Password in wp-config. Dangerous?

The question:

I don’t know a lot of WordPress yet, and I’m just wondering:

Before installation you have to fill in the correct data in wp-config-sample.php, but this also includes the database password. Isn’t that dangerous? I mean, can someone explain how this is protected from just reading the file and thus getting the password of your DB?

The Solutions:

Below are the answers collected from the thread, with the most complete one first. Read each one and apply what fits your server setup rather than copying it blindly.

Method 1

The “Hardening WordPress” page of the Codex contains a section on “Securing wp-config.php”. It includes changing the permissions to 440 or 400. You can also move the wp-config file one directory up from the root if your server configuration allows for that.

Of course there is some danger to having a file with the password like this if someone gets access to your server, but, honestly, at that point they already are in your server.

Finally, you don’t have much of a choice. I’ve never seen an alternate means of configuring WordPress. You can lock it down as much as you can, but this is how WordPress is built, and if it were a serious security threat, they wouldn’t do it that way.

Method 2

To make a case for keeping your config file one level up from the web root (as mrwweb suggested): a few months ago, an automatic update on a production server of ours killed PHP but left Apache running. So everyone coming to the homepage was being offered index.php as a download. In theory, anybody who knew it was a WordPress site could have requested wp-config.php and gotten it (had it been in the web root). Of course, they’d only be able to use those DB credentials if we allowed remote MySQL connections, but still, not cool. I realize this is a fringe case, but it’s so easy to keep your config out of sight, why not do it?
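The two steps recommended above (tighten the mode to 440 or 400, and move wp-config.php one directory above the document root so a misconfigured web server can never hand it out as a plain file) can be done and verified from a shell. The script below is an added example and is not code from the thread or from WordPress. It assumes a standard layout where the document root contains wp-settings.php, and it relies on the documented WordPress behaviour that wp-load.php falls back to the parent directory for wp-config.php when that parent does not itself contain wp-settings.php. The path names and the sample config contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): harden wp-config.php by
# moving it above the document root and restricting its permission bits.

# Print a file's octal mode portably: GNU stat first, then BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when the mode leaves no read/write bits for "other" and no write
# bit for "group": the Codex values 400/440, plus 600/640, which are common
# when the PHP worker runs as the file owner. Anything else is rejected.
wpconfig_mode_ok() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        400|440|600|640) return 0 ;;
        *) return 1 ;;
    esac
}

# Move wp-config.php from $1 (the document root) to its parent directory and
# set it to 440. WordPress only consults the parent directory when that
# directory does not contain wp-settings.php, so refuse to move the file if
# the parent looks like another WordPress root (assumed precondition).
harden_wp_config() {
    docroot=$1
    parent=$(dirname "$docroot")
    if [ -e "$parent/wp-settings.php" ]; then
        echo "refusing: $parent looks like another WordPress root" >&2
        return 1
    fi
    if [ -f "$docroot/wp-config.php" ]; then
        mv "$docroot/wp-config.php" "$parent/wp-config.php"
    fi
    chmod 440 "$parent/wp-config.php"
    wpconfig_mode_ok "$parent/wp-config.php"
}
```

Run `harden_wp_config /var/www/html` (or whatever your document root is) as the file owner; afterwards `wpconfig_mode_ok /var/www/wp-config.php` can be used in a cron job or deployment check to catch a permission regression. Note that 440 only helps if the web server process is not the owner or group that can still write the file, and that none of this protects you from someone who already has shell or FTP access as that user, which is the point made in Method 3 and Method 5.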

Method 3

Unless someone has access via FTP, you don’t need to worry about this. PHP is rendered on the server before it hits the user’s browser.

Method 4

Here’s another tip: protect wp-config.php (and any other sensitive files) with .htaccess

Add the following to an .htaccess file in your site’s directory where all other WordPress files are located:

<Files wp-config.php>
# Apache 2.2 directives (still accepted on 2.4 when mod_access_compat is loaded)
order allow,deny
deny from all
# Apache 2.4 equivalent of the two lines above: Require all denied
</Files>

from How to harden your WordPress installation

Method 5

If somebody has access to read the contents of your PHP files, you’ve already been hacked.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
