How to Make WordPress Somewhat Safer

Somebody asked me how to “make WordPress somewhat  safer”, well here is my answer. I’m keeping this short and to the point, m’kay?

Move wp-config.php

One of the things many people tell others to do when inquiring about “making WordPress safer” is to relocate wp-config.php, ideally above the document root – that’s to say, away from where it can be accessed via the web by Joe Schmoe and Jane Broad. That’s fine.

So move your wp-config.php to /home/yourusrname/wp-config.php

Before this move, it should have looked somewhat like:



And now:


Now, to make it even better we create a “dummy” wp-config.php at the old location, i.e:


Fill this file with this code:



if (eregi("wp-config.php", $_SERVER[‘PHP_SELF’])) {
header(‘HTTP/1.0 403 Forbidden’);
exit(‘k0nsl-nginx: Forbidden.’);

if ( !defined(‘ABSPATH’) )
define(‘ABSPATH’, dirname(__FILE__) . ‘/’);

require_once(ABSPATH . ‘../PATH/TO/wp-config.php’);


Make sure you get the paths right. The first line of code is perhaps unnecessary, but it basically tells people that direct access to your “dummy” wp-config.php isn’t allowed.

This is one step in making WordPress somewhat safer. If somebody has any tips to further improve this response, feel free to comment on it. 

One Comment

Add a Comment

Your email address will not be published. Required fields are marked *