The wp-config file is a powerful core WordPress file that is vital for running your website. It contains important configuration settings for WordPress, including details on where to find the database, login credentials, name and host. This config file is also used to define advanced options for database elements, security keys, and developer options.
In this post, we’ll outline some important website hardening recommendations for your wp-config file and explain exactly how to safely update it to avoid sensitive data exposure.
How to harden WordPress with wp-config
There are a few tricks that you can implement for your wp-config.php file that can help you improve your security and harden your WordPress website.
1 – Restrict access to wp-config
New WordPress owners will always want to start with restricting access to wp-config in the first place.
Move your wp-config file one directory level above the root folder to prevent it from being accessible to the internet. If wp-config does not exist in the root folder, WordPress will automatically look for this file in the folder above the root directory.
If you use a server with .htaccess, you can add a rule at the very top to deny access to anyone surfing for it.
Here are the directives for Apache 2.4:
<FilesMatch "wp-config\.php">
Require all denied
</FilesMatch>
2 – Enable automatic WordPress updates
Enabling automatic updates will ensure that your WordPress site always contains the latest security patches. Simply add the following snippet to your wp-config:
define( 'WP_AUTO_UPDATE_CORE', true );
Be sure to implement automatic backups so that you can easily recover your website in the event of an emergency or in the off-chance that an update causes issues.
3 – Set up salts and keys
The wp-config file includes a section dedicated to authentication salts and keys which can improve the security of cookies and passwords that are in transit between your browser and the web server.
You can set up your keys by including or editing these lines after the other define statements in your wp-config.php file:
define('AUTH_KEY', 'include salt here');
define('SECURE_AUTH_KEY', 'include salt here');
define('LOGGED_IN_KEY', 'include salt here');
define('NONCE_KEY', 'include salt here');
4 – Set file permissions for wp-config
Since the wp-config file contains incredibly sensitive information, you’ll want to ensure that file permissions are defined to prevent unauthorized access and modification. Something along the lines of 600 should be sufficient, but you can start with 400 with the understanding that you might need to escalate permissions if you run into problems.
A good rule of thumb is to start with the least permissive configuration and only escalate permissions when necessary. You should never set permissions for anything to 777 unless you are an expert or have a really good reason for doing so.
5 – Disable plugin and theme installers
You can also use wp-config to define essential information about WordPress plugins or themes.
For example, website owners may want to use wp-config to disable both the theme and plugin file editors and installers by simply adding the following lines to their wp-config file.**
define( 'DISALLOW_FILE_EDIT', true ); // disables file editor
define( 'DISALLOW_FILE_MODS', true ); // disables both file editor and installer
** It’s important to note that this will also prevent plugin updates. You will still be able to perform maintenance tasks using wp-cli, or manually via FTP.
Since attackers often take advantage of theme and plugin installers to install backdoors, this simple trick can make it harder for bad actors to create fake plugins to maintain unauthorized access.
These are just a few examples of how powerful the wp-config file can be in improving your website’s security — and we’ve outlined an extensive list of other WordPress hardening techniques in our guide.
What’s especially imperative is that website owners understand how to safely edit and rename their file; otherwise, it can lead to a broken website or sensitive data exposure.
How to Safely Rename wp-config to Avoid Data Exposure
While troubleshooting a problem, you may need to temporarily rename your wp-config.php file.
For example, after updating settings or database login credentials you may want to test a new file, so you temporarily rename your existing one to save the configuration.
What some admins may not know is that renaming the wp-config.php file by appending text at the end of the file extension can dump the source code and expose the contents of the file.
A PHP file needs to have the extension .php in order to properly execute the PHP code. Appending text to an existing file extension (like wp-config.php) prevents the PHP interpreter from reading and executing the code.
When text is appended to the end of the PHP file extension, the web server will (in most cases) return the contents of the renamed PHP file as plain text instead of executing it, allowing any attacker to retrieve all of your sensitive data from the renamed file with a simple GET request.
Let’s go over an example.
- You rename wp-config.php to wp-config.good while testing changes to your WordPress configuration files.
- The contents of wp-config.php are dumped into your new file and easily accessible.
- An attacker uses automated tools to crawl websites and sends GET requests for common file name variations.
- A bad actor identifies your MySQL database login information and obtains unauthorized access to your environment.
The unfortunate reality is that many hackers use automated tools like AnonymousFox to easily scan and identify their victims. Since attackers don’t know exactly how you might have renamed your wp-config.php file, they simply run a list of the most common renamed wp-config files.
As an example, here are some of the most common filename variations that attackers crawl for:
/wp-config.bak
/wp-config.good
/wp-config.php_
/wp-config.php~
/wp-config.php.0
/wp-config.php.1
/wp-config.php_1
/wp-config.php.2
/wp-config.php.3
/wp-config.php.4
/wp-config.php.5
/wp-config.php.6
/wp-config.php.7
/wp-config.php.8
/wp-config.php.9
/wp-config.php.a
/wp-config.php.b
/wp-config.php.backup
/wp-config.php-bak
/wp-config.php.bak
/wp-config.php_bak
/wp-config.php.bak1
/wp-config.php.bk
/wp-config.php.cust
/wp-config.php.disabled
/wp-config.php.new
/wp-config.php_new
/wp-config.php.old
/wp-config.php_Old
/wp-config.php.orig
/wp-config.php_orig
/wp-config.php-original
/wp-config.php.original
/wp-config.php_original
/wp-config.phporiginal
/wp-config.php.save
/wp-config.php.swn
/wp-config.php.swo
/wp-config.php.swp
By simply being aware of this technique and implementing best practices, you can sidestep this issue and prevent attackers from accessing sensitive data from your wp-config file.
The easiest way to prevent this issue in the first place is to rename your wp-config.php file by prepending text to it.
For example, instead of wp-config.php -> wp-config.good, try good-wp-config.php.
This applies not only to webmasters, but also web hosts or support providers who might be making this mistake during routine troubleshooting.
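To check an existing site for this mistake, the following Python script (an added example, not part of the original post) walks a web root, lists every wp-config copy, and flags those whose name does not end in .php while still containing DB_PASSWORD, along with any copy whose mode is looser than the 600 recommended earlier. The function names and the sample tree are constructed for illustration, and the script assumes that only names ending in .php are handed to the PHP handler.

```python
import os
import stat
import tempfile
from collections import namedtuple

Finding = namedtuple("Finding", "path served_as_text mode has_credentials")

def audit_wp_config_copies(webroot):
    """List wp-config copies under webroot and record what makes them risky."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if "wp-config" not in name.lower():
                continue
            full = os.path.join(dirpath, name)
            # Assumption: only names ending in .php reach the PHP handler;
            # any other name is returned to the client as plain text.
            served_as_text = not name.lower().endswith(".php")
            mode = stat.S_IMODE(os.stat(full).st_mode)
            with open(full, errors="replace") as fh:
                has_credentials = "DB_PASSWORD" in fh.read()
            findings.append(Finding(os.path.relpath(full, webroot),
                                    served_as_text, mode, has_credentials))
    return sorted(findings)

def exposed(findings):
    """Copies that hold credentials and would be served as source."""
    return [f.path for f in findings if f.served_as_text and f.has_credentials]

def too_permissive(findings):
    """Copies accessible to group or other, i.e. looser than 600."""
    return [f.path for f in findings if f.mode & 0o077]

def build_sample_tree():
    """Constructed web root: one live config, one safe and two unsafe renames."""
    root = tempfile.mkdtemp(prefix="webroot-")
    body = "<?php define( 'DB_PASSWORD', 'constructed-placeholder' );\n"
    for name, mode in [("wp-config.php", 0o600), ("good-wp-config.php", 0o600),
                       ("wp-config.good", 0o644), ("wp-config.php.bak", 0o600)]:
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    results = audit_wp_config_copies(build_sample_tree())
    print("served as source:", exposed(results))
    print("looser than 600:", too_permissive(results))
```

On a real server, call audit_wp_config_copies() with the site's document root instead of the sample tree.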
Web application firewalls can also help you deter any requests sent to wp-config.php or its renamed variants. Depending on your firewall provider, you may need to create a custom rule to block malicious activities.
The Sucuri web application firewall blocks these types of wp-config.* enumeration requests by default.
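To see whether this kind of enumeration has already reached a site, the access log can be checked for wp-config* requests. The following Python script is an added example, not part of the original post: the log lines are constructed, the combined log format is assumed, and the threshold of three distinct names per client is an arbitrary choice.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined log format: client, two ids, [time], "METHOD URL PROTO", status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) (\d+|-)')
# Any requested file whose name starts with wp-config, in any directory.
WP_CONFIG_RE = re.compile(r"/wp-config[^/]*$", re.IGNORECASE)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2024:04:12:01 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "scanner"
198.51.100.7 - - [10/Mar/2024:04:12:01 +0000] "GET /wp-config.php%7E HTTP/1.1" 404 196 "-" "scanner"
198.51.100.7 - - [10/Mar/2024:04:12:02 +0000] "GET /wp-config.good HTTP/1.1" 200 3128 "-" "scanner"
198.51.100.7 - - [10/Mar/2024:04:12:02 +0000] "GET /wp-config.php.old HTTP/1.1" 403 199 "-" "scanner"
203.0.113.20 - - [10/Mar/2024:09:30:44 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Mar/2024:09:31:10 +0000] "GET /wp-config.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

def scan(log_text, min_probes=3):
    """Return (clients enumerating wp-config names, paths that returned content)."""
    probes = defaultdict(set)
    leaked = set()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, url, status, size = m.groups()
        # Drop the query string and decode %-escapes such as %7E for "~".
        path = unquote(url.split("?", 1)[0])
        if not WP_CONFIG_RE.search(path):
            continue
        probes[client].add(path)
        # PHP executing wp-config.php prints nothing, so a 200 with a body
        # means the file was returned as source rather than executed.
        if status == "200" and size not in ("-", "0"):
            leaked.add(path)
    enumerators = sorted(c for c, paths in probes.items() if len(paths) >= min_probes)
    return enumerators, sorted(leaked)

if __name__ == "__main__":
    clients, leaks = scan(SAMPLE_LOG)
    print("enumerating clients:", clients)
    print("paths served with content:", leaks)
```

Any path reported as served with content should be treated as a credential exposure: remove the file and rotate the database password and salts.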