The wp-config.php file is the heart of a WordPress site. It stores database connection details, authentication keys, and other critical configuration. If an attacker gains access to this file, they get full control over the site and database. That is why protecting wp-config.php is a central element of WordPress security. For Sayt.uz customers, when WordPress is installed, this file is automatically configured to be protected.
What wp-config.php stores
The file contains critical data needed for WordPress to function. DB_NAME, DB_USER, DB_PASSWORD, DB_HOST are database connection parameters. AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and other secret keys are used to encrypt cookies and sessions. $table_prefix is the database table prefix. WP_DEBUG and other configurations are also stored here. Each piece of data is valuable to an attacker because together they allow complete control over the site.
Blocking direct access via .htaccess
The first layer of protection is blocking direct browser access to the file. Add these rules to the .htaccess file in the WordPress folder:
<files wp-config.php>
order allow,deny
deny from all
</files>
This rule completely denies HTTP requests to the wp-config.php file. Now nobody can type site.uz/wp-config.php in a browser and read the file. Similar rules exist for Nginx: in the server configuration a deny all directive can be added inside a location block.
File permissions 600 or 400
The standard 644 permission is not sufficient for wp-config.php. For this file, 600 (read and write only for the owner) or even stricter 400 (read only for the owner) is recommended. Via SSH this can be done with: chmod 600 wp-config.php. Such restrictions prevent the file from being read by other hosting users or malicious scripts. WordPress works normally even with these strict permissions.
Moving the file above the root folder
A useful WordPress feature is that wp-config.php can be located outside the web root. If the standard location is /home/user/public_html/wp-config.php, it can be moved to /home/user/wp-config.php. In that case the file is completely inaccessible via browser. WordPress automatically finds wp-config.php in the folder above. This is a powerful protection method but does not work in all hosting environments; Sayt.uz hosting fully supports it.
Updating secret keys
AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY, and the corresponding SALT values in wp-config.php are keys for encrypting WordPress cookies and sessions. If your site has never changed these keys or they remain at default values, there is a serious risk. Get new random keys from api.wordpress.org/secret-key/1.1/salt/ and copy them into the file. Updating periodically (once a year) is recommended. Note that replacing the keys invalidates all existing login cookies, so every user is logged out and must sign in again.
Sayt.uz practice
On Sayt.uz hosting, during automatic WordPress installation, wp-config.php protection is configured fully. File permissions are set to 600, .htaccess blocking rules are added, and strong random secret keys are generated. In the WordPress Security section of the customer dashboard, the status of these settings can be checked and reconfigured if necessary. Our security system regularly checks the state of wp-config.php and notifies the customer if settings are broken.
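The three protections above (a blocking .htaccess rule, file mode 600 or 400, non-default secret keys) can be checked with a script like the following, added here as an example and not Sayt.uz's own tooling. It assumes Apache with .htaccess beside wp-config.php in the standard location, and the sample site it builds for its self-test is constructed, not a real install.

```shell
# Audit the wp-config.php protections described above: mode 600/400, an
# .htaccess rule blocking the file, and non-default secret keys/salts.
# Each check returns 0 (pass) or 1 (fail) so it can run from cron or CI.
KEYS='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'
# Octal mode of a file, e.g. 600 (GNU stat, with BSD stat as a fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Pass only for 600 or 400; the default 644 is a fail.
check_mode() {
    case "$(file_mode "$1")" in 600|400) return 0 ;; *) return 1 ;; esac
}

# Pass when .htaccess in the directory has a <Files wp-config.php> section that
# denies access in Apache 2.2 (deny from all) or 2.4 (Require all denied) syntax.
check_htaccess() {
    [ -f "$1/.htaccess" ] || return 1
    tr 'A-Z' 'a-z' < "$1/.htaccess" |
        sed -n '/<files *"\{0,1\}wp-config\.php"\{0,1\}>/,/<\/files>/p' |
        grep -qE 'deny from all|require all denied'
}

# Pass when every key/salt is defined, at least 32 characters long, and not
# the wp-config-sample.php placeholder "put your unique phrase here".
check_salts() {
    for k in $KEYS; do
        v=$(sed -n "s/^define( *'$k', *'\(.*\)' *);.*/\1/p" "$1")
        [ "${#v}" -ge 32 ] || return 1
        case "$v" in *'put your unique phrase here'*) return 1 ;; esac
    done
}
# Run all checks on a WordPress directory and print each failure.
audit_wp_config() {
    f="$1/wp-config.php"; rc=0
    check_mode "$f"     || { echo "FAIL: $f has mode $(file_mode "$f"), want 600 or 400"; rc=1; }
    check_htaccess "$1" || { echo "FAIL: no deny rule for wp-config.php in $1/.htaccess"; rc=1; }
    check_salts "$f"    || { echo "FAIL: placeholder or short secret key/salt in $f"; rc=1; }
    return "$rc"
}

# Constructed sample site (not a real install) for a self-test; prints its path.
make_sample_site() {
    d=$(mktemp -d)
    printf '%s\n' '<Files "wp-config.php">' 'Require all denied' '</Files>' > "$d/.htaccess"
    { echo '<?php'; for k in $KEYS; do
        echo "define( '$k', 'constructed-sample-value-$k-0123456789abcdef' );"; done
    } > "$d/wp-config.php"
    chmod 600 "$d/wp-config.php"
    echo "$d"
}
```

Run `audit_wp_config /path/to/wordpress` against a real site; a non-zero exit with FAIL lines means one of the protections is missing.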
Restricted permissions for DB_USER
Along with protecting wp-config.php, the database user permissions should also be restricted. For WordPress, a user with SELECT, INSERT, UPDATE, DELETE, and CREATE TABLE rights is sufficient. Dangerous permissions like GRANT, DROP DATABASE, SUPER should not be granted. Even if an attacker reads wp-config.php and uses the password, restricted permissions mean they can only work with the tables of this site, not read other databases.