Hardening the wp-config.php File for Enhanced Security

To harden the wp-config.php file for enhanced WordPress security, you should:

• Move wp-config.php one directory level above the WordPress root directory so it is not directly accessible via the web. WordPress will automatically detect it there, and this prevents direct URL access to this sensitive file containing database credentials and security keys.

• Restrict access to wp-config.php using server rules, such as adding directives in your .htaccess file (for Apache servers) to deny all external access. For example:

  <Files "wp-config.php">
    Require all denied
  </Files>
  

  or, for older Apache versions:

  <Files wp-config.php>
    order allow,deny
    deny from all
  </Files>
  

  This blocks unauthorized HTTP requests to the file.

• Set strict file permissions on wp-config.php, typically 400 or 440, so only the file owner and the web server can read it, preventing other users on the server from accessing it.

• Disable file editing from the WordPress dashboard by adding the following line to wp-config.php, which prevents administrators from editing plugin and theme PHP files via the dashboard, reducing the risk of code injection if an attacker gains admin access:

  define( 'DISALLOW_FILE_EDIT', true );
  

  This does not stop file uploads but limits a common attack vector.

Additional security measures related to wp-config.php include:

• Enabling automatic WordPress core updates via wp-config.php to ensure security patches are applied promptly:

  define( 'WP_AUTO_UPDATE_CORE', true );
  

• Avoid placing .htaccess blocking rules inside WordPress-managed blocks (# BEGIN WordPress / # END WordPress) to prevent overwriting.

• Consider adding HTTP authentication to sensitive paths if moving wp-config.php is not feasible, adding an extra layer of protection.

These steps collectively reduce the risk of unauthorized access to your WordPress configuration and improve overall site security.