How to Secure wp-config.php

Every WordPress site contains a file called ‘wp-config.php’. It is one of the most significant WordPress files: it holds all the configuration information for your WordPress site, and this one file can make or break your website. Would you let it be compromised?

How to Secure wp-config.php File?

1. Change Database Prefix

WordPress uses the ‘wp_’ prefix for all of its tables by default. Changing this to a unique prefix helps hide the table names and helps secure your WordPress site. It is best to change the database prefix when you first install WordPress. The wp-config file can be found inside the ‘public_html’ folder. In the ‘wp-config’ file, find the following line:

$table_prefix = 'wp_';

You need to change it to something random like: 

$table_prefix = 'jonlohwp_';

This will change the names of the tables in the database from ‘wp_users’ to ‘jonlohwp_users’, ‘wp_posts’ to ‘jonlohwp_posts’, etc.

However, if you have not changed the database prefix yet, you can do so from your hosting control panel via “phpMyAdmin”. Select your database name, then select all tables and choose “replace table prefix”.

2. Generate New Secret Keys

Next, we’re going to generate a new set of secret keys. If your site is hacked, changing the secret keys will force every active user to log out automatically. Once thrown out, the hacker loses access to your WordPress admin.

You can do that by going to the secret key generator website that WordPress provides. All you need to do is go to this URL and just hit refresh, and there will be a brand new set of keys generated for you. You can copy these and then paste them straight into your wp-config file, replacing the old keys.

3. Protect wp-config.php with .htaccess (Apache only)

Open the .htaccess file using any text editor. Add the following lines at the end of the .htaccess file:

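# protect wp-config.php
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat,
# replace the two lines inside the block with "Require all denied")
<files wp-config.php>
order allow,deny
deny from all
</files>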

These lines make Apache refuse every web request for wp-config.php, so the file cannot be fetched through the web server. If your web server is Nginx, this step does not apply, because .htaccess files are only used by Apache.

4. Moving the ‘wp-config.php’

In any WordPress site, the wp-config file has a default location, which is the root folder of your site. Changing the file’s location can prevent it from falling into the hands of hackers. For example, if your WordPress is installed in the public_html folder, then the wp-config file will be present in the public_html folder by default.

Fortunately, WordPress allows the ‘wp-config’ file to reside outside your WordPress installation. So it is best to move wp-config out of the public_html folder, up one level; the site will still work, and your WordPress site stays secure.

5. Set permissions for wp-config.php

The wp-config file is one of the most sensitive files in the entire directory, since it contains all the base configuration and also the database connection information. The appropriate file permission for this file is 400. This means that only the file’s owner has permission to read it; the group and others will not be able to access the file.
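
The five steps above can be checked in one pass with a short audit script. This is an added example, not code from the original article; the function names, finding strings and sample values are assumptions made for illustration, and it expects keys written in single quotes, as in wp-config-sample.php.

```python
import re
import tempfile
from pathlib import Path

KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php

def audit_wp_config(path, webroot):
    """Return findings for the wp-config.php at `path`; an empty list means all checks pass."""
    findings = []
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    # Step 1: the table prefix must be set and must not be the default.
    m = re.search(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]""", text, re.M)
    if m is None or m.group(1) == "wp_":
        findings.append("prefix: default or missing $table_prefix")
    # Step 2: every key and salt is defined and is not the sample placeholder.
    for name in KEY_NAMES:
        d = re.search(r"""^\s*define\(\s*['"]%s['"]\s*,\s*'([^']*)'""" % name, text, re.M)
        if d is None or d.group(1) in ("", PLACEHOLDER):
            findings.append("keys: %s missing or placeholder" % name)
    # Steps 3 and 4: a config kept inside the web root needs the .htaccess deny block.
    root, real = Path(webroot).resolve(), Path(path).resolve()
    if root in real.parents:
        ht = root / ".htaccess"
        rules = ht.read_text(encoding="utf-8", errors="replace") if ht.is_file() else ""
        if not re.search(r'<files\s+"?wp-config\.php"?\s*>', rules, re.I):
            findings.append("location: inside web root without .htaccess deny block")
    # Step 5: the article recommends mode 400 (owner read-only).
    mode = real.stat().st_mode & 0o7777
    if mode != 0o400:
        findings.append("mode: %04o, expected 0400" % mode)
    return findings

def demo():
    # Constructed sample: default prefix, one placeholder salt, mode 0644, no .htaccess.
    body = "<?php\n$table_prefix = 'wp_';\n" + "".join(
        "define( '%s', '%s' );\n" % (k, PLACEHOLDER if k == "NONCE_SALT" else "constructed-" + k)
        for k in KEY_NAMES)
    with tempfile.TemporaryDirectory() as webroot:
        cfg = Path(webroot, "wp-config.php")
        cfg.write_text(body, encoding="utf-8")
        cfg.chmod(0o644)
        return audit_wp_config(cfg, webroot)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Call `audit_wp_config()` with the real path to your wp-config.php and your web root (for example the public_html folder) to audit a live site.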


These are some of the methods to secure the wp-config.php file, which in turn helps secure your WordPress site. Make sure your wp-config.php is configured as described in the steps above, but remember that this is just one of the many ways to improve your site’s security. A few other security measures that you can take include using a security plugin, using an SSL certificate, using a unique and strong username and password, and implementing HTTP authentication, which I have posted about previously. You ought to read my previous WordPress articles too.
