Simplest way to move your wp-config.php file to another location in WordPress for security

Protecting your WordPress website from hackers is very essential in day to day world because hackers are increasing now. Thousands of WordPress blogs get hacked daily due to poor security and hosting company issues.

wordpress-security simplyfied

Img: credit

What is wp-config.php?


WordPress is just an operating system very similar our famous window operating system. As in case of window there are many files which required running the windows. Similarly WordPress has many .php files that have their own functions. The wp-config.php file is present in self hosted WordPress site and it is used for storing many confidential parameters like WordPress database name, password, authentication keys etc. first time run of any WordPress installation creates the wp-config.php file.

How to protect your WordPress website by moving the wp-config.php t another secrete location?


After discussing too many possibilities of hacking we should have a perfect way to protect your wp-config.php file. The best way to protect the wp-config.php file from hackers is that move it to another location which is not accessible from area outside of cPanel. Because the cpanel is only accessible to the website owner and it will be better for that.

Procedure to change the default location of wp-config.php in WordPress:

First this is that the wp-config.php is located in your main root folder of the hosting under public_html. So in simple language it is

We change its location to a area which is outside of public_html.

  • Inside your cpanel click on file manager and click on home and create another folder outside the public_html area.
  • Then move your original wp-config.php file to this folder. (In this I created a folder name conff) See the image

 move wp-config.php file

  • Create a file name wp-config.php in your pc by using the notepad and paste the following code in it.

move wp-config.php

[php]<!–?php <br ?–>include(‘/home/<strong>YOURUSERNAME</strong>/conff/wp=config.php’);

In above code replace the YOURUSERNAME with your one. See the image for more detail.

  • Now upload the file in your public_html  at where your original wp-config.php file was.

So now we have successfully changed the default location of your file.

Possible Errors during this method:

  • Fatal error message:

If you are getting this type of error

Fatal error: Call to undefined function wp() in /wp-blog-header.php on line xx

That means you have not written the correct usename and the path to your new location of wp-config.php. So check the path and usename.


  • Error saying that there is no wp-config.php file:

If you are getting such error then it means that you have not uploaded that new wp-config.php file to your cpanel public_html .

If you still facing any error feel free to comment here.

Some wordpress related post that you must read:

Join Our Newsletter

Join over 5,000 people who get free and fresh content delivered automatically each time we publish.

About Tushar Thakur

Tushar is founder of Xtendedview. He love to experiments on different gadgets, software/apps. He is professional blogger and Internet marketer. He is Interested in electronics and computers, Internet technology, Search Engine Optimization, Internet Marketing. Running online business and Blogs

Tushar has written 230 awesome articles for us.


  1. Hi there,

    A great basic way of keeping out the automatic hacker bots, is by changing the WordPress table prefix.

    The WordPress table prefix is wp_ by default. You can change this prior to installing WordPress by changing the $table_prefix value in your wp-config.php file.

    If a hacker is able to exploit your website using SQL Injection, this will make it harder for them to guess your table names and quite possibly keep them from doing SQL Injection at all. SQL Injection happens when a developer accepts user input that is directly placed into a SQL Statement and doesn’t properly filter out dangerous characters.

    This can allow an attacker to not only steal data from your database, but also modify and delete it. Make sure you take a good backup before doing this though, and perform it at your own risk.



  2. instead of using the ‘home/username/conff/wp-config.php’ that reveals the username

    use ‘../conff/wp-config.php’

Previous Post:
Next Post: