How to Easily Secure Your wp-config File

  • by:
  • 2 minutes read
There are a number of ways to add better security to your WordPress site. Moving your wp-config PHP file out of the install is a great place to start. In this article, I’ll show you two ways to do it.

Your wp-config.php file stores valuable information such as the location, username, and password of your database, as well as your WordPress authentication keys.

Of course, these are stored as PHP variables and are not shown to the browser, but it’s always good to go an extra step to secure your WordPress websites.

Here are two ways to do it:

Two ways to secure your wp-config file

1. Change the location

If WordPress doesn’t detect this file in the normal install directory, it automatically looks one level up, which is usually a non-public folder.

So a lot of the hosting platforms will have it in a directory like /username/public_html/wp-config.php (with “username” normally being your name).

What you can do is move it out into the public_html folder (which is one level up), so that its directory is /username/wp-config.php.

WordPress will still locate your file, and it will be in a “non-public” folder.

2. Change the file name

The second method is to create a new php file for your wp-config and place an ‘include’ in the original file.

So for example, let’s create a copy of this config file. Then in the /username/ directory, create a folder called dinnertime (or whatever you like). Paste the original wp-config file there and rename it to pizza.php (or again, whatever name you prefer).

We are not moving our original php file yet, but just creating a new copy of it in the /username/dinnertime folder.

Next, remove all the code from the original wp-config file and add an include to the relative path of that pizza.php file.

So in the original file you reference the copy by putting:



Have you found another way to do this? How do you best secure your WordPess website? Let me know below.


** This article may contain affiliate links. Please read the affiliate disclaimer for more details.