How to protect wp-config.php via .htaccess file

WordPress is one of the most popular blogging and CMS systems in the world. While there are huge numbers of tutorials on how to install it easily, there is a gaping hole when it comes to securing your WordPress installation. WordPress still has potential vulnerabilities that are left unattended, so we have to pay attention and make sure we close every possible back door into our website.

There are many things we can do to secure a WordPress installation, and in this tutorial we will cover just one of them: protecting wp-config.php via the .htaccess file.

What is wp-config.php

wp-config.php is the most crucial file in a WordPress system, as it contains very sensitive information about your installation: the database name, the database credentials, the authentication keys and salts, and other settings the CMS needs in order to run. Normally Apache hands the file to PHP, which executes it and outputs nothing; the danger is when PHP is not running or is misconfigured, or when a copy such as wp-config.php.bak is left next to it, because then the file is served to the visitor as plain text. Can you imagine what happens if someone gains unauthorized access to this file? Because of this we have to do everything we can to deny access to it to anybody but WordPress itself.

What is .htaccess

An .htaccess file is an optional Apache configuration file that can reside in any folder of your website. For WordPress you will find it in the public_html folder, or in whichever folder you installed WordPress.

You can store various settings in the .htaccess file, and in this way you can configure the web server for that folder without touching the main Apache configuration. Note that Apache only honours it when the server's AllowOverride setting permits it.

NOTE: Before you start editing the .htaccess file, make a safe copy and back up your original .htaccess, because if you are not careful or don't know what you are doing you can easily break your website. SO, BACK UP FIRST!

Connect to your web server via FTP (preferably SFTP) and, in the public_html folder (or whichever folder you installed WordPress in), find the file .htaccess.


NOTE: Remember to back up .htaccess first. Now is a good time to do it, before we start editing.

Download the .htaccess file to your PC and open it in, let's say, plain old Notepad (you can use any text editor).

When you open the file it usually looks like this, if you have not changed or added anything before:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

After this, add the following code below the WordPress block:

## PROTECT WP-CONFIG ##
<Files wp-config.php>
order allow,deny
deny from all
</Files>
## PROTECT WP-CONFIG ##

One caveat before you upload it: "order allow,deny" and "deny from all" are Apache 2.2 directives. Apache 2.4 only understands them when the mod_access_compat module is loaded; without it Apache refuses to parse the .htaccess file at all, and every page on the site answers with a 500 error. On Apache 2.4 the equivalent directive is "Require all denied", so check which version your host runs, or ask them, before you make the change.

Save your .htaccess file (note that there is a DOT in front of the filename),

and now the complete .htaccess file should look like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

## PROTECT WP-CONFIG ##
<Files wp-config.php>
order allow,deny
deny from all
</Files>
## PROTECT WP-CONFIG ##

Now upload your new .htaccess back to your website, into the same folder.
Be sure to check your website after uploading and confirm that everything still works. Then request wp-config.php directly in your browser (for example https://your-site/wp-config.php): the server should answer 403 Forbidden. If you get a 500 error instead, your server is most likely Apache 2.4 without mod_access_compat; restore the backup and use the Apache 2.4 syntax mentioned above.
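The procedure above is done by hand over FTP. As an added example (not code from the original tutorial), here is a small POSIX shell script that does the same job in a form that also covers the two pitfalls mentioned above: it installs a fragment that works on both Apache 2.2 and 2.4, it extends the match to forgotten copies such as wp-config.php.bak, it keeps a backup of .htaccess before touching it, and it checks the result with curl. The paths /var/www/html and the URL https://example.com in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original tutorial. Helpers for the
# wp-config.php protection described above; the paths and the URL in the
# comments are assumptions for illustration.
#
# The tutorial's snippet uses "Order allow,deny / Deny from all", which is
# Apache 2.2 syntax. Apache 2.4 only accepts it with mod_access_compat
# loaded; without it Apache rejects the whole .htaccess and the site
# answers 500. The fragment below works on both versions, and it uses
# FilesMatch so that forgotten copies (wp-config.php.bak, wp-config.php~,
# ...) are covered too, which a plain <Files wp-config.php> match is not.

# Print the .htaccess fragment to install.
hardened_wpconfig_block() {
    cat <<'EOF'
## PROTECT WP-CONFIG ##
<FilesMatch "^wp-config\.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
## PROTECT WP-CONFIG ##
EOF
}

# Append the fragment to an .htaccess file. Keeps a timestamped backup
# (Apache never serves files whose name starts with ".ht", so the backup is
# safe in the web root) and refuses to add the block a second time.
# Usage: install_wpconfig_protection /var/www/html/.htaccess
install_wpconfig_protection() {
    htaccess=$1
    if [ -f "$htaccess" ] && grep -q '## PROTECT WP-CONFIG ##' "$htaccess"; then
        echo "already protected: $htaccess"
        return 0
    fi
    if [ -f "$htaccess" ]; then
        cp -p "$htaccess" "$htaccess.bak.$(date +%Y%m%d%H%M%S)"
        if [ -s "$htaccess" ]; then
            printf '\n' >> "$htaccess"   # blank line after the WordPress block
        fi
    fi
    hardened_wpconfig_block >> "$htaccess"
    echo "protected: $htaccess"
}

# List wp-config.php copies left next to the real one (editor backups,
# .bak/.orig/.save files). The tutorial's <Files wp-config.php> matches none
# of them, and Apache would serve them as plain text.
# Usage: find_wpconfig_leftovers /var/www/html
find_wpconfig_leftovers() {
    find "$1" -maxdepth 1 -type f -name 'wp-config.php?*' | sort
}

# After uploading, confirm the server really refuses the file: 403 is what
# we want; 200 means the block is not in effect (or AllowOverride forbids
# .htaccess); 500 usually means Apache 2.4 rejected the 2.2-only syntax.
# Usage: check_wpconfig_blocked https://example.com   (needs network access)
check_wpconfig_blocked() {
    code=$(curl -s -o /dev/null -w '%{http_code}' "$1/wp-config.php")
    if [ "$code" = 403 ]; then
        echo "ok: $1/wp-config.php -> $code"
    else
        echo "PROBLEM: $1/wp-config.php -> $code"
        return 1
    fi
}

# "sh harden-wp-config.sh demo" exercises the helpers on a throwaway
# directory with a constructed .htaccess and a typical leftover file.
demo() {
    root=$(mktemp -d)
    printf '# BEGIN WordPress\n# END WordPress\n' > "$root/.htaccess"
    : > "$root/wp-config.php"
    : > "$root/wp-config.php.bak"
    install_wpconfig_protection "$root/.htaccess"
    install_wpconfig_protection "$root/.htaccess"   # no-op the second time
    cat "$root/.htaccess"
    echo "leftovers:"
    find_wpconfig_leftovers "$root"
    rm -rf "$root"
}
case "${1:-}" in demo) demo ;; esac
```

Run it with "sh harden-wp-config.sh demo" to see the resulting .htaccess on a throwaway directory, then point install_wpconfig_protection at the real file over SSH and finish with check_wpconfig_blocked against your site. The nested <IfModule> pair is what makes the fragment portable: Apache skips the contents of an <IfModule> whose test is false, so the 2.2-only directives are never parsed on a 2.4 server.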

That's it. Keep an eye on www.it-tutorials.net, as we will continue with similar tutorials on how to secure your WordPress, and more. On our website you will find a lot of tips and tricks for every IT field!


Bojan Markovic

IT professional with almost 20 years of experience, mostly integrator of IT services in TV & Radio broadcasting and web based projects. Expert in broadcasting playout systems, video streaming services and SEO.
