Don’t Move wp-config.php Outside the Document Root

Most WordPress security guides recommend moving wp-config.php outside of the Apache document root in order to prevent the database password being exposed if the PHP engine fails to parse the file, or from being readable to infected scripts running in the domain.

Despite the conventional wisdom, though, this technique doesn’t solve those problems, and can actually create new problems if not done carefully. Moving it outside the document root requires expanding the open_basedir scope, which could allow attackers to access logs, backups and other sensitive data.

There’s nothing you can do to prevent malicious scripts from reading the file, because WordPress itself requires read access to it. You can block HTTP requests with Apache directives, though. That gives you the benefits that moving wp-config.php is supposed to, but without the nasty side-effects.

The WPSE thread linked to above now has a compelling argument in favor of moving wp-config. Read both sides and decide for yourself.

Leave a Reply

Your email address will not be published. Required fields are marked *