Skip to main content

WordPress security should be your priority and the configuration file is one of the most commonly hacked files. So, let’s take these 3 simple steps to protect the WordPress configuration file from hackers.

The WordPress configuration file holds important structural information for your site. Protecting it from outside access keeps your WordPress website from falling prey to malicious hackers or malware.

If online intruders can access this file, they can completely disrupt the structure and functionality of your website. There are three different, but effective ways you can use to establish effective security barriers around your site.

You can choose one or use all three for extra safekeeping.

Note: After this, we highly recommend protecting your WordPress Installation File.

We highly recommend backing up your website before trying any of these methods.

How to protect the WordPress Configuration file from hackers?

Method 1: Restrict Access to the Configuration File

The first method you can use is restricting access to the configuration file via .htaccess. To use this approach, start by opening the .htaccess file found in the root directory of your WordPress installation.

Then, copy the below provided code:

<Files wp-config.php>
# Apache < 2.3
<IfModule !mod_authz_core.c>
Order allow,deny
Deny from all
Satisfy All
# Apache >= 2.3
<IfModule mod_authz_core.c>
Require all denied

And paste this code anywhere within the .htaccess file within your root directory.

After pasting the code into the file, save and upload to the server.

The next step is checking to make sure the code is working and access to this file is restricted.

In your web browser, type the URL of your wp-config file. The URL path should read as follows: (replace with your domain name)

Hit enter to reveal the 403 Forbidden response.

403 Forbidden Error

This error message means the code works and everything is saved correctly.

Outside access to the WordPress configuration files is prohibited! 

Method 2: Restrict Access Through File Permissions

The second option consists of restricting file permissions to protect the WordPress configuration file.

The way to limit permissions is to set our file permission numbers to 644, 640, or a lower number. You need to fix these numbers for both the wp-config files and the .htaccess file.

These numbers are a direct correlation to what users are allowed to do within the files. Typically, lower numbers equate to fewer permissions.

The WordPress recommended setting is 755 for folders and 644 for files.

So, when you set the wp-config and .htaccess to 644, you allow WordPress to access the data while abnegating external user access.

Use your web host’s server control panel (or FTP client) to view and edit the permissions for any site file. Within the cPenal > File Manager you can check the .htaccess file to see it sets to 644.

Next check wp-config to know if it, too, is set to 644.

Change File Permissions

If you cannot see numerical values in the cPenal (not all server software displays in number form), there are online converters to use to translate the values.

We recommend using

To use, imitate the pattern. The correct conversion allows all users to read the files, but only the site owner can write within or edit the files.

File Permissions Online Conversion Tool

If converted correctly, the CHMOD value equates to 644, which is the desired value.

Now, in your cPenal you can click the check boxes for Read, Write and Execute in case your host provider does not display numeric values.

Just like Method 1, check within your browser to make sure you get the Forbidden error.

Method 3: Moving and Modifying the Files

For advanced users

A final option you can execute is to move and modify the wp-config.php file. While this method is not in the same vein as building walls of protection around the coding, it is an option to consider.

This method is for advanced users, so make sure you know what you are doing! 

The first step is to move the file to a new location.  The simplest way to perform this action is by creating an entirely new file and either drag and drop or use the Move Tool in your File Manager to transfer the data to your newly selected location.

Note: If you move core data, such as your wp-config file, you will have to manually maintain the data in the new location with each update.

Next, you will need to remove any sensitive information from the wp-config file.

Create a new file that is not accessible through a WWW directory; this keeps your files from being accessed from outside visitors.  This directory should look similar to this: home/youruser/.  You want it to before the public directory.

Now, open your wp-config.php file and take any lines of code that contain connection details, security keys, and the database prefix and transfer them into the new file.

Be sure to encompass this transferred code with the <?php and ?>

For example:

define('DB_NAME', 'Your_DB'); // name of database
define('DB_USER', 'DB_User'); // MySQL user
define('DB_PASSWORD', 'DB_pass'); // and password
define('DB_HOST', 'localhost'); // MySQL host
// The WordPress Security Keys
define('AUTH_KEY', 'Your_key_here');
define('SECURE_AUTH_KEY', 'Your_key_here');
define('LOGGED_IN_KEY', 'Your_key_here');
define('NONCE_KEY', 'Your_key_here');
define('AUTH_SALT', 'Your_key_here');
define('SECURE_AUTH_SALT', 'Your_key_here');
define('LOGGED_IN_SALT', 'Your_key_here');
define('NONCE_SALT', 'Your_key_here');
// The WordPress database table prefix
$table_prefix = 'wp_'; // only numbers, letters and underscore

After you have moved all susceptible information to this new folder, set up the following two lines of code in your wp-config.php file to match this:


What these two steps have done is set up your wp-config files, with all security data into two new locations. The coding is all still present but will be read from different places.

Successfully Protected!

Using any of these tactics keeps your wp-config and .htaccess files on lockdown, protected from malignant intentions.

If you don’t want to use all, choose the strategy which works best for you. The protection provided by either method is sufficient on its own. The ultimate goal is to keep access to your most vulnerable files under lock and key.

It may require some long-term maintenance, for example, if you move and modify your files, but knowing hackers can’t reach your information is worth the additional effort.

If you liked this WordPress security tutorial and want to see more like this, please help us by sharing this article with your social media audience!

Now that you have protected your WordPress Configuration file, it is also a good idea to protect the installation files, admin and login sections.

Follow the below simple tutorials to do so!

  1. 3 Easy Ways to Protect Your WordPress Installation File
  2. How to protect WordPress Admin and Login sections
  3. 7 Simple Ways to Secure Your WordPress Website Without Plugins
Skip to content