- 1
Deny access to wp-config.php
Block direct web requests to it in .htaccess:
<Files wp-config.php> Require all denied </Files> - 2
Rotate your secret keys
If the file may have been exposed, generate new keys from the WordPress salt generator and replace the AUTH_KEY/SALT block in wp-config.php — this logs out all sessions.
- 3
Remove backups and dumps from the web root
Delete or move any .zip, .sql, .bak, or .env files that are publicly accessible. Store backups outside the document root.
- 4
Set correct file permissions
wp-config.php should be 640 or 600 — never world-readable.
chmod 640 wp-config.php
Is your site affected?
Run a free external scan — 36 checks, no login or plugin required.
More fix guides
Sanitize input, escape output, patch vulnerable plugins, and add a Content-Security-Policy.
Patch vulnerable plugins and use $wpdb->prepare() for every query with user input.
Block xmlrpc.php unless you need it — it enables brute-force amplification and pingback DDoS.
Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.