maximum paranoid protection, but either one will do the job just fine. Just remember, the goal is to restrict access to the WordPress configuration file to help keep it and your site safe and sound.

Show transcript

This video is part of

Image for WordPress 3: Developing Secure Sites
WordPress 3: Developing Secure Sites

36 video lessons · 11404 viewers

Jeff Starr
Author

 

Start learning today

Get unlimited access to all courses for just $25/month.

Become a member
Sometimes @lynda teaches me how to use a program and sometimes Lynda.com changes my life forever. @JosefShutter
@lynda lynda.com is an absolute life saver when it comes to learning todays software. Definitely recommend it! #higherlearning @Michael_Caraway
@lynda The best thing online! Your database of courses is great! To the mark and very helpful. Thanks! @ru22more
Got to create something yesterday I never thought I could do. #thanks @lynda @Ngventurella
I really do love @lynda as a learning platform. Never stop learning and developing, it’s probably our greatest gift as a species! @soundslikedavid
@lynda just subscribed to lynda.com all I can say its brilliant join now trust me @ButchSamurai
@lynda is an awesome resource. The membership is priceless if you take advantage of it. @diabetic_techie
One of the best decision I made this year. Buy a 1yr subscription to @lynda @cybercaptive
guys lynda.com (@lynda) is the best. So far I’ve learned Java, principles of OO programming, and now learning about MS project @lucasmitchell
Signed back up to @lynda dot com. I’ve missed it!! Proper geeking out right now! #timetolearn #geek @JayGodbold
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.


Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ.

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

Join now "Already a member? Log in

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.


Mark all as unwatched Cancel

Congratulations

You have completed WordPress 3: Developing Secure Sites.

Return to your organization's learning portal to continue training, or close this page.


OK
Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member?

Become a member to like this course.

Join today and get unlimited access to the entire library of video courses.

Get started

Already a member?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferencesfrom the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Are you sure you want to delete this note?

No

Your file was successfully uploaded.

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.