Moving Your wp-config.php File
With the correct file permissions and a correctly configured web server, keeping your wp-config.php file in the same public folder as the rest of your blog should be perfectly fine. But when it comes to protecting your website, security is an onion (or an Ogre, apparently): the more layers, the more of it you've got.
The WordPress Codex affirms this sentiment and recommends that you move your wp-config.php away from its default install location. WordPress.org self-hosted blogs allow you to move your wp-config.php up one level from your blog's root. That's all well and good, but for most web servers, one level up from your blog root is still a public_html folder. You're best off putting it in a folder that's not a subdirectory of your public_html or WWW folder. That way, the chances of someone reaching it via a web browser or any other HTTP client are virtually nil.
Here’s what you do:
Step 1
Access your WordPress.org site via an FTP program and navigate to the root.
Step 2
Download wp-config.php to your hard drive.
Step 3
Rename it to something other than wp-config.php.
Make it something nonsensical, so someone who stumbles upon it (perhaps someone who has hacked into your shared server via SSH) might not recognize it for what it is. So, instead of calling it “off-site-wordpress-config.php” call it “futurama-fan-fic.php.”
Step 4
Upload your renamed wp-config.php file to a folder above your public_html or www folder. Personally, I created an entire directory for off-site config files. But it’s probably safer to put them somewhere more random.
The most important thing is to put it outside of your www or public_html folder.
Step 5
Open up Notepad or your other favorite PHP editor.
Create a new wp-config.php file that contains only the following code:
<?php
include('/home/usr/hobbies/futurama-fan-fic.php');
?>
Replace the directory here with the server location of your renamed wp-config.php file. Note that this isn’t a URL, it’s a path relative to your server location. So, making it:
include('www.yourdomain.com/location/futurama-fan-fic.php');
will NOT work.
As you’ve probably gathered, what this will do is essentially create a “shortcut” to your actual wp-config.php file. So, if someone does hack your wp-config.php file in your WordPress directory, all they’ll find is a file pointing to another file.
For fun, you may want to add a comment that reads:
// Thank you Mario! But our princess is in another castle!
Step 6
Upload your new wp-config.php file to your WordPress root. Overwrite the old one (you backed it up first, right?).
Step 7
That’s it! Navigate to your WordPress.org blog root to ensure that it worked.
If you get an error that reads:
Warning: include(/www.yourdomain.com/location/futurama-fan-fic.php) [function.include]: failed to open stream: No such file or directory in /home/usr/public_html/blog.com/wp-config.php on line 2
Fatal error: Call to undefined function wp() in /wp-blog-header.php on line 14
Then it means that you typed in the server location wrong in your modified wp-config.php file. If you’re having trouble determining the absolute path of your blog, create a .php file with the following code in it:
<?php echo $_SERVER['DOCUMENT_ROOT']; ?>
This will show you the absolute path for whatever directory the file is in and will also illuminate how to move above the public_html folder.
If you get an error message that reads:
There doesn't seem to be a wp-config.php file. I need this before we can get started. Need more help? We got it. You can create a wp-config.php file through a web interface, but this doesn't work for all server setups. The safest way is to manually create the file.
Then it means that there’s no wp-config.php file in your WordPress.org root. Double-check that you uploaded the modified wp-config.php to your WordPress.org root or the folder just above it and the renamed wp-config.php file to another location, rather than vice-versa.
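The stub from Step 5 can be made a little more helpful than a bare include, so that a wrong path from Step 7 fails with a clear message instead of the "Call to undefined function wp()" error. This is an added example, not code from the original post or from WordPress; the path in it is an assumption, and you replace it with the absolute server path of your own renamed file:

```php
<?php
// Stub wp-config.php for the WordPress root. It loads the real, renamed
// configuration file from a directory outside the web root.
// The path below is an assumption for this example; use your own.
define( 'OFFSITE_CONFIG', '/home/usr/hobbies/futurama-fan-fic.php' );

// Fail early with a readable message if the path is wrong. This also catches
// the common mistake of writing a URL instead of a filesystem path, since
// 'www.yourdomain.com/...' is not a readable file on the server.
if ( ! is_readable( OFFSITE_CONFIG ) ) {
    header( 'HTTP/1.1 500 Internal Server Error' );
    exit( 'Configuration file not found or not readable. Check the path in wp-config.php.' );
}

// Sanity check: if the relocated file still lives under the document root it
// is still reachable over HTTP, and the move has bought nothing.
if ( isset( $_SERVER['DOCUMENT_ROOT'] ) ) {
    $docroot = realpath( $_SERVER['DOCUMENT_ROOT'] );
    $config  = realpath( OFFSITE_CONFIG );
    if ( $docroot !== false && $config !== false
        && strpos( $config, $docroot . DIRECTORY_SEPARATOR ) === 0 ) {
        header( 'HTTP/1.1 500 Internal Server Error' );
        exit( 'Relocated configuration file is still inside the document root.' );
    }
}

// Thank you Mario! But our princess is in another castle!
require_once OFFSITE_CONFIG;
```

The error messages deliberately do not echo the path, so a misconfiguration does not reveal where the real file lives.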
Conclusion
Will moving your wp-config.php make your blog bulletproof? Certainly not. But it’s just one of the steps you can take towards making your website or blog more secure. And for me, it helps me sleep better at night—just like putting an extra chain or deadbolt on the door.
Note: Before you go mucking around your file structure, make sure you back things up and feel comfortable with what you’re doing. You could seriously mess up your WordPress blog if you delete the wrong thing. You’ve been warned.