Secure Your wp-config.php for Stronger WordPress Protection

    In WordPress, the wp-config.php file stores your database credentials, authentication keys, and other sensitive configuration details. It’s one of the most critical files in your entire installation and it deserves more protection than most people realize. No one except you (or your server) should ever be able to read or modify it.

    In this article, I’ll walk you through three simple steps to secure your wp-config.php file and strengthen the overall security of your WordPress site.

    Set strict permissions

    After completing your WordPress installation, set the permissions of wp-config.php to 400. This makes the file readable only by its owner, which must be the account your PHP code runs as (the PHP-FPM pool user, often www-data, or the web server user when PHP runs inside the server). Nobody else on the machine, including other accounts on a shared host and unrelated background processes, can then read or modify it. Two caveats apply. Mode 400 locks out PHP as well if the file is owned by a different account such as your deploy user, so check the owner before you change the mode, and use 440 with the PHP user as the group if you need to keep a separate owner. And the permission bits do nothing against code already running as the PHP user: a plugin with a file-read or code-execution bug reads the file with exactly the rights WordPress has. Root can always read it.

    SSH into your server and run the following command to update the file permissions:

    sudo chmod 400 /var/www/public/wordpress/wp-config.php

    Make sure to replace /var/www/public/wordpress/ with the actual path to your WordPress installation.

    Moving wp-config.php Outside the Web Root

    Another effective way to protect your wp-config.php file is to move it one level above your WordPress root directory, keeping it inaccessible from the internet. By default, WordPress looks for wp-config.php in two places:

    • Inside your main WordPress directory, and
    • One directory above it.

    That means you can usually move it without breaking your site; WordPress finds it automatically. Two conditions apply. WordPress only falls back to the parent directory when that directory does not itself contain a wp-settings.php (a guard against reading the config of an outer, nested installation), and the parent must lie outside the directory your web server serves, otherwise the move gains nothing. Check the Nginx root (or Apache DocumentRoot) of the site before choosing the destination.

    For example, if your current structure looks like this:

    /var/www/public/wordpress/wp-config.php

    You can move it one level up:

    /var/www/public/wp-config.php

    From the terminal, enter this command to move the file (replace /var/www/public/wordpress/ with your actual path):

    sudo mv /var/www/public/wordpress/wp-config.php /var/www/public/

    This simple change keeps wp-config.php outside the publicly served directory, so even if the PHP handler is misconfigured and the server starts returning .php files as plain text, the live file is out of reach of any HTTP request. mv preserves the file's owner and mode, but make sure every directory above the new location is still searchable (execute bit) by the PHP user, or WordPress will fail to load it.
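    The two steps above (lock the mode, move the file one level up) as one script, added here as an example and not taken from the article. It relies on the loader behaviour described above (WordPress tries the parent directory only when that directory holds no wp-settings.php) and adds the checks the two manual commands skip: it refuses to move the file into a directory that is still under the web root, refuses to set 400 when the owner is not the PHP user you name, and can list stray copies left under the web root. The argument names, the sample paths and the helper names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from the original article. Moves wp-config.php one
# directory above the WordPress root and sets mode 400, with the checks the two
# manual commands skip. Assumes WordPress's loader behaviour (wp-load.php tries
# ABSPATH/wp-config.php, then the parent directory, but only when the parent
# holds no wp-settings.php) and that PHP-FPM runs as the user passed as the
# optional third argument. All paths and names are placeholders.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Owner of a file, same portability fallback.
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# Succeed when directory $1 is $2 or lies beneath it.
under_dir() {
    case "$1/" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# harden_wp_config WP_ROOT DOCROOT [PHP_USER]
#   WP_ROOT  directory holding wp-settings.php (and, initially, wp-config.php)
#   DOCROOT  the Nginx `root` of the site; the config must end up outside it
#   PHP_USER user the PHP-FPM pool runs as; with mode 400 it must own the file
# Prints the final location of wp-config.php on success, returns 1 otherwise.
harden_wp_config() {
    wp_root=$(cd "$1" && pwd -P) || return 1
    docroot=$(cd "$2" && pwd -P) || return 1
    php_user=${3:-}
    parent=$(dirname "$wp_root")
    src="$wp_root/wp-config.php"
    dst="$parent/wp-config.php"

    [ -f "$wp_root/wp-settings.php" ] || { echo "not a WordPress root: $wp_root" >&2; return 1; }

    # Find the config wherever it currently lives (first or second run).
    if [ -f "$src" ]; then cur="$src"
    elif [ -f "$dst" ]; then cur="$dst"
    else echo "no wp-config.php in $wp_root or $parent" >&2; return 1
    fi

    # Mode 400 only works when the PHP worker owns the file; check before
    # touching anything rather than discover it as a white page later.
    if [ -n "$php_user" ] && [ "$(file_owner "$cur")" != "$php_user" ]; then
        echo "refusing: $cur is owned by $(file_owner "$cur"), not $php_user (chown it first)" >&2
        return 1
    fi

    if [ "$cur" = "$src" ]; then
        if [ -f "$parent/wp-settings.php" ]; then
            # WordPress ignores ../wp-config.php when ../ is itself an install,
            # so moving it there would break the site: lock it where it is.
            dst="$src"
        elif under_dir "$parent" "$docroot"; then
            # Still served by the web server, so the move would gain nothing.
            echo "refusing: $parent is inside the web root $docroot" >&2
            return 1
        else
            mv "$src" "$dst"
        fi
    fi

    chmod 400 "$dst"
    echo "$dst"
}

# List copies and editor backups of the config left under the web root
# (wp-config.php.bak, wp-config.php~, ...), which Nginx would serve as text.
find_stray_configs() {
    find "$1" -name 'wp-config.php*' -type f
}
```

    Run it as `harden_wp_config /var/www/public/wordpress /var/www/public/wordpress www-data` (your paths and PHP user), then `find_stray_configs /var/www/public/wordpress` should print nothing; anything it does print is a file the web server will happily hand out.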

    Although some people question whether this method offers real benefits, there’s an excellent discussion on Stack Exchange that covers both sides in depth. Personally, I lean toward the “move it” camp — it’s simple, safe, and adds an extra layer of protection. And honestly, since it takes less than a minute and carries no downside, why not do it?

    Block Access to wp-config.php in Nginx and Cloudflare

    This method is optional but still recommended. The idea is to use Nginx and Cloudflare to block all access to wp-config.php. Since the file has already been moved outside the web root — making it inherently inaccessible from the internet — these blocking rules may seem redundant.

    However, adding another layer of protection is always a smart move. You might still want to include these rules because:

    • Explicit Nginx or Cloudflare rules add defense in depth without any downside.
    • Even though the rules won’t trigger when the file is outside the web root, they can protect you if a backup, staging site, or plugin accidentally places a duplicate wp-config.php inside /wordpress/ again.
    • You set up a new site or restore one from backup and forget to move the file.

    They are free to implement and add a simple but valuable safety net.

    With Nginx

    Open the server block for your site (on Debian-style layouts usually a file under /etc/nginx/sites-available/ that is symlinked into /etc/nginx/sites-enabled/) and add this location inside the server block, ahead of any location that hands .php requests to PHP-FPM. Then run nginx -t and reload Nginx:

    # Must come before `location ~ \.php$`: Nginx uses the first regex
    # location that matches, in file order. The unanchored pattern also
    # catches leftovers such as wp-config.php.bak and wp-config.php~,
    # which no PHP handler matches and Nginx would otherwise serve as text.
    location ~* /wp-config\.php {
        deny all;
    }
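    For context, here is the location above inside a minimal WordPress server block, added as an example rather than taken from the article. The point it shows is the ordering: the deny rule sits before the PHP handler, because Nginx picks the first matching regex location, and a handler placed first would win for /wp-config.php. The hostname, root path and PHP-FPM socket path are placeholders.

```nginx
server {
    listen 80;
    server_name example.com;                 # placeholder
    root /var/www/public/wordpress;          # wp-config.php lives one level above
    index index.php;

    # First regex location in the file, so it wins over the PHP handler below.
    # Unanchored on purpose: wp-config.php.bak, wp-config.php~ and
    # wp-config.php.orig are not matched by \.php$ and would otherwise be
    # served as plain text by the `location /` block.
    location ~* /wp-config\.php {
        deny all;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # PHP handler; must come after the deny rule above.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

    After reloading, a request for /wp-config.php and for /wp-config.php.bak should both return 403, while /index.php still reaches PHP-FPM.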

    With Cloudflare

    In the Cloudflare dashboard, open Security > Rules for your zone, add a new custom rule with the settings below and save it. In the expression editor the same rule reads http.request.uri.path contains "wp-config.php". It only applies to hostnames proxied through Cloudflare (orange cloud); requests sent directly to the origin IP never see it.

    • Field: URI Path
    • Operator: contains
    • Value: wp-config.php
    • Action: Block

    With these measures in place, Cloudflare filtering at the edge, Nginx blocking at the server level and restrictive file permissions, nobody can fetch wp-config.php with an HTTP request, and other local accounts cannot read it. Be clear about what they do not cover. The Cloudflare rule is bypassed if your origin accepts connections that do not come through Cloudflare, so restrict the origin to Cloudflare's IP ranges or enable authenticated origin pulls. And none of the three layers stops code already running inside PHP: a plugin with an arbitrary file read or remote code execution bug reads ../wp-config.php with the same rights WordPress itself has. If you ever suspect the file has leaked, rotate the database password and regenerate the authentication keys and salts.

    Done.
