4 Ways: How to protect wp-config.php of your WordPress from hackers- simplified

WordPress is now the most using CMS all over world. So obviously the WordPress hackers are increased. This post will guide you to protect your WordPress from those hackers who interested to target your main security file named wp-config.php. We will see the different methods to protect wp-config.php file.

Image Rights reserved at respected owner.

What is wp-config.php?

The wp-config.php is a file inside your WordPress supporting files directory. It has the username and passwords for the MySql database, special signature of authority.

To know about wpconfig.php read this post:

Why hackers target wp-config.php mostly?

As mentioned above the file contains very sensitive and important password information the first target of any hacker is to edit or modify the wp-config.php file. Once the hacker got the access to this file it can harm your site in any way. It can delete your post or anything that harm your site.

What hackers can do after modifying your wp-config.php file?

  • They can delete your post
  • Add likes to any porn or spam websites behalf of you
  • Delete your hosting files.
  • Modify users of site.
  • Run illegal script on your site.
  • De-index you from search engines from Google.
  • Add 301 permanent redirect to your all site’s url to any other url

1)      By using .htaccess method:

.htcaccess is a file that exists inside the root directory of your hosting. This file can use to set control the visitors that coming in the root directory.

This is very simple.

Go to your root directory i.e. where your wp-config.php saved and you will find file named “.htcaccess” just edit it and add the following code to it.

<Files wp-config.php>
order allow,deny
deny from all

2)        By moving wp-config.php to other location:

To see how this can be done read this post:

3)       By setting permissions 644 from cpanel:

By default the permission all WordPress core files are set to 644 but sometimes when you edit files inside your cPanel and save it again the permission may change. It is very important to check the permissions because it you change the permission of any file by mistake then it will be very easy for hackers to hack your WordPress.

See image below, It is taken from file FTP client:

change wp file permission

change wp file permission

4) Set your own Secret keys inside wp-config.php file

Wp-config.php has many security keys. They are nothing random phases used for the security reasons. Use your own custom security keys can stop any hacking attack to your WordPress. You can generate random keys here.

Recommended Readings:

Join Our Newsletter

Join over 5,000 people who get free and fresh content delivered automatically each time we publish.

About Tushar Thakur

Tushar is founder of Xtendedview. He love to experiments on different gadgets, software/apps. He is professional blogger and Internet marketer. He is Interested in electronics and computers, Internet technology, Search Engine Optimization, Internet Marketing. Running online business and Blogs

Tushar has written 230 awesome articles for us.


  1. Very useful tips Tushar. Well WordPress blogs are easy to hack

  2. Very useful information, and quite on time for my site. Thanks!

  3. Can you tell me where to paste that code in htaccess?

  4. thanks for this useful information. please tell me where to paste .htaccess code ?

  5. how to protect wordpress blogs especially from sql injection attacks?

Previous Post:
Next Post: