Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]

Move wp-config.php to its new location somewhere above “public_html” and add a new “skeleton” wp-config.ph in the WordPress directory e.g.

<?php
include('/dir_above_public_html/priv-applecom/wp-config.php');
?>

The wp-config.php script is included by other WordPress files. So to include this from a non default location we can simply 1. move our “real” wp-config from the WordPress directory to where we want it located. 2. create a new wp-config in the WordPress directory that does its own includes of the “real” wp-config script.

The benefits of having this file above public_html/web-root are hotly debated. I am in the camp that wants to avoid having scripts with authentication keys, salts & DB “credentials” in a directory that might be accessed via HTTP(S).

There are no real benefits in moving wp-config to another accessible dir (this may be the case for “abccom” where you have moved it to a dir “public_html” which usually indicates it is yes “public”.

Related Posts:

  1. Is moving wp-config outside the web root really beneficial?
  2. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  3. Generate WordPress salt
  4. Garbage in beginning of wp-config.php – was this WP installation compromised?
  5. How does the “authentication unique keys and salts” feature work?
  6. Securing wp-config leads to sensitive information leak on wp-settings
  7. Is there any point setting the keys and salts in wp-config.php?
  8. What’s the point of forbidding access to wp-config.php?
  9. Where to store OAuth 2.0 client id and secret?
  10. Config file with no Keys..?
  11. White screen of death on admin pages after moving wp-config up two levels for security
  12. Storing FTP details in wp-config.php
  13. My Site keeps crashing due to the wp-confg file being deleted
  14. How to change location of wp-config.php to folder or 2 folders up?
  15. Adding Security Keys?
  16. Remove hacked code – out of ideas! [closed]
  17. Secret keys in SCM
  18. wp-config.php moved above root results in no plugin updates
  19. wp-config.php file and code injection
  20. Malware/Permission bug removal?
  21. Default installation permissions for wp-config.php
  22. Move data from wp-config to another file
  23. what is a auth_user_file.txt?
  24. How to view PHP on live site
  25. Hide the fact a site is using WordPress?
  26. Verifying that I have fully removed a WordPress hack?
  27. Best way to eliminate xmlrpc.php?
  28. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  29. Are Nonces Useless?
  30. What could a hacker do with my wp-config.php
  31. What is the difference between esc_html filter vs attribute_escape filter?
  32. Which KSES should be used and when?
  33. How do WordPress Nonces Work?
  34. How can I easily verify a core or plugin update has not broken anything?
  35. Disable comment windows for all existing posts (pages/blogposts)
  36. Stop wordpress automatically escaping $_POST data
  37. how can i embed wordpress backend in iframe
  38. Handling nonces for actions from guests to logged-in users
  39. Can I force a password change?
  40. How brute-forcer knows that the password is cracked for target username?
  41. What is pclzip.lib.php file that wordfence think it’s a malicious code
  42. Can someone (Support of my themeprovider) get access to my server If I send them my admin login?
  43. How to disable XML-RPC from Linux command-line in a total way?
  44. How to remove javascript malware in wordpress site [closed]
  45. Securing my WordPress Files and Directories
  46. Single sign-on: wp_authenticate_user vs wp_authenticate
  47. How to allow internal links using wp_kses filtration
  48. How does Cross Site Scripting (XSS) work exactly? [closed]
  49. vs WordPress Security
  50. esc_html__ security : what for in this example?
  51. Using HTACCESS for Secret Access
  52. wp-config.php being written by attacker
  53. Definitive wordpress directory ownership and permissions on linux
  54. XML-RPC errors they know my username?
  55. Is [admin / admin] acceptable for all local websites?
  56. Simple Online Payment for Event Registration [closed]
  57. What may be causing failure of auto-install features in WordPress (v3.0.3)?
  58. Client side HTTP parameter pollution (reflected)
  59. Local file inclusion critical security issue [closed]
  60. Malware script in database post table only? [closed]
  61. Best practices to assert current_user_can() with guests
  62. XMLRPC slow and weird websites/services
  63. Are there security risks in working directly in the themes folder that builds into a theme folder?
  64. Is it safe to hand over the admin rights?
  65. How to find exploited wordpress plugin [closed]
  66. How I can open back door for myself?
  67. Does meta-data need to be sanitized?
  68. How can I force a specific password?
  69. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  70. Who updates the wp-admin/core file?
  71. How to obfuscate wp-config.php or code
  72. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  73. How to prevent to direct access of my custom plugin folder/files
  74. Checking for origin of a xmlrpc request
  75. RESTRICT EDIT of PHP files?
  76. wp-content – permissions for files/folders created by apache
  77. How can I restrict access to specific parts of a page, not just the page itself?
  78. User generated content and security
  79. Are major WordPress updates mandatory for security?
  80. i moved wp-config.php outside of public html and this broke my website
  81. Monitor wordpress all external calls
  82. Securing WordPress running on Azure platform
  83. Verifying that I have fully removed a WordPress hack?
  84. Spam Registrations
  85. How can I have more confidence that WP plugins aren’t getting and storing user data?
  86. Standard Method for Securing a WordPress Site
  87. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  88. Any way to disable /wp-login.php redirecting to the site folder?
  89. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  90. Secure a WordPress website in 2019: one plugin or a combinations of them?
  91. What are the different types of firewall protections available for a WordPress website?
  92. Is this a WordPress security bug?
  93. Competitor is somehow accessing MetaData on a hidden WordPress site
  94. WordPress Hacks/Defacing [closed]
  95. Directory to store secure file
  96. How can I give someone server access to only duplicate and modify a site?
  97. WP-JSON: Cross Origin Resource Sharing Vulnerability?
  98. How can I implement ansible with per-host passwords, securely?
  99. Can you alter the default wordpress strong password requirements?
  100. how to sanitizing $_POST with the correct way?