How to Protect wp-config.php: Practical WordPress Security Steps for 2026

Written by: Abigail Ivy
Published on:

If you want to strengthen WordPress security, few files matter more than wp-config.php.

This guide explains how to protect wp-config.php with practical steps that reduce exposure and make common attacks much harder.

Why wp-config.php Is a High-Value Target

wp-config.php stores some of the most sensitive information in a WordPress installation, including database credentials, authentication salts, and key configuration constants.

If an attacker gains access to this file, they may be able to connect to the database, escalate privileges, or compromise the entire site.

Because wp-config.php is essential to how WordPress loads, it often becomes a target during file disclosure attempts, misconfigured server access, or weak hosting environments.

Protecting it is one of the most effective ways to reduce the impact of intrusion attempts.

Move wp-config.php One Level Above the Web Root

One of the simplest defenses is to place wp-config.php outside the public web directory.

WordPress can load the file from one directory above the document root in many hosting environments.

This reduces the chance that the file can be reached directly through a browser or exposed through a misconfiguration.

The exact path depends on your hosting setup, but the goal is the same: keep the file outside the publicly accessible directory whenever possible.

  • Confirm your hosting account allows access outside the web root.
  • Test the site carefully after moving the file.
  • Keep a backup before making structural changes.

Restrict File Permissions

File permissions help control who can read, write, or execute a file on the server.

For wp-config.php, the recommended permissions are usually as restrictive as your hosting environment allows while still letting WordPress operate.

Common guidance is to set wp-config.php to 400 or 440 when possible.

In some shared hosting environments, 600 may be appropriate if the web server user owns the file.

Avoid broad permissions such as 644 if a tighter option works on your server.

Permission values at a glance

  • 400: read only for the owner
  • 440: read only for owner and group
  • 600: read and write for the owner only

Test after changing permissions, because overly strict values can break WordPress if the server cannot read the file.

Use Server Rules to Block Direct Access

Even if wp-config.php remains in the web root, you can often block direct access with server-level rules.

This is an important layer of protection because it helps stop casual probing and automated requests.

Apache protection

On Apache servers, administrators often use .htaccess or the main configuration file to deny access to wp-config.php.

This method is effective when implemented correctly and helps prevent remote requests from reaching the file.

Nginx protection

On Nginx, access control is usually handled in the server block.

A deny rule for wp-config.php can prevent browsers and bots from requesting it directly.

If you are using a managed host, ask whether this rule is already in place.

Server rules are not a substitute for good file placement and permissions, but they add another defensive layer.

Limit Exposure Through Hosting and File Ownership

Hosting quality matters.

Shared servers with weak account isolation, poor permission defaults, or outdated software increase the risk of file exposure.

A reliable host should provide account separation, regular patching, and clear guidance on file ownership.

File ownership should be consistent with how your server runs PHP.

If the wrong user owns wp-config.php, permission fixes may not work as intended.

In some cases, insecure ownership leads administrators to loosen permissions unnecessarily, which creates more risk.

  • Use a reputable hosting provider with clear security controls.
  • Verify the PHP handler and ownership model used by your site.
  • Review file permissions after migrations and server changes.

Protect Backup Copies and Staging Environments

wp-config.php is often copied into backups, migration archives, and staging copies.

Those duplicates can become easy targets if they are stored in publicly accessible directories or cloud buckets with weak access controls.

Be careful with automated backup plugins and deployment workflows.

Ensure that archives are encrypted, storage permissions are limited, and test environments do not expose live credentials unless intentionally configured to do so.

Backup safety checklist

  • Store backups in private locations only.
  • Encrypt archives that include wp-config.php.
  • Rotate credentials if a backup is exposed.
  • Delete old staging copies when they are no longer needed.

Harden the Secrets Inside wp-config.php

Protecting the file is important, but protecting its contents is just as critical.

WordPress uses authentication salts and keys to secure sessions and cookies, and these values should be unique and current.

Use the WordPress secret-key generator to create strong salts, and regenerate them after a suspected breach.

If database credentials may have been exposed, update the password at the database level and reflect the change in wp-config.php immediately.

Also review any custom constants in the file.

Some plugins and developers add debugging or integration values that may reveal details about internal systems.

Remove what you do not need.

Disable Editing from the WordPress Dashboard

If an attacker gains access to an administrator account, the built-in theme and plugin editors can be used to alter files.

While this does not directly protect wp-config.php, disabling file editing reduces the number of ways someone can tamper with your installation.

Add the following constant to wp-config.php to prevent dashboard file editing:

define('DISALLOW_FILE_EDIT', true);

This is a simple hardening step that is widely recommended by WordPress security professionals and complements other protection measures.

Monitor for Changes and Unusual Access

File monitoring helps you catch problems early.

If wp-config.php changes unexpectedly, that can indicate a compromise, a bad deployment, or a configuration error.

Use security plugins, server auditing tools, or host-level monitoring to alert you when critical files are modified.

Log review is also valuable, especially for repeated requests targeting wp-config.php or related files such as .env, backup archives, and old configuration copies.

  • Track file integrity for wp-config.php.
  • Review access logs for suspicious requests.
  • Alert on permission changes and ownership changes.

What to Do If wp-config.php Is Exposed?

If you suspect wp-config.php has been exposed, treat it as a security incident.

Start by changing the database password, regenerating WordPress salts, and reviewing administrator accounts for unauthorized changes.

Next, inspect recent plugin installs, theme edits, and file changes.

If the exposure happened through a backup or staging site, remove public access immediately and check whether search engines or crawlers cached the file.

In some cases, you may need to restore from a known-clean backup and rotate all related secrets.

Best Practices for Long-Term WordPress Security

Learning how to protect wp-config.php is part of a broader WordPress security strategy.

The strongest approach combines server hardening, strict permissions, secure hosting, and ongoing monitoring.

  • Keep WordPress core, themes, and plugins updated.
  • Use least-privilege database accounts.
  • Enforce strong administrator passwords and two-factor authentication.
  • Remove unused plugins, themes, and backup files.
  • Audit critical files regularly, especially after migrations.

When these practices work together, wp-config.php becomes much harder to expose, modify, or misuse.