WordPress is an extremely flexible and powerful content management system that many individuals and organizations rely on for blog hosting, news publications and many other types of websites. Its popularity also means that attackers may target your WordPress site using some of the common weak spots that inexperienced users tend to leave vulnerable. Fortunately, it is not difficult to harden your WordPress installation, and you can start by securing your configuration file: wp-config.php.
One of the first changes you can make is to utilize the .htaccess file you likely already have in your document directory for permalinks. If you do not already have an .htaccess file, create one, and enter the following lines at the top:
# WP-Config protection
Deny from all
This code will prevent outside parties from even attempting to download the contents of your wordpress configuration file. Upon accessing it via a web browser, users will receive a “403 Forbidden” error.
You should also make sure that the general server permissions do not allow anyone but the file owners to access them. Ideally, on a Unix or Linux server, these should be 640 file permissions. Simply run the command:
chmod 640 wp-config.php
If you do not have command line access, you can use your file transfer program to set the permissions to
Many web hosts will already have the default file permissions for files set to something secure like this anyway. If your WordPress installation will not function with 640 permissions, you should consult your web host to discuss the web server’s security.