The wp-config.php file contains all of the confidential information that WordPress needs to access your database and encrypt cookies. It is therefore essential to protect this file properly.
Change WordPress key
WordPress encrypts the information stored in your cookies using security keys stored in the wp-config.php file. These keys are very important, which is why you have to change them.
You can either invent your own keys or generate them randomly with the following tool.
Move wp-config.php up
By default, the wp-config.php file is in the root of the WordPress installation. But it is possible to place it in the parent directory without changing anything else. This takes the file out of the web server's root, so an attacker who can read files there does not find it.
This may seem useless, because by default such a file is not readable as-is and is only processed by PHP. But if you mistakenly disable PHP, anyone can read the PHP files as if they were ordinary text files. Your wp-config.php would then hand over the database passwords and the cookie keys, which would be very bad news for you.
Another technique is to place this file on your server at the location of your choice (really anywhere, for example in /var/www/conf/), then create a new blank wp-config.php file at the root of WordPress (or one level up) and add a call to the original wp-config file like this:
<?php
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once('/var/www/conf/wp-config.php'); // example location from above; use your own path
The code in wp-config.php will be out of reach of potential attackers.
Block access to wp-config.php
It is also very simple and fast to prevent anyone from accessing the wp-config.php file over the web. To do this, edit (or create) the .htaccess file located in the root directory of WordPress and add the following lines:
<Files wp-config.php>
deny from all
</Files>
This will have the effect of prohibiting the reading of this file via Apache.
Change the access rights
Once all these modifications are done, you can change the permissions on the wp-config.php and .htaccess files. What I recommend is to set 644 permissions on both files with the commands:
chmod 644 wp-config.php
chmod 644 .htaccess
644 means that the owner has read and write access, while the group and the rest of the world have read access only.
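The checks from the sections above can be scripted. The following shell function is an added example, not part of the original post; the function names, messages and sample web root are constructed for illustration, and the placeholder string it searches for is the one shipped in wp-config-sample.php.

```sh
#!/bin/sh
# Added example, not from the original post. Names are illustrative.
# audit_wp_config ROOT prints one line per problem found in a WordPress
# root and stores the number of problems in WP_FINDINGS.

audit_wp_config() {
    cfg="$1/wp-config.php"
    hta="$1/.htaccess"
    WP_FINDINGS=0
    report() { echo "FINDING: $1"; WP_FINDINGS=$((WP_FINDINGS + 1)); }

    if [ -f "$cfg" ]; then
        # Keys still set to the value shipped in wp-config-sample.php
        if grep -q "put your unique phrase here" "$cfg"; then
            report "security keys were never changed in $cfg"
        fi
        # Credentials live in the web root instead of in a file outside it
        if grep -q "DB_PASSWORD" "$cfg"; then
            report "database password is stored inside the web root"
        fi
    fi

    # The deny rule only counts when it sits inside a <Files wp-config.php>
    # block ("Require all denied" is the Apache 2.4 spelling).
    if ! [ -f "$hta" ] || ! awk '
        { l = tolower($0) }
        l ~ /<files[ \t]+"?wp-config\.php"?>/ { inb = 1 }
        inb && l ~ /deny from all|require all denied/ { ok = 1 }
        l ~ /<\/files>/ { inb = 0 }
        END { exit !ok }' "$hta"; then
        report "no deny rule for wp-config.php in $hta"
    fi

    # Anything writable by group or others is looser than 644
    for f in "$cfg" "$hta"; do
        [ -f "$f" ] || continue
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \))" ]; then
            report "$f is writable by group or others"
        fi
    done
}

# Constructed sample: a web root that fails every check above
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' "<?php" "define('DB_PASSWORD', 'example');" \
        "define('AUTH_KEY', 'put your unique phrase here');" > "$d/wp-config.php"
    chmod 666 "$d/wp-config.php"
    echo "$d"
}
```

Call it as `audit_wp_config /path/to/wordpress`; a `deny from all` line outside a `<Files wp-config.php>` block is reported as missing, because on its own it would apply to the whole directory.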
If you have other tips about the wp-config.php file, I’ll be happy to read them.