WordPress is now the most using CMS all over world. So obviously the WordPress hackers are increased. This post will guide you to protect your WordPress from those hackers who interested to target your main security file named wp-config.php. We will see the different methods to protect wp-config.php file.
Image Rights reserved at respected owner.
What is wp-config.php?
The wp-config.php is a file inside your WordPress supporting files directory. It has the username and passwords for the MySql database, special signature of authority.
To know about wpconfig.php read this post:
Why hackers target wp-config.php mostly?
As mentioned above the file contains very sensitive and important password information the first target of any hacker is to edit or modify the wp-config.php file. Once the hacker got the access to this file it can harm your site in any way. It can delete your post or anything that harm your site.
What hackers can do after modifying your wp-config.php file?
- They can delete your post
- Add likes to any spam websites behalf of you
- Delete your hosting files.
- Modify users of site.
- Run illegal script on your site.
- De-index you from search engines from Google.
- Add 301 permanent redirect to your all site’s url to any other url
1) By using .htaccess method:
.htcaccess is a file that exists inside the root directory of your hosting. This file can use to set control the visitors that coming in the root directory.
This is very simple.
Go to your root directory i.e. where your wp-config.php saved and you will find file named “.htcaccess” just edit it and add the following code to it.
deny from all
2) By moving wp-config.php to other location:
To see how this can be done read this post:
3) By setting permissions 644 from cpanel:
By default the permission all WordPress core files are set to 644 but sometimes when you edit files inside your cPanel and save it again the permission may change. It is very important to check the permissions because it you change the permission of any file by mistake then it will be very easy for hackers to hack your WordPress.
See image below, It is taken from file FTP client:
4) Set your own Secret keys inside wp-config.php file
Wp-config.php has many security keys. They are nothing random phases used for the security reasons. Use your own custom security keys can stop any hacking attack to your WordPress. You can generate random keys here.
Rudraksh Pathak says
Very useful tips Tushar. Well WordPress blogs are easy to hack
Thank you for the comment. :))
Very useful information, and quite on time for my site. Thanks!
You are welcome. 🙂
Can you tell me where to paste that code in htaccess?
Just paste the code in the last.
thanks for this useful information. please tell me where to paste .htaccess code ?
Go to your Cpanel and edit the .htcaccess file and put the code in the last line.
how to protect wordpress blogs especially from sql injection attacks?
Rick Ainso says
Valuable piece of content.
Kevin Emma says
Thanks for helping! But I think some plugin will conflict this .htacesss modification, isn’t it right?
Scott Brown says
I am having issues with hackers.
I have tried steps 1, 2 & 3.
I have found that a hacker is injecting code at the start of the wp-config.php file.
Moving this file will not stop this injection as the wp-config.php file is still in the root directory.
Do you have any other suggections?
Tushar Thakur says
Did you tried to contact Hosting provider?