Security issues with WP sites

wordpress configuration file is located in the root.In the event that PHP stops functioning on webserver for any reason.we run the risk of this file being displayed in plaintext,which will give our password and database information to visitor.
you can safely move wp-config directory up out of root directory.this will stop if from accidentally served. WordPress has built-in functionality that automatic check parent directory if it cannot find a configuration file.

In this situations on certain hosts, is not option. An alternative on Apache web servers is to set your .htaccess to not serve up the wp-config file.
Add the following line to ur .htaccess file in the root directory.

<FilesMatch ^wp-config.php$>deny from all</FilesMatch>

Related Posts:

  1. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  2. Hack-Proof OR Security in WordPress — is it real?
  3. Some one is trying to hack my website, Need guidance [closed]
  4. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  5. Website show Google Ads when we have no Google Ads linked to our website
  6. WordPress disable direct access of files in WordPress installation path
  7. Being hacked. Is there a list of WordPress security holes I can check against?
  8. My WP site and password was hacked, what to do? [closed]
  9. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  10. I found this in a plugin. What does it do? is it dangerous?
  11. Disabled plugins are they security holes – rumor or reality?
  12. What could a hacker do with my wp-config.php
  13. How Can I Securely Implement a Password-less Login Feature?
  14. Security and .htaccess
  15. Are there procedures to prevent malicious plugin updates?
  16. Should we use plugins that aren’t available from the official WordPress site?
  17. How to check plugins for malicious code?
  18. How to properly secure my WordPress installation?
  19. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  20. Where should my plugin POST to?
  21. Security error WP 4.0 + WP phpBB Bridge [closed]
  22. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  23. Disabled plugins are security holes – rumor or reality?
  24. Should I use RIPS tool to test my themes and plugins?
  25. Prevent Brute Force Attack
  26. Upgrading WordPress 4.0 asks for FTP password
  27. How to prevent bot or someone to modify any file automatically?
  28. How Restrict access to admin dashboard by specific static ip?
  29. When is it useful to use wp_verify_nonce
  30. Protecting against malicious code in WordPress plugin updates
  31. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  32. How to expire all wordpress user passwords instantly?
  33. Weird problems after recovery from security breach
  34. How can we deal with unmaintained plugins with vulnerabilities?
  35. Escape when echoed
  36. Should you escape hardcoded URLs?
  37. Preventing BFA in WordPress without using a plugin
  38. How can I make uploaded images in the editor load with HTTPS?
  39. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  40. WordPress filter that hook after each action/filter hook
  41. How to delete Passwrd Protected posts cookies when a user logged out from the site
  42. The safest way to automate WordPress backups
  43. wp_create_nonce function doesn’t work inside a plugin?
  44. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  45. How to block plugin activations with no known user or coming from unknown IP address range?
  46. Nonce failing on form submission
  47. Check for security updates
  48. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  49. How can I safely hide the fact that my website runs on WordPress? [closed]
  50. Why can’t I access my Intranet LDAPS with NADI?
  51. Malicious File Upload [closed]
  52. Stop Plugin Enumeration [closed]
  53. My WordPress website was hacked [closed]
  54. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  55. Is wp-app.php or wp-apps.php needed for WordPress?
  56. Security and Must Use Plugins
  57. Is Timthumb still broken? What security measures should be taken?
  58. Prevent direct access to WordPress plugin assets?
  59. Is it safe to use admin-ajax.php in the frontend?
  60. How to protect WordPress from security scanner [closed]
  61. Specific way to allow WordPress users to view their current password? And edit it?
  62. How to prevent plugins from sniffing/stealing other plugins’ options?
  63. how to activate a plugin inside a theme
  64. malware undetectable by multiple scans
  65. Custom API plugin to execute 3rd party API to retrieve data
  66. How to deal with Slow HTTP POST (slowloris) vulnerability
  67. Running multiple security plugins
  68. how do I secure my WP website from hackers? [closed]
  69. Want to modify a Plugin – Tweetily – Can I make it tweet a Custom Field instead of Post Title?
  70. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  71. Is the Block Bad Queries Plugin Still Relevant?
  72. WP Insert Post If user refreshes override new post
  73. 404 errors when updating options in admin dashboard
  74. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  75. Hide plugins and theme from public
  76. WordPress search shows protected content
  77. Security of a WordPress Plugin
  78. Can I disable xml-rpc by setting it to false?
  79. Help to Create a Simple Plugin to make a post
  80. Content-Security-Policy implementation with WordPress W3Total Cache plugin installed
  81. prevent anonymous access to WordPress site (non-admin site)
  82. “Fire Secure” menu item
  83. Securing a plugin pop-up window
  84. https rewrite not working for All in one security Brute force > rename login url
  85. Redux framework somehow added to my site, can’t locate in plugins
  86. wp_verify_nonce fails always
  87. How can i see/log all requests coming from a registration form (not from the UI)?
  88. Site is continuously accessing by several IPs
  89. Validating values using Settings API?
  90. using .htaccess only for wordpress security no plugins
  91. Problem with permissions in wp-content/plugins
  92. How to resolve these findings from security audit
  93. How to avoid conflict between plugin and its edited version?
  94. Windows 10 Printer that Sends to WordPress [closed]
  95. How I can hide my wp folders from Inspect Element (Developer Tools)
  96. How to Find WordPress site has backdoor login Codes
  97. How to delete Password Protected posts cookies when a user logged out from the site
  98. WordPress website is redirecting on some different shopping page
  99. WordPress User Registration/ Sign Up -> Able to take Paid Certification Courses & keep track of Completed Certificates
  100. Block Root REST API Route using custom &/or iThemes