How to Hide wp-config on a WordPress Site

The WordPress wp-config.php file contains very sensitive information about your WordPress installation. To keep this information safe, we will teach you how to hide it.

Updated: 14 Dec, 21 by linda Y 4 Min

List of content you will read in this article:

The majority of the internet’s sites are hosted using WordPress, which is already quite an efficient and secure platform, however, there are still some steps that are recommended for users to take to further improve a WordPress site’s security. Today’s spotlight is shining on the wp-config.php file and the sensitive data stored in it. We will explain what this file is for and how to hide it from your main installation folder. Let’s dive straight into it.


While building and managing a WordPress site might be easy for the end-user thanks to its intuitive menus, there is a lot of code being written into its core files under the hood. One such core WordPress file is wp-config.php. It contains information about the database of the site, including host, name, username, and password. This information is used to allow the website to communicate with the database, making storage and retrieval of data possible.

Seeing that it contains all these sensitive details about the site’s database; it can be hypothesized that having a malicious actor get access to this file is a recipe for disaster, especially if you have an online service that stores users’ confidential data in its database. Here’s an example of information can be found in the wp-config.php file:

// ** MySQL settings - You can get this info from your web host ** //

/** The name of the database for WordPress */

define('DB_NAME', ‘website_database’);

/** MySQL database username */

define('DB_USER', ‘admin’);

/** MySQL database password */

define('DB_PASSWORD', ‘DBadmin_password’);

/** MySQL hostname */

define('DB_HOST', 'localhost');

As you can see, this type of information is seriously not something you want others to have access to. Therefore, it is a good cybersecurity practice to hide the wp-config.php file.


Protecting the WordPress wp-config.php file is another way to beef up your WordPress security. The WordPress wp-config.php file contains very sensitive information about your WordPress installation, such as the WordPress security keys and the WordPress database connection details. You certainly do not want the content of this file to fall into the wrong hands, so WordPress wp-config.php security is definitely something you should take seriously.


Typically wp-config.php is placed in the core WP folder along with other standard files like wp-settings.php, wp-login.php etc. WordPress also supports a more secure option, wherein the wp-config.php can reside on the folder outside your WordPress installation. For example, if your WordPress is installed in the folder `/public_html/` folder, instead of having the file being present as `/public_html/wp-config.php`, you should store it as /wp-config.php. WordPress will intelligently pick up the configuration from this instead.

 Put simply, WordPress allows you to move the wp-config.php file out of the public_html directory and still work as intended.


In the light of recent data breaches caused by weak cybersecurity practices, it is now more important than ever to implement proper IT security measures. If you are hosting a WordPress site, there are certain steps that you need to take to improve its security, especially if you are storing sensitive information about its users. Today we explained what is wp-config.php file, the importance of hiding it, as well as how to do so. If you have any questions or suggestions, please leave them in the comment section below.

linda Y

linda Y

My name is Linda, I have Master degree in Information Technology Engineering. I have some experiences in working with Windows and Linux VPS and I have been working for 2 years on Virtualization and Hosting.