Is moving wp-config outside the web root really beneficial?

Short answer: yes

The answer to this question is yes and to say otherwise is probably irresponsible.

Long answer: a real-world example

Allow me to provide a very real example, from my very real server, where moving wp-config.php outside the web root specifically prevented its contents from being captured.

The bug:

Take a look at this description of a bug in Plesk (fixed in 11.0.9 MU#27):

Plesk resets subdomain forwarding after syncing subscription with hosting plan (117199)

Sounds harmless, right?

Well, here’s what I did to trigger this bug:

  1. Set up a subdomain to redirect to another URL (e.g. site.staging.server.com to site-staging.ssl.server.com).
  2. Changed the subscription’s service plan (e.g. its PHP configuration).

When I did this, Plesk reset the subdomain to defaults: serving the contents of ~/httpdocs/, with no interpreters (e.g. PHP) active.

And I didn’t notice. For weeks.

The result:

  • With wp-config.php in the web root, a request to /wp-config.php would have downloaded the WordPress configuration file.
  • With wp-config.php outside the web root, a request to /wp-config.php downloaded a completely harmless file. The real wp-config.php file could not be downloaded.

Thus, it’s obvious that moving wp-config.php outside the web root can have bona fide security benefits in the real world.

How to move wp-config.php to any location on your server

WordPress will automatically look one directory above your WordPress installation for your wp-config.php file, so if that’s where you’ve moved it, you’re done!

But what if you’ve moved it somewhere else? Easy. Create a new wp-config.php in the WordPress directory with the following code:

<?php

/** Absolute path to the WordPress directory. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . "https://wordpress.stackexchange.com/");

/** Location of your WordPress configuration. */
require_once(ABSPATH . '../phpdocs/wp-config.php');

(Be sure to change the above path to the actual path of your relocated wp-config.php file.)

If you run into a problem with open_basedir, just add the new path to the open_basedir directive in your PHP configuration:

open_basedir = "/var/www/vhosts/example.com/httpdocs/;/var/www/vhosts/example.com/phpdocs/;/tmp/"

That’s it!

Addressing arguments to the contrary

Every argument against moving wp-config.php outside the web root seems to hinge on false assumptions.

Argument 1: If PHP is disabled, they’re already in

The only way someone is going to see that contents of
[wp-config.php] is if they circumvent your servers PHP interpreter…
If that happens, you’re already in trouble: they have direct access to
your server.

FALSE: The scenario I describe above is the result of a misconfiguration, not an intrusion.

Argument 2: Accidentally disabling PHP is rare, and therefore insignificant

If an attacker has enough access to change the PHP handler, you’re
already screwed. Accidental changes are very rare in my experience,
and in that case it’d be easy to change the password.

FALSE: The scenario I describe above is the result of a bug in a common piece of server software, affecting a common server configuration. This is hardly “rare” (and besides, security means worrying about the rare scenario).

Changing the password after an intrusion hardly helps if sensitive information was picked up during the intrusion. Really, do we still think WordPress is only used for casual blogging, and that attackers are only interested in defacement? Let’s worry about protecting our server, not just restoring it after somebody gets in.

Argument 3: Denying access to wp-config.php is good enough

You can restrict access to the file via your virtual host config or
.htaccess – effectively limiting outside access to the file in the
same way that moving outside the document root would.

FALSE: Imagine your server defaults for a virtual host are: no PHP, no .htaccess, allow from all (hardly unusual in a production environment). If your configuration is somehow reset during a routine operation – like, say, a panel update – everything will revert to its default state, and you’re exposed.

If your security model fails when settings are accidentally reset to defaults, you probably need more security.

Why would anybody specifically recommend fewer layers of security? Expensive cars don’t just have locks; they also have alarms, immobilizers, and GPS trackers. If something’s worth protecting, do it right.

Argument 4: Unauthorized access to wp-config.php is no big deal

The database information is really the only sensitive stuff in
[wp-config.php].

FALSE: The authentication keys and salts can be used in any number of potential hijacking attacks.

Even if database credentials were the only thing in wp-config.php, you should be terrified of an attacker getting their hands on them.

Argument 5: Moving wp-config.php outside the web root actually makes a server less secure

You still have to let WordPress access [wp-config.php], so you need
to expand open_basedir to include the directory above the document
root.

FALSE: Assuming wp-config.php is in httpdocs/, just move it to ../phpdocs/, and set open_basedir to include only httpdocs/ and phpdocs/. For instance:

open_basedir = "/var/www/vhosts/example.com/httpdocs/;/var/www/vhosts/example.com/phpdocs/;/tmp/"

(Remember to always include /tmp/, or your user tmp/ directory, if you have one.)

Conclusion: configuration files should always always always be located outside the web root

If you care about security, you should move wp-config.php outside your web root.

Related Posts:

  1. Hide the fact a site is using WordPress?
  2. Best way to eliminate xmlrpc.php?
  3. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  4. Generate WordPress salt
  5. Prevent setup-config.php page from appearing when host blocks database
  6. Garbage in beginning of wp-config.php – was this WP installation compromised?
  7. WordPress Malware Problem help! [duplicate]
  8. How does the “authentication unique keys and salts” feature work?
  9. Securing wp-config leads to sensitive information leak on wp-settings
  10. Is there any point setting the keys and salts in wp-config.php?
  11. What’s the point of forbidding access to wp-config.php?
  12. Where to store OAuth 2.0 client id and secret?
  13. neccessary?
  14. Best practices to assert current_user_can() with guests
  15. Config file with no Keys..?
  16. White screen of death on admin pages after moving wp-config up two levels for security
  17. Storing FTP details in wp-config.php
  18. My Site keeps crashing due to the wp-confg file being deleted
  19. Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]
  20. How to change location of wp-config.php to folder or 2 folders up?
  21. Adding Security Keys?
  22. Remove hacked code – out of ideas! [closed]
  23. Secret keys in SCM
  24. WordPress Security tools
  25. wp-config.php moved above root results in no plugin updates
  26. wp-config.php file and code injection
  27. Malware/Permission bug removal?
  28. Default installation permissions for wp-config.php
  29. Move data from wp-config to another file
  30. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site? [closed]
  31. Why does the URL http://a/%%30%30 crash Google Chrome?
  32. When you use ‘badidea’ or ‘thisisunsafe’ to bypass a Chrome certificate/HSTS error, does it only apply for the current site?
  33. How to view PHP on live site
  34. Infected Files – what to do [closed]
  35. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  36. WordPress 4.7.1 REST API still exposing users
  37. Should I escape wordpress functions like the_title, the_excerpt, the_content
  38. When to use esc_html and when to use sanitize_text_field?
  39. Why does WordPress have more than one salt?
  40. What is the ideal setup to address security concerns?
  41. Will there be security updates for 3.1 once 3.2 is released?
  42. WordPress it’s cleaning a custom query_var to avoid sql injections?
  43. Tips for finding SPAM links injected into the_content
  44. Close a wordpress blog – keep site as it is but prevent hacks
  45. Is WordPress vulnerable to the httpoxy?
  46. wp.getUsersBlogs XMLRPC Brute Force Attack/Vulnerability
  47. WordPress and Security
  48. Is there a security risk giving someone temporary access to my blog’s code?
  49. Is /wp-login.php?redirect_to[] exploitable?
  50. How to properly sanitize/secure a WP Query coming from the front end
  51. brute force attack even though it is limited by IP
  52. How to move theme directory but not plugins/uploads out of WordPress root directory?
  53. How do I authenticate WP users from a chrome extension?
  54. Putting my site live
  55. How to use if condition to change $table_prefix in wp_config.php
  56. Registration Plugin – Recaptcha integration
  57. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  58. How to combat flooding admin-ajax.php?
  59. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  60. Changing Table Prefixes – once done, am I good to go going forward?
  61. How can I safely hide the fact that my website runs on WordPress? [closed]
  62. How can I display nickname instead username in links
  63. My WordPress Websites are always under attack
  64. Is there value in using a wp_nonce for POST requests?
  65. How to hide easy access to my website temporarily?
  66. Can I Remove xmlrpc.php completely?
  67. Are un-sanitized theme options more vulnerable to malicious scripts than the theme editor?
  68. Secure WordPress: Change admin
  69. Changing the default header name
  70. Is it safe to use a global wp nonce per user instead of a nonce per action?
  71. Wordfence detects change in wp-admin/includes/upgrade.php
  72. Any any insecure http:// URLs left in wordpress?
  73. Will there be security updates for WordPress 4.9.9
  74. Any known bugs that could cause disappearance of the wp_users table?
  75. On new server, site got hacked, permissions a bit strange? Please help
  76. 404/500 error on content images if Referer header is from another domain [closed]
  77. Restrict Access without Creating Users
  78. Switching between security plugins is a risk?
  79. How to obfuscate wp-config.php or code
  80. wordpress admin security
  81. Why do people use “admin” username by default? [closed]
  82. Are major WordPress updates mandatory for security?
  83. i moved wp-config.php outside of public html and this broke my website
  84. Is it safe to use the basic administration with reduced rights for private member space
  85. Verifying that I have fully removed a WordPress hack?
  86. Robots.txt file not updating
  87. How to have differents sites share the same tables of DB?
  88. How to Password Protect whole site except for some subdirectories
  89. wordpress security (only one part of the site)
  90. Folder Permissions + Security Concerns
  91. Could a user account with a stolen password compromised entire WP site?
  92. is this code properly secured
  93. Run a security scan on WordPress site that has .htaccess password [closed]
  94. How to get real password (before encrypt) when register a user?
  95. Our security auditor is an idiot. How do I give him the information he wants?
  96. I am under DDoS. What can I do?
  97. SSH keypair generation: RSA or DSA?
  98. How do I protect my company from my IT guy? [closed]
  99. Does changing default port number actually increase security? [closed]
  100. WordPress – tracking options

Leave a Comment