Byte & 🦉 Beak Talk Hosting #79: How to Secure wp-config and .htaccess for WordPress Hosting
Beak leaves them open. Byte locks down sensitive files.
🎬 Scene Opener:
🦉 Beak: “Byte, I was exploring my WordPress files and saw something called wp-config.php. I poked it a bit… now I can’t access my site. Also, I may have renamed .htaccess to .htaccess-BEAK-EDIT…”
👨💻 Byte: “GASP You just exposed your database login credentials and broke your server routing logic… at the same time.”
🦉 Beak: “I’m securing my site with curiosity!”
👨💻 Byte: “You’re securing it like a squirrel secures a power station. Let me teach you how to lock down wp-config.php and .htaccess before Google lists your database password in search results.”
🧠 What Are wp-config.php and .htaccess?
These two files are the vault and the gatekeeper of your WordPress website:
- wp-config.php holds your database credentials, secret keys (salts), and site configuration.
- .htaccess controls URL rewrites, access permissions, and server behavior (especially on Apache-based hosts).
🔐 If either file is exposed, hacked, or misconfigured, it’s like leaving your front door open with your bank PIN on a sticky note.
🚨 Why It Matters
Here’s why you must secure these files ASAP:
✅ Protect Database Access
Your wp-config.php file contains the keys to your WordPress kingdom.
✅ Prevent Code Injection
Poorly secured .htaccess files can allow malicious redirects, backdoors, or even remote code execution.
✅ Stop Bots and Exploits
Securing these files can prevent automated scanners from probing your site’s structure or vulnerabilities.
✅ Compliance and Trust
Keeping customer data secure is essential for GDPR, HIPAA, and just plain trustworthiness.
🧰 Byte’s Hosting Security Checklist
👨💻 “Beak, before you rename anything, go through this checklist. No poking, just securing.”
1. 🗄️ Move wp-config.php One Level Above
✅ Move wp-config.php out of your public_html root (if your host allows).
For example:
- /home/username/wp-config.php ← Safe
- /home/username/public_html/wp-config.php ← Risky
WordPress will still find it if moved one level above: when no wp-config.php exists in the site root, it checks the parent directory, provided that directory does not also contain a wp-settings.php (so a separate WordPress install one level up is not mistaken for your config location).
2. 🧱 Block Web Access to Sensitive Files
In your .htaccess, add:

```apache
<Files wp-config.php>
order allow,deny
deny from all
</Files>
```

Also block .htaccess itself:

```apache
<Files .htaccess>
order allow,deny
deny from all
</Files>
```

🔒 This prevents hackers from downloading or reading these files directly. The order/deny directives are Apache 2.2 syntax; on Apache 2.4 they only work if mod_access_compat is loaded, and the native equivalent inside the same <Files> block is `Require all denied`. A stock Apache configuration already refuses to serve any file beginning with .ht, so the second block makes that protection explicit rather than adding something new.
3. 🔁 Backups Before Changes
🦉 Beak: “What if I break it again?”
👨💻 Byte: “Then we use a backup like responsible nerds.”
Use your host’s backup system or a plugin like UpdraftPlus. Make full backups before editing core files.
4. 🛡️ Secure with File Permissions
Change file permissions using cPanel, FTP, or SSH:
- wp-config.php — 400 or 440
- .htaccess — 444
This ensures these files are readable by the server but not writable by others.
5. 🧪 Test for Errors Immediately
Don’t wait for visitors to tell you your site’s broken. After each change:
- Refresh your homepage
- Try logging in
- Check pretty permalinks
- Test form submissions
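The checklist above as a script: this added example (not from the original post) applies steps 2, 3 and 4 to a WordPress web root and then audits the result in the spirit of step 5. It assumes a Linux host with GNU stat, and the tree it runs against is a constructed temp directory, not a real site; the .htaccess block it writes carries both the Apache 2.2 directives shown above and the Apache 2.4 `Require` form so it works on either version.

```shell
# Added example, not from the original post. Applies checklist steps 2-4 to a
# WordPress web root ($1) and audits the result. Assumes Linux (GNU stat).
set -eu
# Step 2 + step 3: back up .htaccess, then append the deny block once (idempotent).
# <IfModule> carries both the Apache 2.2 syntax in the post and the 2.4 form.
harden_htaccess() {
  ht="$1/.htaccess"
  [ -f "$ht" ] || : > "$ht"
  cp -fp "$ht" "$ht.bak"
  grep -q '# byte-hardening' "$ht" || cat >> "$ht" <<'EOF'
# byte-hardening: never serve the config file or this file over HTTP
<FilesMatch "^(wp-config\.php|\.htaccess)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}
# Step 4: owner read-only for the secrets file, read-only for everyone on .htaccess.
harden_perms() {
  chmod 400 "$1/wp-config.php"
  chmod 444 "$1/.htaccess"
}
# Step 5 style check: returns 0 only if both modes and the deny block are in place,
# otherwise prints each problem and returns 1.
audit_wp_files() {
  ok=0
  for spec in 'wp-config.php:400:440' '.htaccess:444:444'; do
    f=${spec%%:*}; rest=${spec#*:}; want=${rest%%:*}; alt=${rest#*:}
    mode=$(stat -c %a "$1/$f")
    [ "$mode" = "$want" ] || [ "$mode" = "$alt" ] || { echo "$f is mode $mode, want $want"; ok=1; }
  done
  grep -q '# byte-hardening' "$1/.htaccess" || { echo ".htaccess lacks the deny block"; ok=1; }
  return $ok
}
# Constructed demo tree (not a real site) so the script runs offline.
demo=$(mktemp -d)
printf "<?php define('DB_PASSWORD', 'example-only');\n" > "$demo/wp-config.php"
printf 'RewriteEngine On\n' > "$demo/.htaccess"
audit_wp_files "$demo" || echo "before hardening: problems listed above"
harden_htaccess "$demo"; harden_perms "$demo"
audit_wp_files "$demo" && echo "after hardening: OK"
```

On a real site, pass the web root instead of the temp directory and still take the full backup from step 3 first; the script only backs up .htaccess.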
💡 Real-Life Example: The Curious Case of Beak’s Broken Redirects
🦉 Beak: “One time, I added a redirect to .htaccess like this…”

```apache
Redirect /old-page.html https://mynewsite.com/new-page/
```
🦉 “…but suddenly my site redirected everything to that new page! Even the admin login!”
👨💻 Byte: “Classic unscoped redirect. That’s why you test in a staging environment first.”
🦉 Beak: “I did. I tested it… live.”
🚀 Hosting That Helps Secure Your WordPress Files
🧩 Many shared hosts don’t secure wp-config.php by default or let you move it. Byte recommends these security-first hosts:
🔗 Use Ultahost
Offers auto-secured configs and permissions locked out-of-the-box.
🔗 Try Unihost
SSH access, mod_security firewall, and an easy .htaccess editor.
🔗 Use Verpex Hosting
Includes daily malware scans and hardened Apache config.
🔍 Byte’s Takeaways
👨💻 “Let’s summarize for Beak’s brain…”
✅ Move wp-config.php one level up (if supported)
✅ Block public access in .htaccess
✅ Use read-only permissions (400/444)
✅ Never test live — use staging
✅ Back up before you edit
✅ Don’t rename core files unless you’re Byte or Batman
🦉 Beak’s Final Hoot
🦉 “Byte, I now have .htaccess, .htaccess-secure, .htaccess-v2, and .htaccess-do-not-touch.”
👨💻 “You’ve got a security system made of file name spaghetti.”
🦉 “But at least I didn’t rename wp-config.php to wp-confused.php this time!”
➡️ Next Up: Byte & 🦉 Beak Talk Hosting #80: How to Set Up Google Analytics on Your Hosted Site
Beak wants to count visitors. Byte installs tracking the right way.