Moving wp-config.php from the WordPress Root

A common security practice is moving the wp-config.php file, which holds the WordPress database configuration, out of the WordPress root. Moving it up one directory seems to be the most common approach. However, there are arguments for and against doing this.

Let’s assume that you have a single installation of WordPress located in the following directory.

/home/WordPress/public_html

As of WordPress version 2.6, WordPress does support loading the database configuration file from one directory above the root. This can be seen in the following snippet from wp-load.php.

if ( file_exists( ABSPATH . 'wp-config.php') ) {
    /** The config file resides in ABSPATH */
    require_once( ABSPATH . 'wp-config.php' );

} elseif ( @file_exists( dirname( ABSPATH ) . '/wp-config.php' ) && ! @file_exists( dirname( ABSPATH ) . '/wp-settings.php' ) ) {
    /** The config file resides one level above ABSPATH but is not part of another installation */
    /** Note the @: a file_exists() that open_basedir blocks returns false silently, so this branch is skipped */
    require_once( dirname( ABSPATH ) . '/wp-config.php' );

} else {
    /** No config file in either location; the rest of wp-load.php (omitted here) sends the visitor to the setup page */
}

Now if you were to follow the security measure of moving the wp-config.php up a directory, into /home/WordPress, you might come across a few problems.

Firstly, if your open_basedir PHP configuration directive is set to allow only files under /home/WordPress/public_html and a /tmp directory, you’ll probably get redirected to the WordPress installation page. PHP refuses any file access outside those directories, so the @file_exists() check in the snippet above returns false, the wp-config.php one level up is never found, and WordPress behaves as if it had not been configured.

You might tweak the open_basedir configuration directive to include the directory above. This would mean that the wp-config.php file is included by WordPress and you won’t be redirected to the installation page.

However, allowing PHP to read from the whole of /home/WordPress means that anything else stored there, such as server logs and backup files, becomes reachable through a path traversal or file inclusion bug in any plugin or theme, removing the protection open_basedir was giving you.

A solution to this would be to create another directory within /home/WordPress that contains the wp-config.php file, and only include that directory in the open_basedir configuration rather than the whole of /home/WordPress.

Your open_basedir value might then look like the below.

open_basedir = "/home/WordPress/public_html/;/home/WordPress/[wp_config_directory]/;/tmp/"
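A worked version of that layout, added here as an example and not taken from the post or from WordPress. One caveat the post glosses over: the wp-load.php snippet above only looks in ABSPATH and its parent, never in a sibling directory, so a small stub must stay in the web root and require the relocated file. The directory name wp-private stands in for [wp_config_directory] and is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post or WordPress core). Layout from the
# post: $ROOT/public_html is the WordPress root, $ROOT/<cfgdir> holds the real
# wp-config.php, and a stub in the web root loads it.

# setup_config_dir ROOT CFGDIR_NAME
# Moves ROOT/public_html/wp-config.php into ROOT/CFGDIR_NAME/ and leaves a stub
# behind, because WordPress itself never searches a sibling directory.
setup_config_dir() {
    root="$1"; cfg="$root/$2"
    real="$cfg/wp-config.php"; stub="$root/public_html/wp-config.php"
    [ -f "$stub" ] || { echo "no wp-config.php in $root/public_html" >&2; return 1; }
    mkdir -p "$cfg"
    mv "$stub" "$real"
    # Stub: the single line WordPress needs (paths with quotes are not handled).
    printf '%s\n' '<?php' "require_once '$real';" > "$stub"
    chmod 0750 "$cfg"            # owner plus web-server group only
    chmod 0640 "$real" "$stub"   # never world-readable
    return 0
}

# open_basedir_line ROOT CFGDIR_NAME: prints the php.ini value from the post,
# covering the web root, the config directory and /tmp, nothing else.
open_basedir_line() {
    printf 'open_basedir = "%s/public_html/;%s/%s/;/tmp/"\n' "$1" "$1" "$2"
}

# basedir_allows VALUE PATH: returns 0 when PATH lies under one of VALUE's
# entries. Models PHP's prefix matching only (PHP also resolves symlinks);
# accepts ':' or ';' as the entry separator.
basedir_allows() {
    value=$(printf '%s' "$1" | tr ':' ';')
    old_ifs=$IFS; IFS=';'
    for d in $value; do
        case "$2" in "$d"*) IFS=$old_ifs; return 0 ;; esac
    done
    IFS=$old_ifs; return 1
}
```

On Linux PHP separates open_basedir entries with ':' rather than the ';' shown in the post, which is the Windows separator; the checker above accepts both so the post's value can be tested as written.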

There is another argument for not moving wp-config.php. The file, whilst containing sensitive database credentials, authentication keys and salts, doesn’t actually print out any information if you access it in a browser, because the server executes it as PHP and it produces no output. So should you accidentally expose the file to the public, they wouldn’t be able to obtain any information from it.

The counter argument to this is that there are rare occasions where, if there is a bug in the server software used to host the WordPress website, or PHP is accidentally disabled, the server serves wp-config.php as plain text and its contents are very much exposed to the world. How often does this happen? It’s probably uncommon, but there have been documented scenarios of this occurring.

There are very good arguments for and against moving wp-config.php from the WordPress root. By weighing up the points described in this post and on the web, you’ll probably come to the decision that’s right for you.

Note: This article is based on WordPress version 4.9.4.