Denying access to wp-config.php
In Chapter 5 we looked at how to protect web directories, introducing the valuable htaccess tool to secure wp-admin. We'll use that file again now to add impermeability to the kingpin core file, wp-config.php.
Note
htaccess must be hidden. Achieve this by prefixing its name with a dot. It will look like .htaccess, always.
The htaccess file permissions are set, ideally, to 640 or, at least, to 644.
Create or open up an htaccess file in your WordPress root directory, adding this code:
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>
What that does is to pinpoint the wp-config.php file, saying that surfers can't look at this file under any circumstances, whatsoever, howsoever, irrespective, or ever. Note the word surfers. If someone somehow cracks your server, all bets are off. Nonetheless, this is important, not least of all if you accidentally promote the file's permissions.
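A check for the two settings described above, the permission bits on .htaccess and the deny block for wp-config.php, written as an added example rather than code from the book. The function names are hypothetical and the sample directory is constructed; the matcher also accepts Require all denied, the Apache 2.4 form of the same rule.

```shell
#!/bin/sh
# Added example: audit a WordPress root for the .htaccess settings described above.
# Function names are hypothetical; the sample directory at the end is constructed.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if a <Files wp-config.php> block contains a deny-all directive.
# Each directive must sit on its own line, as Apache requires.
has_wpconfig_deny() {
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*#/ { next }
        line ~ /^[ \t]*<files[ \t]+"?wp-config\.php"?[ \t]*>[ \t]*$/ { inside = 1; next }
        line ~ /^[ \t]*<\/files>[ \t]*$/ { inside = 0; next }
        inside && line ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)[ \t]*$/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Report every problem found in the given WordPress root; return 0 only if none.
audit_wp_root() {
    ht="$1/.htaccess"
    rc=0
    if [ ! -f "$ht" ]; then
        echo "FAIL: $ht not found"
        return 1
    fi
    mode=$(file_mode "$ht")
    # Any permission bit outside rw-r--r-- (644) means the file is too open.
    if [ $(( 0$mode & ~0644 )) -ne 0 ]; then
        echo "FAIL: $ht has mode $mode, expected 640 or at most 644"
        rc=1
    fi
    if ! has_wpconfig_deny "$ht"; then
        echo "FAIL: $ht has no deny-all block for wp-config.php"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $ht (mode $mode)"
    return "$rc"
}

# Constructed sample standing in for a WordPress root.
demo_root=$(mktemp -d)
printf '%s\n' '<Files wp-config.php>' 'Order deny,allow' 'Deny from all' '</Files>' \
    > "$demo_root/.htaccess"
chmod 640 "$demo_root/.htaccess"
audit_wp_root "$demo_root"
```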