The wp-config.php file is the heart of your WordPress installation. It contains your database credentials, security salts, and core configuration settings. Because it holds the keys to your entire site, it is a primary target for attackers. One of the most debated security hardening techniques is moving this file one directory above your web root.

In this guide, we will explore why you should consider moving your configuration file, the technical implementation details, and the potential downsides you need to weigh before making the change.

Why Move wp-config.php Outside the Web Root?

The primary reason to move wp-config.php is to protect it from being served as plain text. Under normal circumstances, your web server (Apache or Nginx) passes .php files to the PHP interpreter, which executes the code and sends only the output to the browser. Since wp-config.php only defines constants and doesn't output anything, a browser request to your-site.com/wp-config.php usually results in a blank page.

However, server environments are not always stable. Bugs in control panels like Plesk or cPanel, or accidental misconfigurations during server updates, can temporarily disable the PHP handler. If PHP is disabled and your configuration file remains in the web root, any visitor can download it and view your database password and security salts in plain text.

By moving the file one level higher than your public_html or httpdocs folder, you ensure that even if the PHP engine fails, the file is physically inaccessible via a URL request.

How to Move the File Correctly

WordPress is designed with this security measure in mind. By default, WordPress will automatically look for wp-config.php in the directory one level above your WordPress installation if it cannot find it in the root folder. The one condition is that the parent directory must not itself contain a wp-settings.php file; if it does, WordPress assumes the parent is a separate installation and will not use its configuration file.

The Standard Move

If your WordPress site is located in /var/www/vhosts/example.com/httpdocs/, you can simply move the file to /var/www/vhosts/example.com/. No further code changes are required; WordPress will find it automatically.

The "Bridge" Method for Custom Locations

If you want to move the file to a specific subdirectory (e.g., /var/www/vhosts/example.com/secure/), WordPress won't find it automatically. In this case, you can leave a "dummy" wp-config.php in your root folder that points to the real one:

<?php
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Location of your WordPress configuration. */
require_once(ABSPATH . '../secure/wp-config.php');

Configuring Server Permissions and open_basedir

Moving the file is only half the battle. You must ensure your server has the correct permissions to read the file while preventing others from doing the same.

Adjusting open_basedir

If your server uses the open_basedir restriction (common in shared hosting), PHP may be blocked from reaching files outside the web root. You will need to update your PHP configuration to include the new directory (for the standard move, the parent of the web root; for the bridge method, the custom directory). On Linux the entries are separated by a colon; a semicolon is only correct on Windows:

open_basedir = "/var/www/vhosts/example.com/httpdocs/:/var/www/vhosts/example.com/secure/:/tmp/"

Setting File Permissions

You should restrict access to wp-config.php so that only the owner and the web server can read it. Typically, a permission level of 400 (owner read only) or 440 (owner and group read) is ideal; in both cases the file must be owned by, or group-readable to, the account that runs PHP. If you use plugins that need to write to the file (like some caching plugins), you may need to use 600.
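To tie the lookup order and the two server-side checks above together, here is an added shell example (not code from the article or from WordPress). The function names are hypothetical; it assumes GNU stat and the Linux colon separator for open_basedir.

```shell
#!/bin/sh
# Added example (hypothetical helpers, not WordPress code). Reproduces the
# wp-config.php lookup order and audits the result. GNU stat assumed.

# Mirror wp-load.php: prefer DOCROOT/wp-config.php (a "bridge" file counts);
# otherwise fall back to the parent directory, but only when the parent is
# not itself a WordPress install (no wp-settings.php there).
# Prints the resolved path; returns 1 if neither location has the file.
wp_find_config() {
    docroot=$1
    if [ -f "$docroot/wp-config.php" ]; then
        printf '%s\n' "$docroot/wp-config.php"
    elif [ -f "$docroot/../wp-config.php" ] && [ ! -f "$docroot/../wp-settings.php" ]; then
        printf '%s\n' "$(cd "$docroot/.." && pwd)/wp-config.php"
    else
        return 1
    fi
}

# Return 0 when the "others" class has no read bit (400, 440, 600 ...),
# 1 when the file is world-readable (644, 664 ...).
wp_config_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in *[4567]) return 1 ;; *) return 0 ;; esac
}

# Return 0 when an open_basedir value (colon-separated on Linux) covers the
# directory holding the config file. PHP treats an entry without a trailing
# slash as a plain prefix, so "/srv/a" would also allow "/srv/ab/".
wp_open_basedir_allows() {
    [ -z "$1" ] && return 0   # empty value: no restriction at all
    cfg_dir=$(cd "$2" && pwd)/
    old_ifs=$IFS; IFS=':'; set -f; set -- $1; set +f; IFS=$old_ifs
    for entry in "$@"; do
        case "$cfg_dir" in "$entry"*) return 0 ;; esac
    done
    return 1
}

# Usage: wp_config_audit DOCROOT OPEN_BASEDIR_VALUE
wp_config_audit() {
    cfg=$(wp_find_config "$1") || { echo "no wp-config.php found"; return 1; }
    echo "config: $cfg"
    case "$cfg" in "$1"/*) echo "WARNING: still inside the web root" ;; esac
    wp_config_perms_ok "$cfg" || echo "WARNING: world-readable ($(stat -c '%a' "$cfg"))"
    wp_open_basedir_allows "$2" "$(dirname "$cfg")" \
        || echo "WARNING: open_basedir does not allow $(dirname "$cfg")"
}
```

Run `wp_config_audit /var/www/vhosts/example.com/httpdocs "$(php -r 'echo ini_get("open_basedir");')"` on the host to get a one-screen report after the move.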

Alternative: Protecting the File via .htaccess

If you cannot move the file due to hosting restrictions, you can achieve a similar level of protection using your .htaccess file (for Apache servers; Nginx does not read .htaccess, and Apache only honours it when AllowOverride permits). Add this snippet to the very top of your file. The original Order/Deny directives are Apache 2.2 syntax; Apache 2.4 uses Require, so the block below selects the right form for either version:

<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

This tells the web server to block all external requests for the file, regardless of whether PHP is functioning correctly. Confirm the rule works by requesting /wp-config.php in a browser and checking for a 403 response.

The Counter-Argument: Is it Security by Obscurity?

Some developers argue that moving wp-config.php offers little real benefit. Their reasoning is that if an attacker has gained enough access to read files on your server, they already have the permissions needed to find the relocated file or inject code into your site to steal the database constants anyway.

Furthermore, because WordPress constants like DB_PASSWORD are global, a poorly written plugin or theme with a vulnerability (like a Local File Inclusion or Remote Code Execution bug) can still expose these values, even if the file is outside the web root. For example, an attacker could inject a script that simply runs:

var_dump( DB_NAME, DB_USER, DB_PASSWORD );

Wrapping Up

While moving wp-config.php is not a "silver bullet" that will stop a dedicated hacker who has already breached your server, it is a valuable layer in a "defense in depth" strategy. It specifically protects you against server misconfigurations and accidental plain-text exposure.

Key Takeaways:

- Native Support: WordPress natively looks one directory above the root for the config file.
- Prevent Exposure: It stops database credentials from being downloaded if PHP fails.
- Permissions Matter: Always use strict file permissions (400 or 440) regardless of the file's location.
- Holistic Security: Moving the file is not a substitute for keeping plugins updated and using strong passwords.