WordPress allows you to move the wp-config.php file one level above the public_html directory to hide its sensitive content and add an extra layer of protection.

Why Move wp-config.php?

Moving the wp-config.php file outside of the document root is a quick and simple method to secure important configuration details from potential malicious access.

This file contains your database credentials and authentication/salt keys—essential for WordPress security.

INFO: WordPress authentication keys and salts are random secret strings that WordPress mixes into the hashes protecting login session data.

In every WordPress installation, wp-config.php resides in the document_root:

  • In Plesk: this is typically the httpdocs folder.
  • In cPanel: it’s usually public_html.
  • In other control panels, you may see it as webroot.

For consistency, we’ll refer to it as httpdocs in this guide.

Document Root Structure

The httpdocs folder is the top-level directory accessible by the system user via SSH or FTP. The directory above it cannot be reached over SSH/FTP and is visible only from the file manager in the control panel.


How Can wp-config.php Be Compromised?

Normally, browsers cannot read the source of PHP files: the server executes them and returns only the rendered HTML. However:

  1. If the server stops parsing PHP (e.g., due to misconfiguration), the contents of wp-config.php might be displayed as plain text.
  2. A malicious file might be uploaded that can read wp-config.php programmatically.

Wordfence reported a large-scale attack in 2020 where attackers scanned for default WordPress paths like httpdocs/wp-config.php to harvest database credentials.


How to Move wp-config.php

WordPress supports this operation natively without requiring changes to the core.

Option 1: Simple Move

Just move the file one level above the web root. WordPress will detect it automatically; no further action is needed.

Option 2: Enhanced Obfuscation

To further obscure the file:

  1. Create a new folder outside httpdocs with a random name (e.g., tsoukou).
  2. Copy wp-config.php into it.
  3. Rename it to something unique like qwerasdv.php.

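  4. In httpdocs/wp-config.php, replace the contents with:

<?php
// Define ABSPATH as this directory (httpdocs) if WordPress has not already done so.
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

// Load the real configuration from the folder outside the web root.
require_once(ABSPATH . '../tsoukou/qwerasdv.php');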
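
To confirm that either option left no secrets inside the web root, the following shell check can be run against the document root. It is an added example, not part of the original guide: `audit_wp_config` is a hypothetical helper name, the demo paths are constructed, and the world-readable test is an extra check beyond the steps above. It assumes the stub uses the `require_once(ABSPATH . '...')` form shown in step 4 and that your shell account can read the directory above httpdocs.

```shell
#!/usr/bin/env bash
# Added example (not from the guide): audit a relocated wp-config.php.
# audit_wp_config is a hypothetical helper; prints findings, returns 0 if clean.
audit_wp_config() {
    local docroot stub rel real dir bad=0
    docroot=$(cd "$1" 2>/dev/null && pwd -P) || { echo "FAIL: no such docroot: $1"; return 1; }
    stub="$docroot/wp-config.php"
    if [ -f "$stub" ]; then
        # Option 2: the stub must only load the real file, never hold secrets.
        if grep -Eq "define\([[:space:]]*['\"](DB_|[A-Z_]*_(KEY|SALT))" "$stub"; then
            echo "FAIL: $stub still defines DB credentials or keys/salts"; bad=1
        fi
        # Pull the relative path out of: require_once(ABSPATH . '<rel>');
        rel=$(sed -n "s/.*require_once.*ABSPATH[^'\"]*['\"]\([^'\"]*\)['\"].*/\1/p" "$stub" | head -n 1)
        [ -n "$rel" ] || { echo "FAIL: $stub has no require_once(ABSPATH . ...) line"; return 1; }
        real="$docroot/$rel"
    else
        # Option 1: WordPress looks one level above the web root by itself.
        real="$(dirname "$docroot")/wp-config.php"
    fi
    [ -f "$real" ] || { echo "FAIL: real config not found: $real"; return 1; }
    # Resolve ../ and symlinks, then make sure the file is outside the web root.
    dir=$(cd "$(dirname "$real")" && pwd -P)
    case "$dir/" in
        "$docroot"/*) echo "FAIL: $real resolves inside the web root"; bad=1 ;;
    esac
    # A world-readable config can be read by every other account on the host.
    if [ -n "$(find "$real" -perm -0004)" ]; then
        echo "FAIL: $real is world-readable"; bad=1
    fi
    [ "$bad" -eq 0 ] && echo "OK: config lives at $dir/$(basename "$real")"
    return "$bad"
}

# Constructed demo layout using the guide's sample names (values are made up).
demo=$(mktemp -d) && mkdir "$demo/httpdocs" "$demo/tsoukou"
printf "<?php\ndefine('DB_PASSWORD', 'constructed');\n" > "$demo/tsoukou/qwerasdv.php"
chmod 600 "$demo/tsoukou/qwerasdv.php"
printf "<?php\nrequire_once(ABSPATH . '../tsoukou/qwerasdv.php');\n" > "$demo/httpdocs/wp-config.php"
audit_wp_config "$demo/httpdocs" || true
rm -rf "$demo"
```

On hosts where the parent directory is not reachable over SSH, the same checks have to be done by eye in the control panel's file manager.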