According to the WordPress Codex, the config file is one of the most important files in your WordPress installation. This file is located in your WordPress root directory and contains important information such as database connection data (username, password, etc.) and various settings.
We can harden security somewhat by moving this important file outside the root folder.
Moving wp-config.php outside the webroot folder is very simple and takes the following 4 steps.
Step 1: Download current wp-config.php file
As the first step, we need to download the current wp-config.php using FTP or cPanel and save it somewhere safe because this file is the heart of the WP site.
Step 2: Create directory outside public_html folder
Now we need to create a folder outside the /public_html folder, where wp-config.php will be stored. This tutorial names it "config", but you can change the name to anything, and doing so is recommended.
Note: You can also nest the folder at any depth. There is no restriction on that.
Step 3: Move wp-config.php
The next step is to move the downloaded wp-config.php file to the newly created "config" folder. To move wp-config.php, you can use FTP, cPanel, or any other file transfer method.
Step 4: Include the moved wp-config.php
The final step is to include the moved wp-config.php from the main wp-config.php.
Open the main wp-config.php in an editor, add the code snippet below, then save it.
<?php include('/home/usr/config/wp-config.php'); // Make sure to replace 'usr' with your server username
What we did in the four steps above is simply create a virtual shortcut file for wp-config.php in place of the real file. So, even if someone does hack the wp-config.php file in your WP directory, all they’ll find is a file pointing to another file 😀
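To check the result of the four steps, here is an added example (not part of the original article). This Python script confirms that the wp-config.php left in the webroot is only a pointer and that the file it includes resolves to a location outside the webroot. Going beyond the article, it also checks that no backup copies remain in the webroot and that the moved file is not world-readable. The function names and the sample layout are constructed for illustration.

```python
import os
import re
import stat
import tempfile
# Constant names taken from a stock wp-config.php; none should remain in the stub.
SECRET_RE = re.compile(r"define\(\s*['\"](DB_USER|DB_PASSWORD|AUTH_KEY|SECURE_AUTH_KEY)['\"]")
INCLUDE_RE = re.compile(r"(?:include|require)(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")

def audit_config_move(webroot):
    """Return a list of findings; an empty list means the move looks sound."""
    webroot = os.path.realpath(webroot)
    # Backup copies (wp-config.php.bak, wp-config.php~, ...) may be served as plain text.
    findings = [f"leftover copy in webroot: {n}" for n in sorted(os.listdir(webroot))
                if n.startswith("wp-config") and n not in ("wp-config.php", "wp-config-sample.php")]
    stub = os.path.join(webroot, "wp-config.php")
    if not os.path.isfile(stub):
        return findings + ["stub wp-config.php missing from webroot"]
    with open(stub, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    if SECRET_RE.search(text):
        findings.append("stub still defines credentials or keys")
    match = INCLUDE_RE.search(text)
    if not match:
        return findings + ["stub does not include another file"]
    target = os.path.realpath(os.path.join(webroot, match.group(1)))  # resolves symlinks and ".."
    if not os.path.isfile(target):
        findings.append(f"included config not found: {target}")
    else:
        if os.path.commonpath([webroot, target]) == webroot:
            findings.append("included config is still inside the webroot")
        if os.stat(target).st_mode & stat.S_IROTH:
            findings.append("included config is world-readable")
    return findings

def build_sample(base, config_dir, mode=0o600):  # constructed demo layout
    webroot = os.path.join(base, "public_html")
    real = os.path.join(base, config_dir, "wp-config.php")
    os.makedirs(webroot, exist_ok=True)
    os.makedirs(os.path.dirname(real), exist_ok=True)
    with open(real, "w") as fh:
        fh.write("<?php define('DB_PASSWORD', 'constructed-sample');\n")
    os.chmod(real, mode)
    with open(os.path.join(webroot, "wp-config.php"), "w") as fh:
        fh.write(f"<?php include('{real}');\n")
    return webroot

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        print(audit_config_move(build_sample(base, "config")))
```

On a real host, call audit_config_move('/home/usr/public_html') with 'usr' replaced by your server username.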