Comments on: WordPress Security Tip - How to Protect the wp-config.php File

By: B

Tue, 27 Dec 2011 17:27:03 +0000

Here ya go Matt! This is a great link to explains the file permissions on both the .htacess and config should be @ 640.

http://digwp.com/2010/08/pimp-your-wp-config-php/

By: Michael

Michael — Sat, 17 Sep 2011 14:42:02 +0000

Updating permalinks in WP updates htaccess. On my system/set-up this causes the protect wpconfig.php directive (and some others) to disappear and just leaves my permalink redirects in htaccess. This may be specific to the order of entries in my file - I don't know, but people may wish to check their htaccess to ensure it's still setup how they want..

By: Matt Fraser

Matt Fraser — Sun, 22 May 2011 08:38:29 +0000

Regina,

What about changing the permissions of your wp-config file to 640 440 or 400?

By: Regina Smola

Regina Smola — Sun, 15 Aug 2010 20:30:31 +0000

Thanks!We are using the StudioPress Corporate Theme customized by David Libovitzi.

By: James Neil

James Neil — Sun, 15 Aug 2010 15:54:27 +0000

Looks like the bad guys are having a field day hacking WP blogs. Glad I found your site to help me avoid being spammed and hacked by the creations.

What theme are you using? I like it.

By: How to secure your WordPress blog?

How to secure your WordPress blog? — Tue, 25 May 2010 23:23:06 +0000

[...] WP-config tip was discovered via WPSecurityLock and DevLounge Pictures courtesy Public Domain Image and The Nosebean’s Blog Share and [...]

By: Henry D'Andrea

Henry D'Andrea — Wed, 12 May 2010 08:13:37 +0000

RT @WPSecurityLock: WordPress Security Tip - How to Protect the wp-config.php File http://bit.ly/9a0Wrq

By: Regina

Regina — Tue, 11 May 2010 17:46:24 +0000

Hi Tina,Thanks for your question. And no, it's not a dumb question. I'm glad you asked.Yes, you can post it directly below your permalink code. Here's an example:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

# protect wp-config

order deny,allow
deny from all

Also check your site right away to make sure that it is working. If the code is not put in properly, you will get a Internal Server Error. If this happens, check to make sure you copied it correctly and reupload. If all else fails, email me, I'll help you personally.

By: Tina T

Tina T — Tue, 11 May 2010 17:38:22 +0000

This is probably a dumb question, but since my htaccess file has my permalink structure, can I just paste this code beneath it so that I don't mess with my permalink code? If I do that will my config file still be protected? Thanks.

By: Regina

Regina — Tue, 11 May 2010 17:01:55 +0000

Hello Bogdan,

Thank you for your comment. In light of the fact that the most recent hacker attacks on WordPress sites are changing all server permissions for both directories and files to 777, this will make that file readable, writable and executable. This is just another way to safeguard our sites.

There is a way to move this file outside the root as well. You can find out more here:
http://www.devlounge.net/code/protect-your-wordpress-wp-config-so-you-dont-get-hacked.