How to Secure Your WordPress Configuration File - dummies

Your WordPress configuration file contains private information that you will want to protect from hackers, who would find the information stored in the wp-config.php file valuable. If someone with nefarious intent were to get your WordPress database username and password, he could log in and undo everything that you’ve built! Therefore, take whatever steps you can to secure that file so that no one but you has access to it. One quick and easy way to do that is to deny any bots (automated software applications that run on the Internet) access to it and to change the file permissions. To do so, follow these steps:

  1. Log in to your web server via FTP, and then locate and open the .htaccess file to edit it.

    Most FTP programs allow you to open and edit a file on the server by right-clicking the filename and choosing Edit. This opens the file in the default text editor on your computer (either Notepad for Windows or TextMate for Mac).

  2. Add the Deny from all code to the top of the .htaccess file.

    This tells the web server to refuse every web request for the file, so that no bots or search engines on the web can see it:

    # Refuse all web requests for wp-config.php
    <Files wp-config.php>
    Order Allow,Deny
    Deny from all
    </Files>

  3. Save the new .htaccess file and upload it to your web server.

    Your wp-config.php file is hidden from any outside bots or search engines.

  4. Change the file permissions (chmod) on wp-config.php to 640 as follows:

    1. Connect the FTP client to your web server.

    2. Locate the file you want to CHMOD.

    3. Right-click the file on your web server and choose File Permissions.

    4. The Change File Attributes window appears.

    5. Type 640 in the Numeric Value field.

    6. Click OK to save the file.
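
To confirm that both settings from the steps above took effect, the following script is an added example (not part of the original article) that audits a WordPress directory. It assumes shell access to the server; the function names are hypothetical, and it also accepts the Apache 2.4 `Require all denied` directive as a deny rule.

```shell
#!/bin/sh
# Added example: audit the two settings made in the steps above.
# Usage: sh audit.sh /path/to/wordpress   (script name and path are assumptions)

# Print a file's octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the .htaccess file has a <Files wp-config.php> block that
# contains a deny rule AND is closed by </Files>. Commented-out lines are ignored.
htaccess_blocks_config() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inside = 1; deny = 0; next }
        inside && line ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ { deny = 1 }
        inside && line ~ /^[ \t]*<\/files>/ { if (deny) ok = 1; inside = 0 }
        END { exit !ok }
    ' "$1"
}

# Report both checks; return 0 only when both pass.
audit_wp_config() {
    root=$1
    rc=0
    if [ ! -f "$root/wp-config.php" ]; then
        echo "FAIL no wp-config.php in $root"
        return 2
    fi
    mode=$(file_mode "$root/wp-config.php")
    if [ "$mode" = "640" ]; then
        echo "OK   wp-config.php mode is 640"
    else
        echo "FAIL wp-config.php mode is $mode, expected 640"
        rc=1
    fi
    if [ -f "$root/.htaccess" ] && htaccess_blocks_config "$root/.htaccess"; then
        echo "OK   .htaccess denies web access to wp-config.php"
    else
        echo "FAIL .htaccess has no complete deny block for wp-config.php"
        rc=1
    fi
    return "$rc"
}

# Run the audit when a directory is given on the command line.
[ "$#" -eq 0 ] || audit_wp_config "$1"
```

A block that is never closed with `</Files>` is reported as a failure, because the rule is not complete.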