How to use your HT Access file to protect your WP config file and secure your WordPress website

Not all WordPress user probably know how important the wp-config.php (WP config) file is and maybe don’t know that it exist. And that people can access that file even if they’re not signed in to your WordPress website or into your hosting account and compromise your WordPress security. Once they edit your wp-config.php file you are in a heap of trouble.
So to check if your are exposing your wp-config file go to your website and add wp-config.php (

What will happen is, it will load a blank page. It’s actually loading the content in the background but WordPress is hiding it so if a smart hacker puts the right parameters at the end of this URL they can actually get into your WordPress site. I am not putting those parameters in here because I don’t want someone to use them and get the wrong ideas. But the point is they can mess around with your site if you don’t protect the wp-config file. I’m going to show you a quick and easy way to protect the file via your htAccess file so if you go into your hosting account.

Scroll down to where the file manager is this might look a little different on  whatever host you’re using then find the appropriate website and then go to the document root for that website. Check the show hidden files.

This can also be done via FTP, there will be a file there should be a file called  .htaccess (dot HTaccess)  if the file does not exist you can create one.

In the FTP you can right click in a blank area of the cpanel and click on create file.

Inside of the file manager click on new file on the top left and then we just give the
file a name .htaccess. 

That dot is very important so don’t forget that dot. If the file already
exists right click on it and click edit.

Paste in this little piece of code below

<files wp-config.php>
order allow,deny
deny from all

What it’s saying is for the file wp-config.php do the following in this order the first option is allow and the second option is deny and then deny from all. What it executes is the very last order which is deny from all . Save changes.

Go back to your browser and try again file we should get a different error message. Most likely its Error 403 forbidden. That will essentially locks a prospective hacker out of getting into htaccess file because now their access is forbidden. It’s not just loading a blank page that they could possibly get information from by adding parameters to the URL.  Now you just added a 1% to your WordPress website security.