Join Jeff Starr for an in-depth discussion in this video, Protect the configuration file, part of WordPress: Developing Secure Sites.
- [Narrator] In this video, we improve site security by protecting the WordPress configuration file. The configuration file is named wp-config.php, and is located in the root directory of your WordPress installation. The configuration file contains the username and password for your database, as well as other super sensitive information. This file essentially is the key to WordPress, so it's mission-critical to keep it safe and secure. Here are two good ways of protecting your site's configuration file.
You can restrict access to the file via .htaccess, or we can restrict access via file permissions. Either technique is sufficient, but let's do both just to be extra safe. First, open the htaccess exercise file that's included with this tutorial. We want to copy this code and then paste it into the htaccess file that is located in the root directory of our WordPress installation, as seen here. We want to add the code anywhere in the file, before any existing WordPress rules.
Note that if your site does not yet have an htaccess file in this location, you can add a copy of the blank htaccess file that is included with this tutorial. In any case, once the code is added, we want to save, upload, and return to the browser. Now let's check to see what happens if we try to access the configuration file directly. In the browser, enter the URL of your wp-config file like so. By default, the URL of a configuration file is the WordPress home URL, forward slash, wp-config.php, as seen here.
So let's go ahead and press Enter, and we get a 403 Forbidden response, as expected. This means that the configuration file is now protected at the server level, thanks to our htaccess code. So with the htaccess code in place, we also want to ensure that file permissions are set to 644, 640, or less, for both files, wp-config and htaccess. These numbers correspond to the types of things that users can do with the files.
In general, lower numbers correspond with fewer permissions, and thus represent greater restrictions on the file. For WordPress, the recommended permission setting for folders is 755, and for files, it's 644. So setting 644 for wp-config and htaccess allows WordPress itself to access the files, while denying access to all external requests. Using your web host's server control panel, you can easily check and change the permissions for any file.
Here I'm using the cPanel File Manager to look at permissions for files contained in the WordPress root directory. First, we look at the htaccess file, which shows the following permissions. Yes, it shows 644, so that's good. Note, depending on your server software, your file manager may not display numerical values for permissions. So instead of seeing this, you may see something like this, or even this. If this is the case, you can use a free online converter to translate the values.
For example, here is a good converter that you can use. You just emulate the pattern. Everyone can read, and the owner can write. As shown here, you get a CHMOD value of 644, the desired setting for WordPress files, so that's good. Next, let's jump back to our files, and check the permissions of the wp-config file. And we see that its permissions also are set at 644, which is excellent. Normally, good hosts will set the best default permissions for files and directories.
So there should be nothing to worry about. But even so, it's always a good idea to double-check the settings for key files. Technically, either one of these methods, htaccess, or proper file permissions, is going to protect your configuration file just fine. So if you can't get into your server control panel right away, just adding the htaccess code is going to work perfectly well to keep it safe. If in doubt, try to access your wp-config file as shown in this tutorial, and check the results. In this video, we see how to protect the WordPress configuration file against malicious attacks.
Two techniques are combined for maximum protection, but either one will be just fine. Just remember, the goal is to restrict access to the wp-config file, to help keep it, and your site, safe and sound.
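
The permission check walked through in the video can also be done from a shell. The following is an added example, not part of the video or its exercise files: it converts the symbolic form a file manager may show (`rw-r--r--`) to the numeric form, then tests a file against a 644 limit. The function names are hypothetical, and reading "644, 640, or less" as a bitwise comparison (no permission bit set beyond those in 644) is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit wp-config.php and .htaccess permissions.
# Usage (path is a placeholder): audit_file path/to/wordpress/wp-config.php

# Convert a symbolic mode ("rw-r--r--" or "-rw-r--r--") to octal ("644").
# Setuid/setgid/sticky bits are not reported; only rwx for user/group/other.
sym_to_octal() {
    sym=$1
    if [ "${#sym}" -eq 10 ]; then sym=${sym#?}; fi   # drop file-type character
    [ "${#sym}" -eq 9 ] || return 2
    out=""
    for start in 1 4 7; do
        triad=$(printf '%s' "$sym" | cut -c"$start"-$((start + 2)))
        n=0
        case $triad in r??) n=$((n + 4)) ;; esac
        case $triad in ?w?) n=$((n + 2)) ;; esac
        case $triad in ??[xst]) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s\n' "$out"
}

# Succeed only if MODE ($1) sets no permission bit that LIMIT ($2) leaves clear.
# A plain numeric comparison is not enough: 606 is lower than 644 but is
# world-writable, so it must fail.
within_limit() {
    [ $(( 0$1 & ~0$2 & 0777 )) -eq 0 ]
}

# Print "OK|FAIL <octal> <path>" for one file. The mode is taken from the
# first ten characters of `ls -ld`, which works on both GNU and BSD systems.
# Optional second argument: the limit (default 644).
audit_file() {
    mode=$(sym_to_octal "$(ls -ld "$1" | cut -c1-10)") || return 2
    if within_limit "$mode" "${2:-644}"; then
        printf 'OK %s %s\n' "$mode" "$1"
    else
        printf 'FAIL %s %s\n' "$mode" "$1"
        return 1
    fi
}
```

A `FAIL` line can be corrected with `chmod 644` on the file, followed by a second run of `audit_file` to confirm the result.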
- Backing up and restoring your site
- Setting up strong passwords
- Understanding users and roles
- Choosing trusted plugins and themes
- Changing and recovering passwords
- Configuring authentication keys
- Securing the login page
- Fighting spam in the comments
- Blocking access and detecting hacks
- Building a firewall for WordPress
- Detecting and blocking bots
- Auditing your WordPress security