How to Protect wp-config.php from Hackers in WordPress


The wp-config.php file is the heart of your WordPress site — it contains your database credentials, authentication keys, and other sensitive settings. If hackers access it, they can take over your entire site, inject malware, steal data, or delete everything. With automated attacks targeting known vulnerabilities like exposed config files, protecting wp-config.php is a non-negotiable security step.

At Cope Business, we always secure wp-config.php during our technical SEO audit services and site hardening processes — it’s one of the first things we check to prevent breaches.

This guide explains why wp-config.php is a target, and provides step-by-step methods to protect it using permissions, .htaccess rules, plugins, and best practices — all without advanced technical knowledge.

Why Hackers Target wp-config.php, and Why You Should Protect It

  • Sensitive Data: Contains database username/password, secret keys for authentication
  • Easy Access: If permissions are wrong or server is misconfigured, it’s exposed
  • Common Attack Vector: Bots scan for wp-config.php to exploit
  • Consequences: Full site takeover, data theft, SEO damage from malware

Protecting it reduces risk by 80–90% from basic attacks — combine with strong passwords, 2FA, and regular backups for full security.

Method 1: Set Secure File Permissions (Easiest & Essential)

Incorrect permissions (e.g., 666 or 777) allow anyone to read/edit the file.

Recommended Permission: 600 or 640

  • 600: Owner read/write only
  • 640: Owner read/write, group read only (use this if 600 stops the web server from reading the file)
  • 644: Owner read/write, group and everyone else read only (only if your server requires it)

Steps

  1. Access your site via FTP (FileZilla) or hosting file manager (cPanel > File Manager).
  2. Find wp-config.php in the root folder.
  3. Right-click → File permissions or Change Permissions.
  4. Enter 600 (or 640 if 600 causes issues).
  5. Check “Apply to this file only” → Save.
  6. Test: Your site should still work; try accessing yoursite.com/wp-config.php — should show 403 Forbidden or blank.

If using SSH/Terminal:

Bash

cd /path/to/wordpress/root   # the directory that contains wp-config.php
chmod 600 wp-config.php      # owner read/write only (use 640 if 600 causes issues)

Pros: Quick, no plugins, server-level protection.
Cons: May need adjustment on some hosts (contact support if errors).

Method 2: Block Access with .htaccess (Strong Protection)

This prevents direct browser access to wp-config.php.

Steps (Apache Servers – Most Shared Hosting)

  • Open .htaccess in root folder (backup first!).
  • Add this code at the top:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

  • Save.
  • Test: Access yoursite.com/wp-config.php — 403 Forbidden error.

For NGINX Servers (VPS like DigitalOcean): Add to server config (or ask host):

location ~* ^/wp-config\.php$ {
    deny all;   # any direct request for the file gets a 403
}

Pros: Blocks direct access, easy.
Cons: Requires editing .htaccess; not all hosts allow it.

Method 3: Use a Security Plugin (Automated & Comprehensive)

Plugins add extra layers like monitoring and auto-protection.

Recommended Plugin: All in One WP Security & Firewall (Free)

  1. Install All in One WP Security & Firewall from Plugins > Add New.
  2. Activate → Go to WP Security > Firewall > Basic Firewall Rules.
  3. Enable Protect wp-config.php file (or similar in other plugins).
  4. Save — plugin adds .htaccess rules automatically.

Alternative Plugin: Sucuri Security (free) or Wordfence (free/pro) — both have file protection features.

Pros: Automatic, includes other security tools.
Cons: Adds one plugin (but worth it for full security).

Additional Best Practices to Protect wp-config.php

  • Move wp-config.php — Place it one directory above root (WordPress auto-detects).
  • Add Extra Security Keys — Generate new authentication keys in wp-config.php (use WordPress.org key generator).
  • Limit Database Access — Use a unique DB user with limited privileges (not full root).
  • Regular Backups — Use UpdraftPlus to backup wp-config.php and database.
  • Monitor Changes — Use security plugins to alert on file modifications.
  • SEO Tip — Secure sites rank better long-term; pair with speed optimizations.
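The permission check from Method 1, the .htaccess check from Method 2 and the "move wp-config.php one directory up" practice above, as an added audit script that is not part of this guide. It reads the permission bits of wp-config.php, looks for a <Files wp-config.php> block that denies everyone (accepting the Apache 2.4 form `Require all denied` as well as the 2.2 `deny from all` shown above, which Apache 2.4 only honours through mod_access_compat), and reports where WordPress will load the file from. The directory paths are assumptions supplied by the caller; run it against a staging copy first.

```shell
#!/bin/sh
# Added audit helper, not code from the original guide. It checks the two
# controls the guide describes: the permission bits on wp-config.php and
# the <Files wp-config.php> deny block in the .htaccess beside it.
# Paths are passed in by the caller; nothing here is tied to a real site.

# Octal permission bits of a file, on GNU (stat -c) or BSD/macOS (stat -f).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 for the guide's recommended modes (600/640), 1 for 644
# (world-readable, only if the host insists on it), 2 for anything else
# such as 666/777, and 3 if the file cannot be inspected at all.
check_mode() {
    mode=$(file_mode "$1" 2>/dev/null) || return 3
    case "$mode" in
        600|640) return 0 ;;
        644)     return 1 ;;
        *)       return 2 ;;
    esac
}

# Returns 0 when .htaccess in the given directory contains a
# <Files wp-config.php> block that denies everyone, in either the
# Apache 2.2 form (deny from all) or the 2.4 form (Require all denied).
check_htaccess() {
    [ -f "$1/.htaccess" ] || return 1
    awk '
        tolower($0) ~ /<files +wp-config\.php>/ { inblk = 1; next }
        tolower($0) ~ /<\/files>/               { inblk = 0 }
        inblk && tolower($0) ~ /(deny from all|require all denied)/ { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1/.htaccess"
}

# Where WordPress will load the config from: the root first, otherwise one
# directory above it (the "move wp-config.php" practice in the guide).
find_wp_config() {
    if [ -f "$1/wp-config.php" ]; then
        printf '%s\n' "$1/wp-config.php"
    elif [ -f "$1/../wp-config.php" ] && [ ! -f "$1/../wp-settings.php" ]; then
        printf '%s\n' "$1/../wp-config.php"
    else
        return 1
    fi
}
```

A mode of 2 from check_mode means the file is readable or writable by accounts that should never touch it; fix that before anything else, since no .htaccess rule protects against a local user reading the file directly.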

Final Thoughts

Protecting wp-config.php from hackers is a fast, essential security step — start with secure permissions (600/640) and .htaccess blocking, then add a plugin like All in One WP Security for extra layers.

A secure wp-config.php keeps your entire site safe.

Experiencing security concerns or need a full hardening audit? Contact Cope Business for a free technical SEO consultation — we’ll secure your wp-config.php, harden your entire site, and optimize for performance and peace of mind.
