The wp-config.php file contains sensitive information, such as database information (database name, username, password, and host), authentication keys, and the prefix for the database tables. For this reason, it is the main target for hackers attempting to exploit vulnerabilities in your WordPress site. Protecting this file is essential for every WordPress administrator.
In a previous tip we examined how to keep your wp-config.php file secure by using correct file permissions.
One other simple method to protect your configuration file is to move the file outside the public folder.

WordPress supports this by default. If your site lives in a folder named public_html, you can place wp-config.php in the directory above it. WordPress will still find it, but visitors won’t be able to reach it through a browser.

WordPress is flexible about where this file lives, but only within certain boundaries. If you move it somewhere unexpected, you need to understand what WordPress can and cannot detect automatically.
Let’s break it down clearly.
WordPress only auto-detects one alternative location
By default, WordPress looks for wp-config.php in:
1. The root WordPress directory
2. One level above the root directory
That’s it. Those are the only two locations WordPress will search automatically.

If you move it anywhere else — even if it’s just one folder deeper — WordPress will not find it on its own.
What if you moved the configuration file somewhere else?
If you placed it in a different directory, you must manually tell WordPress where it is. You do this by creating a small “pointer” file in the original location.
Here’s how.
- Keep your real wp-config.php in the custom location /var/secure-config/wp-config.php
- Create a new wp-config.php in the WordPress root
This file only needs one line:
<?php require_once('/var/secure-config/wp-config.php');
Now WordPress will load the real file from wherever you placed it.
Important notes when using a custom location
- The path must be absolute. Relative paths often break depending on server configuration.
- The directory must be readable by PHP. If PHP cannot read the file, WordPress will fail silently.
- Avoid placing it inside public folders. For example, don’t put it inside: /var/www/html/some-public-folder/. If the folder is web-accessible, you lose the security benefit.
- Keep permissions strict. Even in a custom location, use:
chmod 400 wp-config.php
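The checks in these notes can be scripted. The shell function below is an added example, not part of the original tip or of WordPress itself; the name audit_wp_config and its two arguments (WordPress root and web root) are assumptions made here. It goes slightly beyond the notes by also replaying the two-location lookup described earlier, so it reports when WordPress would not find the file at all.

```shell
#!/bin/sh
# Audit where WordPress will load wp-config.php from and whether that file is safe.
# Usage: audit_wp_config WP_ROOT DOCROOT   (hypothetical example arguments)
# Prints one line per finding; returns 0 when nothing failed, 1 otherwise.
audit_wp_config() {
    wp_root=$(cd "$1" && pwd -P) || return 1
    docroot=$(cd "$2" && pwd -P) || return 1
    rc=0
    # WordPress checks only two places: its root, then one level above.
    # (Core skips the parent if it holds its own wp-settings.php, i.e. another install.)
    if [ -f "$wp_root/wp-config.php" ]; then
        cfg="$wp_root/wp-config.php"
    elif [ -f "$wp_root/../wp-config.php" ] && [ ! -f "$wp_root/../wp-settings.php" ]; then
        cfg="$(dirname "$wp_root")/wp-config.php"
    else
        echo "FAIL no wp-config.php in $wp_root or one level above"; return 1
    fi
    # A pointer file in the root: follow its require_once('...') target.
    target=$(sed -n "s/.*require_once[ (]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
    if [ -n "$target" ]; then
        case $target in
            /*) echo "OK   pointer uses absolute path $target" ;;
            *)  echo "FAIL pointer uses relative path $target"; return 1 ;;
        esac
        [ -r "$target" ] || { echo "FAIL $target is not readable"; return 1; }
        cfg=$target
    fi
    # The real file must not sit under the web-accessible directory.
    real_dir=$(cd "$(dirname "$cfg")" && pwd -P)
    case $real_dir/ in
        "$docroot"/*) echo "FAIL real config is inside docroot: $cfg"; rc=1 ;;
        *)            echo "OK   real config is outside docroot: $cfg" ;;
    esac
    # Strict permissions: no group/other bits (chmod 400 shows as -r--------).
    perms=$(ls -ld "$cfg" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        echo "OK   no group/other access on $cfg"
    else
        echo "FAIL group/other bits set ($perms) on $cfg; use chmod 400"; rc=1
    fi
    return $rc
}
```

Run the readability check as the account PHP executes under; run as root it will always pass.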
When you should NOT move it elsewhere
Avoid custom locations if:
• You’re on shared hosting
• You’re not comfortable editing server paths
• You don’t have SSH access
• You’re unsure how your host structures PHP execution
In these cases, the standard “one level up” move is safer and simpler.
Quick summary on moving the config file to a different directory
If you moved wp-config.php somewhere other than one level above WordPress, WordPress will not find it automatically.
You must create a small loader file in the WordPress root. Use require_once() with an absolute path, keep permissions strict, and make sure the directory is not publicly accessible.
Conclusion
It’s crucial to keep configuration files outside the web root folder. WordPress supports placing the file one level up by default, but you have the option to place it somewhere else, provided that you know what you are doing.
Securing your configuration files by implementing multiple security layers (like this) in your website’s architecture is a smart move that can protect your site from being hacked.