
Securing The Wp-Config File To Prevent Your Wordpress Blog From Getting Hacked


If your blog is hosted on WordPress then it is more vulnerable than blogs on other platforms. The reason is that WordPress security is very low by default and can be compromised easily. Before writing this post I did a little searching on the web for "WordPress security" and found some foolish tips out there that would not help you in any way, so I decided to write a post of my own. Many WordPress admins use plugins such as Login LockDown, along with many other plugins, to prevent brute force attacks on WordPress. The problem is that nowadays a hacker will not use a brute force or dictionary attack to hack a WordPress blog, because nowadays almost everyone has a password of more than 8 characters, and even if someone does have a weak password, brute force and dictionary attacks will be blocked automatically by your web server, as web servers have IDS and IPS configured to block these kinds of requests automatically.

Phishing attacks are also not very common against WordPress blogs, and I have seen very rare cases in which WordPress users have fallen for phishing attacks, because almost every time a WordPress user logs into the dashboard by manually adding wp-admin to the end of the URL. It is possible for WordPress users to be targeted by phishing attacks, but bloggers are already a bit tech savvy and won't fall for these types of attacks. On the other hand, if the hacker is smarter and can carry out more advanced types of phishing such as desktop phishing, tabnabbing or DNS spoofing, then there is a chance that the WordPress user will fall for them.

So How Do Hackers Hack Into Wordpress Blogs?

Most skilled hackers will target your wp-config.php, as it sits in an insecure place by default. wp-config.php is the most important file on your WordPress blog: it holds very sensitive information, including your database credentials, table prefix and secret keys. So in order to protect your WordPress blog from getting hacked you need to harden your wp-config file. Here is how a wp-config file looks inside; as you can see, it contains very sensitive information.





Protecting The Wp-Config File With .htaccess

The first step you should take right away is to add the following lines to your .htaccess file; this is the first step in hardening your WordPress install.
# protect wp-config.php from being served by Apache (2.2 Order/Deny syntax)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Changing The File Permissions

Last week I came across a WordPress blog whose wp-config file permissions were set to readable; all the hacker needed to do was upload a MySQL database and use it to access the victim's WordPress blog. So the bottom line is that the permissions should not be set to readable; they should be set to something like "400".


Security Keys


Security keys were added in WordPress 2.6 to ensure better encryption of the information stored in the user's cookies. A secret key also makes it harder to crack your passwords if somehow the hacker gets hold of your WordPress password hash. You can get your secret keys from the WordPress secret-key generator; all you need to do is add these secret keys to your wp-config file.
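The three hardening steps above (the .htaccess deny block, the 400 file mode and the security keys) can be checked in one go. The following audit script is an added example, not code from the original post; it assumes the WordPress document root is passed as its first argument and builds its own constructed sample root for an offline trial.

```shell
#!/bin/sh
# Added audit script (not from the original post): checks the wp-config.php
# hardening steps described above. Assumption: document root is the argument.
# 0 if wp-config.php is owner read-only (mode 400) as the post recommends.
check_perms() {
    f="$1/wp-config.php"
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    [ "$mode" = "400" ]
}
# 0 if .htaccess has a <Files wp-config.php> block denying web access
# (Apache 2.2 "deny from all" or the Apache 2.4 "Require all denied" form).
check_htaccess() {
    h="$1/.htaccess"
    grep -qi '<files wp-config.php>' "$h" 2>/dev/null &&
        grep -qiE 'deny from all|require all denied' "$h"
}
# 0 if all eight security keys/salts are defined and none still holds
# the stock "put your unique phrase here" placeholder.
check_keys() {
    f="$1/wp-config.php"
    n=$(grep -cE "define\( *'(AUTH|SECURE_AUTH|LOGGED_IN|NONCE)_(KEY|SALT)'" "$f" 2>/dev/null)
    [ "${n:-0}" -eq 8 ] && ! grep -q 'put your unique phrase here' "$f"
}
# Runs every check, prints PASS/FAIL per check, returns number of failures.
audit_wp_root() {
    failed=0
    for c in check_perms check_htaccess check_keys; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; failed=$((failed + 1)); fi
    done
    return "$failed"
}
# Builds a constructed sample root (temp dir) hardened the way the post
# describes, so the audit can be tried offline; prints the directory path.
make_sample_root() {
    d=$(mktemp -d)
    printf '# protect wp-config.php\n<Files wp-config.php>\norder allow,deny\ndeny from all\n</Files>\n' > "$d/.htaccess"
    {
        echo "<?php"
        for k in AUTH SECURE_AUTH LOGGED_IN NONCE; do
            echo "define('${k}_KEY', 'constructed-random-key-$k');"
            echo "define('${k}_SALT', 'constructed-random-salt-$k');"
        done
    } > "$d/wp-config.php"
    chmod 400 "$d/wp-config.php"
    echo "$d"
}
# Usage: sh wp-config-audit.sh /var/www/html   (exit status = failed checks)
if [ $# -gt 0 ]; then audit_wp_root "$1"; fi
```

The exit status is the number of failed checks, so the script can be dropped into a cron job or deployment pipeline and treated as a gate.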


Moving Your Wp-Config File

By default wp-config.php is located in the root folder. WordPress themselves recommend that users move their wp-config file somewhere else, such as outside the web root folder; this will prevent the symlink bypassing attack to some extent.

Moving To VPS Or Dedicated Host To Prevent Symlink Bypassing Attack



If your WordPress blog is on a shared host then it is a lot more vulnerable to the symlink bypassing attack than it would be on a VPS or dedicated server. If your blog is quite established and you can afford to move to VPS or dedicated hosting, then I would recommend moving right away.

I hope you liked my post on WordPress security. If you are looking for more ways to protect your WordPress blog, I would recommend reading the following post:



4 comments:

R15 on July 18, 2011 at 12:57 AM said...

Hi Rafay, nice post. Please tell us how to change templates of the WordPress blog. Thanks

majbuddin on July 19, 2011 at 5:35 AM said...

Hi Rafay!! It's nice to know about you. Most of the things I already know. I liked your other posts more, but I'm writing a comment here, as I know you will be notified by email whenever I give a comment. I'm nothing and neither would I like to introduce myself here; will you mail me at sukhoi2010jet@gmail.com?
Expecting your mail in my inbox. There I will discuss.

woyzer on December 27, 2012 at 8:53 AM said...

Hi Rafay.
I already changed my blog's wp-config file permissions to 400, then I also changed my cPanel password, but after I made the change I cannot open/browse my blog. I tried to ping my blog URL, and the ping result is Request timed out. I don't really know what happened with my blog. My blog URL is www . palagga . org.
Thanks Rafay

woyzer on December 27, 2012 at 8:57 AM said...
This comment has been removed by the author.

RHA © 2013. All Rights Reserved.