Become Wordpress Professional - Your Ultimate Wordpress Guide

Monday, 18 March 2013

How to protect wp-config and .htaccess file in WordPress

protecting wp-config and htaccess
In this tutorial you will learn about the improving in WordPress site security by protecting the WordPress configuration file that is wp-config.php. The configuration file is the core WordPress site where you Database information is saved and this file sent your current actions from WordPress to Database. WordPress configuration file is located in your online or local host site installation WordPress directory and Usually wp-config.php file looks like

It contains the Username, Database name and password as well as other super set of information. This file is essentially a key to WordPress and this file must be keep safe and secure.

There are two good ways to protecting the wp-config.php file
  • Restricting access via .htaccess
  • Restricting access via file permission

Protect wp-config.php for external requests

Return to your FTP editor and close your wp-config.php file. Protect it via .htaccess providing here. .htcaccess file is also located in the root of your hosting directory

<Files wp-config.php> 
order Allow,Deny 
Deny from all

Copy the above code and paste in your .htaccess file and then save it. Returning to the browser and check your site is still working and everything is fine.

Now check the actual configuration file and write its url and see what happens when someone accesses it directly. In the address bar of your browser enter the installation directory of your WordPress like

Here you see Forbidden error as expected.

" You dont have permission to access /wordpress/wp-config.php on this server "

This means that the configuration file is now protected at the server level using the slice of .htaccess code. 

Protect wp-config.php and .htaccess via file permission 

Once the .htaccess file is placed the then also confirm that file permissions are set to 6 4 0  or 6 4 4 for both wp-config.php and .htaccess file. 

The numbers represents types of things that user can do with their files. In general the lower the number the lesser may actually do with the file. For WordPress the recommended permissions for folder is 7 5 5 and for file is 6 4 4 or less. So settings of 6 4 4 for wp-config.php and .htaccess allows WordPress to access the file and returning forbidden error to all external request.

Lets go back for look up the files on the server and here you see the list of files an directories in the root directory of your WordPress installation. Here you see .htaccess file right click on it and chose Change Permissions 

As in the above image file permission for .htaccess file is 6 4 4 and it is the secured settings, use this for your .htaccess file as well as for wp-config.php. 

So now your .htaccess file and wp-config.php is now protected and you are good to go. Normally the good host can automatically have best file permissions for file directories so you are really nothing to worry about but its a good idea to double check the settings for your files. 

You may also like: Best Hosting for Wordpress

Just remember the goal is to restrict access for your WordPress configurations files to help keep and save your site safe and sound. 


  1. This is a very nice article on htaccess. i like your article.

  2. Hi.. I have a question.

    I installed w3 total cache plugin. To get it working i have to turn off the option htaccess and wp-config writable option.

    So by using the above you mentioned in article..will it help from hackers to access the wp config file...

    Please answer...!


Please Avoid Spamming. Comments will be moderated before they are published.