Password in wp-config. Dangerous?

I don’t know a lot of WordPress yet, and I’m just wondering:

Before installation you have to fill in the correct data in wp-config-sample.php but this also includes the database password. Isn’t that dangerous? I mean, can some one explain how this is protected from just reading the file and thus getting the password of your DB?


Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

The “Hardening WordPress” page of the Codex contains a section on “Securing wp-config.php”. It includes changing the permissions to 440 or 400. You can also move the wp-config file one directory up from the root if your server configuration allows for that.

Of course there is some danger to having a file with the password like this if someone gets access to your server, but, honestly, at that point they already are in your server.

Finally, you don’t have much of a choice. I’ve never seen an alternate means of configuring WordPress. You can lock it down as much as you can, but this is how WordPress is built, and if it were a serious security threat, they wouldn’t do it that way.

Method 2

To make a case for keeping your config file one level up from the web root (as mrwweb suggested): a few months ago, an automatic update on a production server of ours killed php but left apache running. So everyone coming to the homepage was being offered index.php as a download. In theory, anybody who knew it was a WordPress site could have requested wp-config.php, and gotten it (had it been in the web root). Of course, they’d only be able to use those DB credentials if we allowed remote MySQL connections–but still, not cool. I realize this is a fringe case, but it’s so easy to keep your config out of sight, why not do it?

Method 3

Unless someone has access via FTP, you don’t need to worry about this. PHP is rendered on the server before it hit’s the users browser.

Method 4

Here’s another tip: protect wp-config.php (and any other sensitive files) with .htaccess

Add the following to an .htaccess file in your site’s directory where all other WordPress files are located:

<Files wp-config.php>
order allow,deny
deny from all

from How to harden your WordPress installation

Method 5

If somebody has access to read the contents of your Php files, you’ve already been hacked.

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments