Super Secure WP-CONFIG.PHP – Make your WordPress more secure by Encrypting and Moving your wp-config.php file – Step by Step tutorial

Written on:May 17, 2012
Add One



The most important file of WordPress script is the ‘wp-config.php’.It includes your database credentials and other important details which, if compromised may result in compromised WordPress,user details and passwords including the Admin account.So it is one of the primary targets of the WordPress hackers.If they somehow manage to get that file it becomes very easy to hack up the total WordPress based website or blog.

Though the php files can not be viewed directly through browser request.On request the server executes the file and gives the result to the user.The file can only be viewed from the back end of the website Cpanel,FTP etc…

Still there are some cases which may compromise your ‘wp-config.php’ file to the potential hackers –

  • If somehow the PHP service is switched off on your hosting server.At that time the server would give raw file to the users on request regardless of user authentication.
  • If your hosting panel gets hacked or compromised
  • FTP account gets compromised
  • Shell attack on the server.

There are some easy steps top secure your ‘wp-config.php file and thus secure your wordpress better.This is not a fail proof procedure but it clearly adds a new level of security to your blog and reduces the chances of hacking.

Things You Need –

  • A working wordpress.It must be installed in the public_html directory and wordking directly on the url will not work for the wordpress which are installed under a folder within the public_html like url – http://www,
  • A hosting panel access over HTTP or FTP. (Cpanel used as example)

First or all, Open your default ‘wp-config.php’ file ( located in the public_html folder ) with Text editor. Copy the entire content excluding the “<?php and ?>” tags.

Now open to this site or any other “eval gzinflate base64 encoder” site and paste it .Hit ENCODE switch.Download the encoded file on your computer.


encoding process wordpress wpconfigfile-min


Now open the file with a text editor. There will be some gibberish code written in it, Don’t mind and carry on with the process.Keep the code open. Copy the gibberish code as shown in the picture. Copy only the part shown in red color in the picture (excluding the inverted commas).


encoding process wordpress wpconfigfile result-min


Open a New file with Notepad or any other text editor and paste the following code in that.

$secret = ‘encoded-hash‘;

Replace the encoded-hash part with the total gibberish from the previous file. Be careful with the codes. Any mistake such as an additional space or deleting something will result in errors.




Save this file named ‘secret.php’ ( without the quotes ).

Now open Another New file with Notepad or any other text editor and paste the following code –

include ‘/home/user/foldername/secret.php’;
eval(gzinflate(base64_decode( $secret )));

Replace the ‘user‘ with your hosting panel username (like cpanel username).Replace the ‘foldername’ with the any name you wish.If you change the foldername here with something else remember to do so with the next steps also where ever foldername is mentioned.




Save the file named ‘wp-config.php’ (  without the quotes).

Now login to your hosting panel.Go to public_html or www directory.If the wordpress is loaded in that folder then you must find the ‘wp-config.php’ file there.

Delete the file.( Save a back up copy of the default wp-config.php on your computer incase you need to edit or modify it in future )

Return to your root directory means path “/home/user/”.

Upload the ‘wp-config.php’ that you just created on your computer in that directory.Create another folder (example – foldername) in that same directory.

Go inside the newly created folder means “/home/user/foldername/”

Upload the secret.php file inside that newly created folder.

Thats it.Good job…

Now the ‘wp-config.php’ in not only encrypted but also inside your root directory which is more secure than the public_html folder.

File/Folder permission – 

foldername – 755
secret.php – 700
wp-config.php – 700

What if i need to edit or modify wp-config.php in future?

Take a copy of the backed up default wp-config.php and make what ever changes you want to make in that file.Now after that just copy the whole content of the edited file without the “<?php and ?>” tags and encode it with the previously mentioned process.Copy the new encoded hash and paste it in the sercet.php file replacing the old encoded hash.Thats it…

Happy blogging.Leave your feedbacks and comments in the comment section below…


Leave a Comment

Your email address will not be published. Required fields are marked *