How To Move Your wp-config.php File to Secure Your WordPress Site

Moving your wp-config.php file is quick, easy and will help secure your site from hackers and botnets.

The wp-config.php file is very important as it contains the name of the WordPress database, the server it is located on and the admin username and password to access it.

Some common names for the HTML web folder are: public_html, webroot and root.

We will refer to is as the public_html folder in this post.

Usually, this is not the top-level folder that you have access to and if you open up a File Manager instance you will likely see lots more folders at the same level as public_html.

These top-level folders are all required by the various services that go together to make your web hosting package work, such as FTP or email.

Although you have access to your actual “home” or “root” folder through FTP or cPanel or Plesk’s File Manager, you can’t access anything in there from your website.

As far as the web server is concerned, the public_html folder is at the top-level for serving files to a web browser.

Moving the wp-config.php file

So, you can move the wp-config.php file into your root folder somewhere and keep it safely hidden away.

Your WordPress site’s most important file is the wp-config.php file which by default is found in the HTML web folder of your hosting plan account.

The file may also contain other important information such as FTP username and passwords as well as the SALT keys it uses to encrypt login cookies.

Keeping it safe and out of access is a good idea.

WordPress will automatically look for your wp-config.php file one folder above your public_html folder, so you can easily move it to your root folder without causing any issues.

If you would like to move it to another folder you have created in the root, you will have to add a little bit of additional code to tell WordPress where the file is.

You will only need to do this once.

For example, if you have created a folder called “wpsecret” in the top level root folder, and moved your wp-config.php file in there, you will have to do the following.

Create a new replacement wp-config.php file in your public_html (WordPress site) folder and add the following code:


/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Location of your WordPress configuration. */
require_once(ABSPATH . '../wpsecret/wp-config.php');

Replace “wpsecret” with the folder name you created.

Open_basedir Issue

If, after doing the above, you receive a PHP error about “open_basedir” you will have to get your hosting company to add your folder name to the PHP configuration file.

It’s unlikely that you will have access to the php.ini PHP configuration file, but if you do you can add the folder yourself, making note to add the full server pathname which you can get from the sidebar in cPanel or Plesk.

An example of the full path may be some thing like “/var/www/vhosts/wp-wingman.com/wpsecret”.

In the php.in file, find the open_basedir directive and append your new folder pathname to the line within the quotes using a semicolon as a separator.

Here’s an example:

open_basedir = "/var/www/vhosts/wp-wingman.com/httpdocs/;/var/www/vhosts/wp-wingman.com/wpsecret/;/tmp"

Once that’s done, WordPress will find the configuration file and start normally.

Your wp-config.php file is now safe from being accessed by normal web scripts.

Frequently Asked Questions

Q1: Denying access to wp-config.php is good enough

“I changed the file permissions on wp-config.php in the public_html folder to deny public read access so it’s completely safe right?”

A: Not “completely”.

Imagine the scenario where your hosting environment gets reset, say during an operating system update or WHM/cPanel update and your server defaults for a virtual host are: no PHP, no .htaccessallow from all.

Suddenly your wp-config.php file is accessible as a text document for anyone to read!


Configuration files should always always always be located outside the web root folder.

Having multiple levels of security built in to your web site’s architecture is a good thing to do.

This is just one item on a list of many that we perform on all our WordPress Site care customers.

Find out which WordPress site care packages are best for your business or contact us for more information.

Posted in


Wil is a dad, consultant, developer, conference organiser, speaker and business mentor. He co-organizes the WordPress Sydney meetup group and has been on the organising committee for WordCamp Sydney since 2014. He speaks at many special events and contributes to the WordPress open source project. His likes are chillies, craft beer and electrogravitics.
Scroll to Top