Securing wp-config.php

There is a clear case for moving the file out of the public directory: see the following Stack Exchange thread.

Just move wp-config.php one level up, outside the public directory. WordPress will look for it there automatically, and you're all set.

If you have installed several WordPress sites in different subdomains, this option might not work for you. In that case, follow the instructions below, taken directly from the aforementioned Stack Exchange thread:

How to move wp-config.php to any location on your server

WordPress will automatically look one directory above your WordPress installation for your wp-config.php file, so if that’s where you’ve moved it, you’re done!

But what if you’ve moved it somewhere else? Easy. Create a new wp-config.php in the WordPress directory with the following code:


<?php
/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');

/** Location of your WordPress configuration. */
require_once(ABSPATH . '../phpdocs/wp-config.php');

(Be sure to change the above path to the actual path of your relocated wp-config.php file.)

If you run into a problem with open_basedir, just add the new path to the open_basedir directive in your PHP configuration:

open_basedir = "/var/www/vhosts/:/var/www/vhosts/:/tmp/"

That’s it!
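
To check the result of the relocation described above, here is an added example. It is not from the Stack Exchange thread or from WordPress. It confirms that the real file sits outside the document root, that no wp-config* file left in the document root still defines DB_PASSWORD, and that the file is not accessible to other users. The directory name public, the function names and the demo layout are assumptions made for the example.

```bash
#!/usr/bin/env bash
# Added example: audit a relocated wp-config.php. Directory names other than
# phpdocs are assumptions; the demo layout and its password are constructed.

# Canonical absolute path of a directory (symlinks resolved).
canon() { ( cd "$1" 2>/dev/null && pwd -P ); }

# check_wp_config DOCROOT CONFIG_FILE
# Prints one finding per line; returns 0 only when nothing failed.
check_wp_config() {
    local docroot cfgdir leftovers cfg="$2" rc=0
    docroot=$(canon "$1") || { echo "FAIL docroot not found: $1"; return 2; }
    [ -f "$cfg" ] || { echo "FAIL config not found: $cfg"; return 2; }
    cfgdir=$(canon "$(dirname "$cfg")")

    # 1. The real config must not sit at or below the web-served directory.
    case "$cfgdir/" in
        "$docroot"/*) echo "FAIL real config is inside the docroot"; rc=1 ;;
        *)            echo "OK   real config is outside the docroot" ;;
    esac

    # 2. No wp-config* file left in the docroot (the stub, editor backups,
    #    old copies) may still define the database password.
    leftovers=$(find "$docroot" -type f -name 'wp-config*' \
                    -exec grep -l 'DB_PASSWORD' {} + || true)
    if [ -n "$leftovers" ]; then
        echo "FAIL credentials still under the docroot: $leftovers"; rc=1
    fi
    # 3. The real config should not be readable or writable by "other".
    if [ -n "$(find "$cfg" -prune \( -perm -004 -o -perm -002 \))" ]; then
        echo "FAIL $cfg is accessible to other users (consider chmod 640)"; rc=1
    fi
    return "$rc"
}

# Constructed layout: stub in public/, real config in phpdocs/ next to it.
demo() {
    local d rc=0
    d=$(mktemp -d)
    mkdir -p "$d/public" "$d/phpdocs"
    printf "<?php\nrequire_once(ABSPATH . '../phpdocs/wp-config.php');\n" > "$d/public/wp-config.php"
    printf "<?php\ndefine('DB_PASSWORD', 'constructed');\n" > "$d/phpdocs/wp-config.php"
    chmod 640 "$d/phpdocs/wp-config.php"
    check_wp_config "$d/public" "$d/phpdocs/wp-config.php" || rc=$?
    rm -rf "$d"
    return "$rc"
}

if [ "$#" -eq 2 ]; then check_wp_config "$1" "$2"; else demo; fi
```

Run it with the document root and the relocated file as its two arguments; with no arguments it audits the constructed demo layout.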