Your configuration file contains your database username and password, so it’s important to keep this file secure. If you are installing WordPress in your web root directory (such as public_html), you can move your wp-config.php file to the parent directory — one that isn’t readable from a browser — without changing any settings. WordPress will automatically recognize the file’s new location.
Find all the WordPress Hidden Gems in [link id=”2675″]Beginning WordPress 3[/link].
Andrew Nacin says
September 27, 2010 at 6:22 pmThis is a helpful tip, and I really enjoy this series.
Sometimes, some people ask why we don’t support it being two or more directories up, for installs in a subdirectory of
public_html. The reason is this isn’t actually designed for security (even though it can certainly be used for that), but rather for SVN externals. Ideally, you’d block access to the file via Apache for that extra security.
steph says
September 28, 2010 at 1:22 pmThank you! I really appreciate all your comments.
I hadn’t thought about SVN externals, but that makes perfect sense. I think Josiah Cole’s list of
.htaccessmodifications includes the line that secureswp-config.php, among many other useful things.
teamsiems says
September 28, 2010 at 8:10 amWhat about multiple WP installs in multiple sub-domains where main is …/public_html/ and subs are …/public_html/sub/ You can’t move the sub’s wp-config up one level and you can’t have multiple wp-config files sitting in root.
I think that’s where Andrew’s idea is required.
steph says
September 28, 2010 at 1:23 pmYes, in that case you’d have to use the
.htaccessmethod instead.
Shelley says
October 1, 2010 at 4:21 pmOf course if you’re going to do that you might as well activate the network with subdirectories and make life MUCH easier all the way around, yes?