There is a file in WordPress called wp-config that is very important as it contains (in plain text) all the details of the database, such as the database server name, username and password.
Naturally if anyone can access this file they then have full access to the database where they can run amok changing users, passwords, posts etc.
If you are running a self-hosted WordPress site, the chances are that your wp-config.php is located in the root of the site where the potential exists for anyone to hack into it. There is however a simple way to place it out of sight (and out of site?) altogether.
As yours is a self hosted site, you will have full access via FTP to move files around. However a lot depends on the configuration of your server. If you are lucky, you will have access to the folder underneath your root folder (where the site resides). If that is the case, all you have to do is to move wp-config to that sub-folder. As an example, if your structure is as follows –
This varies from server to server but you’ll get the idea. In this case you will have write access to both ‘httpdocs’ (the site root) and to the folder beneath it (‘web’). So just move wp-config.php from ‘httpdocs’ to ‘web’ and the job is done.. Note however if there is more than one copy of WordPress running in parallel folders this method should never be used, as each copy of WordPress will possibly attempt to read the new copied file. In this case it would be wiser to use the method below.
WordPress has a built in feature that will discover the new location, so there is no need to change anythingn else. The site will continue working as before.
However suppose you don’t have access to the folder beneath the root of the site? Chances are you can see it and can browse it (using FTP) but you cannot write to it?
Using the example above, you can load files into the folder ‘httpdocs’ but you can’t into the folder ‘web’. What now?
Again a simple solution. Create a folder called anything you like. The name is not important. We now have a structure
You have access to ‘httpdocs’ as that is the site root. You also have full access to ‘whatevername’ because you just created it.
Next, copy all the files (and folders) from ‘httpdocs’ to ‘whatevername’. Notice I say copy, and not move.
The next step is to change the root of the site from ’httpdocs’ to ‘httpdocs/whatevername’. This is done by changing the domain settings. In my case, I went to my domain control panel and just added the new folder into the domain pointer and that did the trick.
Once you are happy that the domain pointer is working (I usually check by placing a little piece of code into the files I have just copied up) it is a simple matter of deleting all files and folders in ‘httpdocs’ except wp-config.php and of course the folder where the site now resides. Lastly, delete wp-config from within ‘whatevername’ and the job is done.
There is a very simple test to see whether your wp-config.php is secure – just browse for it! for example, if you type the address
You will get a file not found message (as I have secured it already here). If you just get a blank screen it means the file is still readable and is potentially hackable.
The only way anyone can now access wp-config.php is to either find a way to FTP into the site, or hack into the main server itself and that should be fully secured by your hosting company.