Skip to content

How to move WP Config file to secure your site? Is it beneficial?

  • by
  • 3 min read

The Wordpress platform powers hundreds of thousands of sites across the internet. It’s easy to use and gives the everyday user a drag-and-drop interface to build really powerful sites that can do anything from showing off a portfolio to running an entire e-commerce store. However, security has always been a bit of an issue. 

In this article, we’re talking about how you can move the wp-config.php file to any other folder to secure your site and whether or not doing so is actually beneficial. 

Also read: How to fix SSL_error_handshake_failure_alert?

How to move the wp-config.php file?

If your wp-config file is placed in the website’s root directory, a third party can access the file or at the very least, ping it by using adding “/wp-config.php” to the site URL. One of the simplest ways to avoid this is to move the file to a different directory. 

How to change theme in Wordpress? Candid.Technology

If you’ve moved the file one directly above your Wordpress installation, that is, inside a folder in the site’s root directly, you don’t need to worry about anything as Wordpress will automatically look for the file one directory above. However, if you want to move the file someplace else, you’re going to have to modify the default wp-config file to redirect to the actual file. 

You can do this by replacing all the code in the default wp-config file with the snippet given below. 


/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Location of your WordPress configuration. */
require_once(ABSPATH . '../phpdocs/wp-config.php');

Of course, make sure to replace the file path in the aforementioned snippet with the actual file path of your wp-config file. Once you’ve done that, you’re good to go regardless of where your configuration file is saved. 

Does moving wp-config to another directory matter?

The short answer is yes, it does. Moving the wp-config file to another directory makes it difficult for a threat actor or external party to locate the file and hence read its contents. Since the file contains your main Wordpress database credentials, you should be very careful with who gets to access the file. 

Even if the wp-config file is placed behind permissions, there’s a good chance that an update or any other routine maintenance operation can reset your configuration to its default values, potentially exposing the file. Moving the wp-config file to another directory altogether prevents this from happening. 

Also read: Animated GIF not working in WordPress: Quick Fix

Yadullah Abidi

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: