Byte & Beak Talk Hosting #79: How to Secure wp-config and .htaccess for WordPress Hosting
Beak leaves them open. Byte locks down sensitive files.
Scene Opener:
Beak: “Byte, I was exploring my WordPress files and saw something called wp-config.php. I poked it a bit… now I can’t access my site. Also, I may have renamed .htaccess to .htaccess-BEAK-EDIT…”
Byte: “GASP You just exposed your database login credentials and broke your server routing logic… at the same time.”
Beak: “I’m securing my site with curiosity!”
Byte: “You’re securing it like a squirrel secures a power station. Let me teach you how to lock down wp-config.php and .htaccess before Google lists your database password in search results.”
What Are wp-config.php and .htaccess?
These two files are the vault and the gatekeeper of your WordPress website:
- wp-config.php holds your database credentials, secret keys, and site configuration.
- .htaccess controls URL rewrites, access permissions, and server behavior (especially on Apache-based hosts).
If either file is exposed, hacked, or misconfigured, it’s like leaving your front door open with your bank PIN on a sticky note.
Why It Matters
Here’s why you must secure these files ASAP:
Protect Database Access
Your wp-config.php file contains the database credentials plus the authentication keys and salts: the keys to your WordPress kingdom.
Prevent Code Injection
If an attacker can write to .htaccess (through a vulnerable plugin or loose file permissions, for example), they can add malicious redirects, hide backdoors, or map a harmless-looking file extension to the PHP handler so that an uploaded file runs as code.
Stop Bots and Exploits
Automated scanners request paths like /wp-config.php and leftover copies such as wp-config.php.bak directly; blocking access hands them a 403 instead of your credentials.
Compliance and Trust
Keeping customer data secure is essential for GDPR, HIPAA, and just plain trustworthiness.
Byte’s Hosting Security Checklist
“Beak, before you rename anything, go through this checklist. No poking, just securing.”
1. Move wp-config.php One Level Above
Move wp-config.php out of your public_html root (if your host allows). For example:
/home/username/wp-config.php ← Safe
/home/username/public_html/wp-config.php ← Risky
WordPress looks for wp-config.php in its own directory first and then one level up, so it still finds the moved file, provided the parent directory is not itself another WordPress install (it must not contain a wp-settings.php). Two caveats: the move only helps if the parent directory is outside every web-served path (on some hosts the account’s home directory is the document root, and then nothing is gained), and the file must stay readable by the user PHP runs as.
2. Block Web Access to Sensitive Files
In your .htaccess, add:

```apache
<Files wp-config.php>
order allow,deny
deny from all
</Files>
```

Also block .htaccess itself:

```apache
<Files .htaccess>
order allow,deny
deny from all
</Files>
```

This returns 403 Forbidden to anyone who requests these files directly, so they can be neither downloaded nor read. Three caveats: the Order/Deny directives are Apache 2.2 syntax and only work on Apache 2.4 if mod_access_compat is loaded (the 2.4 equivalent is Require all denied); a <Files wp-config.php> rule does not match a leftover copy such as wp-config.php.bak, which the server would serve as plain text because it is no longer a .php file, so delete such copies rather than relying on the rule; and Nginx ignores .htaccess entirely, so there the block has to go in the server configuration.
3.
Backups Before Changes
Beak: “What if I break it again?”
Byte: “Then we use a backup like responsible nerds.”
Use your host’s backup system or a plugin like UpdraftPlus. Make full backups before editing core files.
4. Secure with File Permissions
Change file permissions using cPanel, FTP, or SSH:
- wp-config.php: 400 (owner read only) or 440 (owner and group read)
- .htaccess: 444 (read only for everyone)
Use 400 when PHP runs as the same user that owns the files (PHP-FPM pools or suPHP, as on most cPanel hosts); use 440 when PHP runs as a different user that belongs to the owner’s group, otherwise the site cannot read its own configuration. These modes stop other accounts on the server and a compromised plugin from modifying the files; they do not stop the web server from serving them, which is what the .htaccess rules in step 2 are for. Note that WordPress rewrites .htaccess itself when you change permalink settings, so temporarily relax 444 before doing that.
5. Test for Errors Immediately
Don’t wait for visitors to tell you your site’s broken. After each change:
- Refresh your homepage
- Try logging in
- Check pretty permalinks
- Test form submissions
- Request /wp-config.php and /.htaccess directly in a browser or with curl -I: both should return 403, never their contents
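The checklist above, carried out in the safe order (backup, move, block, permissions) and then verified, as a script. This is an added example, not code from the page, from WordPress or from any host; the function names, the byte-hardening marker comment and the backup directory are assumptions, and the wp-config.php it is run against in the usage note would be a constructed stub. It assumes the document root is served by Apache with AllowOverride enabled, that the parent directory is not web-served, and that PHP runs as the user who owns the files (so mode 400 works). It goes a little beyond the page’s rules by matching stray copies such as wp-config.php.bak and renamed .htaccess-* files, and by emitting both Apache 2.2 and 2.4 syntax.

```shell
#!/usr/bin/env bash
# Added example (not from the page or WordPress): applies steps 1 to 4 of the
# checklist to a WordPress document root and verifies the end state.
# Assumptions:
#   - DOCROOT is the directory Apache serves (e.g. /home/user/public_html) and
#     its parent directory is NOT inside any web-served path;
#   - PHP runs as the user that owns the files (PHP-FPM pool / suPHP), so
#     mode 400 on wp-config.php still lets the site read it;
#   - Apache honours .htaccess here (AllowOverride is enabled).
set -u

# Print a file's octal mode portably (GNU stat first, then BSD/macOS stat).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Step 3 comes first: copy both files aside before anything is changed.
backup_files() {
  local docroot="$1" dest="$2"
  mkdir -p "$dest" || return 1
  [ -f "$docroot/wp-config.php" ] && cp -p "$docroot/wp-config.php" "$dest/"
  [ -f "$docroot/.htaccess" ] && cp -p "$docroot/.htaccess" "$dest/"
  return 0
}

# Step 1: move wp-config.php into the parent directory. wp-load.php only falls
# back to the parent if that directory is not itself a WordPress install
# (no wp-settings.php there), so refuse in that case instead of breaking the site.
move_config_up() {
  local docroot="$1" parent
  parent=$(dirname "$docroot")
  if [ -e "$parent/wp-settings.php" ]; then
    echo "refusing: $parent is itself a WordPress install; WP would not look there" >&2
    return 1
  fi
  if [ -e "$parent/wp-config.php" ]; then
    echo "refusing: $parent/wp-config.php already exists" >&2
    return 1
  fi
  mv "$docroot/wp-config.php" "$parent/wp-config.php"
}

# Step 2: deny web access. The pattern also covers stray copies such as
# wp-config.php.bak (served as plain text, since it is no longer .php) and
# renamed .htaccess-* files. Apache 2.4 (Require) and 2.2 (Order/Deny) syntax
# are both emitted inside IfModule guards. A marker comment keeps it idempotent.
write_deny_rules() {
  local ht="$1/.htaccess"
  grep -q '# BEGIN byte-hardening' "$ht" 2>/dev/null && return 0
  cat >> "$ht" <<'EOF'
# BEGIN byte-hardening
<FilesMatch "^(wp-config\.php|\.ht)">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
# END byte-hardening
EOF
}

# Step 4: read-only modes (400 assumes PHP runs as the file owner).
set_modes() {
  local docroot="$1" parent
  parent=$(dirname "$docroot")
  chmod 400 "$parent/wp-config.php" && chmod 444 "$docroot/.htaccess"
}

# Runs the steps in the safe order: backup, move, rules, modes.
harden_wp() {
  local docroot="$1" backup_dir="$2"
  backup_files "$docroot" "$backup_dir" || return 1
  move_config_up "$docroot" || return 1
  write_deny_rules "$docroot" || return 1
  set_modes "$docroot"
}

# Step 5, the part that can be checked offline: verify the end state on disk.
# The live check (curl -sI https://example.com/wp-config.php returning 403)
# still has to be run against the web server itself.
check_hardening() {
  local docroot="$1" parent
  parent=$(dirname "$docroot")
  [ ! -e "$docroot/wp-config.php" ] || { echo "wp-config.php still in docroot"; return 1; }
  [ -f "$parent/wp-config.php" ]    || { echo "wp-config.php missing from $parent"; return 1; }
  [ "$(file_mode "$parent/wp-config.php")" = 400 ] || { echo "wp-config.php mode is not 400"; return 1; }
  [ "$(file_mode "$docroot/.htaccess")" = 444 ]    || { echo ".htaccess mode is not 444"; return 1; }
  grep -q 'Require all denied' "$docroot/.htaccess" || { echo "deny rules missing"; return 1; }
  # Any leftover editor/backup copy in the docroot would be served as text.
  ! ls "$docroot"/wp-config.php* >/dev/null 2>&1 || { echo "stray wp-config copies in docroot"; return 1; }
  echo "hardening verified"
}
```

Usage on a real host: harden_wp /home/username/public_html /home/username/wp-hardening-backup, then check_hardening /home/username/public_html, and finish with the live step 5 checks (homepage, login, permalinks, and a direct request for /wp-config.php returning 403), since the script cannot see the running server. The refusal in move_config_up is the check people skip: if the parent directory is a WordPress install of its own, WordPress will not look there and the site goes down exactly the way Beak’s did.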
Real-Life Example: The Curious Case of Beak’s Broken Redirects
Beak: “One time, I added a redirect to .htaccess like this…”

```apache
Redirect /old-page.html https://mynewsite.com/new-page/
```
“…but suddenly my site redirected everything to that new page! Even the admin login!”
Byte: “Classic unscoped redirect. That’s why you test in a staging environment first.”
Beak: “I did. I tested it… live.”
Hosting That Helps Secure Your WordPress Files
Many shared hosts don’t secure wp-config.php by default or let you move it. Byte recommends these security-first hosts:
Use Ultahost
Offers auto-secured configs and permissions locked out-of-the-box.
Try Unihost
SSH access, mod_security firewall, and easy .htaccess editor.
Use Verpex Hosting
Includes daily malware scans and hardened Apache config.
Byte’s Takeaways
“Let’s summarize for Beak’s brain…”
- Move wp-config.php one level up (if supported)
- Block public access in .htaccess
- Use read-only permissions (400/444)
- Never test live — use staging
- Back up before you edit
- Don’t rename core files unless you’re Byte or Batman
Beak’s Final Hoot
“Byte, I now have .htaccess, .htaccess-secure, .htaccess-v2, and .htaccess-do-not-touch.”
“You’ve got a security system made of file name spaghetti.”
“But at least I didn’t rename wp-config.php to wp-confused.php this time!”
Next Up: Byte & Beak Talk Hosting #80: How to Set Up Google Analytics on Your Hosted Site
Beak wants to count visitors. Byte installs tracking the right way.