critical risk

How to Protect wp-config.php and Sensitive Files

wp-config.php holds your database credentials and secret keys — if it's readable, your whole site is compromised. Backups, .env files, and SQL dumps left in the web root are just as dangerous.

  1. 1

    Deny access to wp-config.php

    Block direct web requests to it in .htaccess:

    <Files wp-config.php>
      Require all denied
    </Files>
  2. 2

    Rotate your secret keys

    If the file may have been exposed, generate new keys from the WordPress salt generator and replace the AUTH_KEY/SALT block in wp-config.php — this logs out all sessions.

  3. 3

    Remove backups and dumps from the web root

    Delete or move any .zip, .sql, .bak, or .env files that are publicly accessible. Store backups outside the document root.

  4. 4

    Set correct file permissions

    wp-config.php should be 640 or 600 — never world-readable.

    chmod 640 wp-config.php

Is your site affected?

Run a free external scan — 36 checks, no login or plugin required.

Scan your site free

More fix guides