The most sensitive information of a WordPress install is stored in the wp-config.php file: the database credentials and the authentication keys and salts. If an attacker can read this file they have effectively total control of your website.
wp-config.php is stored in the WordPress install folder. To make this file harder to steal you can move it out of the web-accessible folder. If you move it just one folder above the install folder, WordPress will find it automatically (it looks for wp-config.php in the parent directory as long as that directory does not also contain a wp-settings.php, which would mean it is another WordPress install). If you move wp-config.php to a different location, create a file called wp-config.php in the WordPress installation folder containing only the following:
<?php
// The stub must define ABSPATH itself, otherwise the relocated config would
// compute it from its own (non-web) directory and fail to find wp-settings.php.
define('ABSPATH', dirname(__FILE__) . '/');
// '../../wp-config.php' is a location two folders above the installation folder.
// Substitute the actual location of your wp-config.php file as necessary.
require_once(ABSPATH . '../../wp-config.php');
You may need to make PHP executable in the folder you place wp-config.php in. You should make PHP executable in as few folders as possible. A good layout puts the WordPress install in /path/to/wordpress/install/ and the config in /path/to/wordpress/config/. Make sure the config folder is not web accessible, and don't place any other sensitive information in /path/to/ or higher in the folder hierarchy. In that case you'd write a line similar to the following in your
open_basedir = "/path/to/wordpress/install/:/path/to/wordpress/config/"
Note that on Linux and other Unix-like systems the open_basedir separator is a colon; the semicolon separator is Windows-only. Also, open_basedir matches each entry as a path prefix unless it ends in a slash, so an entry of /path/to/wordpress/config would also permit access to /path/to/wordpress/config-backup; end each entry with a trailing slash.
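The relocation described above, carried out and checked by a script. This is an added example, not code from the page or from WordPress: it refuses a config directory that sits inside the web root (resolving symlinks first), moves wp-config.php, writes the stub (here using an absolute path to the relocated file rather than the page's relative path, which is an assumption), sets restrictive file modes, and prints the matching open_basedir line. The directory names, the 640 mode, and the sample wp-config.php contents are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not code from the page or from WordPress: relocates
# wp-config.php into a directory outside the web root, writes the stub that
# WordPress loads in its place, and prints the matching open_basedir line.
# Paths, file modes and the sample config below are assumptions.
set -eu

# Return 0 if config_dir is NOT inside install_dir (the web-served tree),
# 1 otherwise. Both paths are canonicalised so a symlink cannot fool the check.
config_dir_outside_webroot() {
    local install_dir config_dir
    install_dir=$(cd "$1" && pwd -P)
    config_dir=$(cd "$2" && pwd -P)
    case "$config_dir/" in
        "$install_dir"/*) return 1 ;;
    esac
    return 0
}

# Move install_dir/wp-config.php to config_dir and leave behind a stub that
# defines ABSPATH (so the real config still finds wp-settings.php) and
# requires the relocated file by absolute path.
relocate_wp_config() {
    local install_dir=$1 config_dir=$2 abs_config
    if ! config_dir_outside_webroot "$install_dir" "$config_dir"; then
        echo "refusing: $config_dir is inside the web root $install_dir" >&2
        return 1
    fi
    if [ ! -f "$install_dir/wp-config.php" ]; then
        echo "no wp-config.php in $install_dir" >&2
        return 1
    fi
    abs_config=$(cd "$config_dir" && pwd -P)
    mv "$install_dir/wp-config.php" "$abs_config/wp-config.php"
    chmod 640 "$abs_config/wp-config.php"   # owner rw, web-server group r, others nothing
    cat > "$install_dir/wp-config.php" <<EOF
<?php
define('ABSPATH', dirname(__FILE__) . '/');
require_once('$abs_config/wp-config.php');
EOF
    chmod 640 "$install_dir/wp-config.php"
}

# Print the php.ini open_basedir line for the two directories. PHP on Unix
# separates entries with ':' (';' is the Windows separator), and a trailing
# '/' stops open_basedir from treating the entry as a bare prefix.
open_basedir_line() {
    local install_dir config_dir
    install_dir=$(cd "$1" && pwd -P)
    config_dir=$(cd "$2" && pwd -P)
    printf 'open_basedir = "%s/:%s/"\n' "$install_dir" "$config_dir"
}

# Build a throwaway layout with a constructed wp-config.php (fake credentials),
# run the relocation and print the root of the layout.
demo_layout() {
    local root
    root=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$root/wordpress/install" "$root/wordpress/config"
    cat > "$root/wordpress/install/wp-config.php" <<'EOF'
<?php
// constructed sample, not a real configuration
define('DB_NAME', 'wp_example');
define('DB_USER', 'wp_user');
define('DB_PASSWORD', 'example-only');
if ( ! defined('ABSPATH') ) { define('ABSPATH', dirname(__FILE__) . '/'); }
require_once(ABSPATH . 'wp-settings.php');
EOF
    relocate_wp_config "$root/wordpress/install" "$root/wordpress/config"
    echo "$root"
}

root=$(demo_layout)
echo "real config: $root/wordpress/config/wp-config.php"
echo "stub left in the install folder:"
cat "$root/wordpress/install/wp-config.php"
open_basedir_line "$root/wordpress/install" "$root/wordpress/config"
```

Run it on a real site as the user that owns the WordPress files, with the web server's user in that file's group; the 640 mode keeps other local accounts from reading the credentials while still letting PHP load the file.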
This technique is controversial and some people don't think it enhances security. Extensive discussion on the topic can be read at this WordPress StackExchange question.