WordPress Move wp-config.php


The most sensitive information of a WordPress install is stored in the wp-config.php file. If a hacker gets access to this file then they have total control of your website.

By default wp-config.php is stored in the WordPress install folder. To make this file harder to steal you can move it out of the web accessible folder. If you move it just one folder above, WordPress will automatically find it. If you move wp-config.php to a different location, create an empty file called wp-config.php in the WordPress installation folder. Then add the following:

define('ABSPATH', dirname(__FILE__) . '/');
// '../../wp-config.php' defines location two folders above installation folder.
// Substitute with actual location of wp-config.php file as necessary.
require_once(ABSPATH . '../../wp-config.php');

You may need to make php executable in the folder you place wp-config.php in. You should make php executable in as few folders as possible. A good system puts the WordPress install in /path/to/wordpress/install/ and the config in /path/to/wordpress/config. You'd make sure the config folder is not web accessible and don't place any other sensitive information would be placed in /path/to/ or higher in the folder hierarchy. In that case you'd write a line similar to the following in your php.ini:

open_basedir = "/path/to/wordpress/install/;/path/to/wordpress/config"

This technique is controversial and some people don't think it enhances security. Extensive discussion on the topic can be read at this WordPress StackExchange question.