How to Secure WordPress Configuration Files in private_html Folder

The wp-config.php file in WordPress is actually important as it’s one of the core files in its structure. This file contains alot of sensitive information about your WordPress Website. It includes your website database credentials, the authentication keys, and other important configuration settings.

If this file is not secure or publicly exposed due to any incident such as server misconfiguration or vulnerabilities, then it could make your website vulnerable and attackers can compromise it.

Now to keep it secure, you can easily move this file to the private_html folder/directory. The private_html folder is defined in this blog, along with how this method enhances security and how to relocate and refer to your configuration file.

What Is the private_html Folder?

All file storage involved in hosting environments like Cloudways divides into two major types of directories:

• public_html: Files stored here are visible to be seen over the web.public_html is a dowry for JavaScript, HTML and other web files to be seen by anyone.
• private_html: Files stored in private_html are not visible in web browsers. They are more secure but remain within their own directory which is set aside for them by the server.

Usually HTTPS-only environments, making it a great place to securely store configuration files that should never be accessed directly. This is why the private_html directory is often unused.

Why Secure wp-config.php?

Now wp-config.php, by default, is available in the root directory which is most commonly known as public_html folder. As per the directory structure, the placement of this config file makes it reachable through a browser if your server is ever misconfigured or corrupted. Now the question occurs: what is in the file? Here’s what this file contains:

• WordPress database connection details
• Authentication salts and keys
• Debug and environment settings

If we move it to any non-public directory, then it will block direct web access and this is what we need, having another layer of security for our WordPress installation.

How to Move wp-config.php to private_html (Step-by-Step)

In order to achieve this setup, for moving the wp-config.php from public_html to private_html, we have described the steps for better understanding.

Step 1: Connect to Your Server

Use SSH or an SFTP client to access your application directory. For Cloudways users, you can find these credentials under your application’s Access Details.

Using SSH/SFTP, your application path will look similar to the following shared path as it’s mostly the same for many hosting providers. For Cloudways users, it is the accurate application path on Cloudways Platform:

/home/master/applications/<dbname>/public_html

Replace <dbname> with your actual Cloudways application Database name. Here’s the sample for better clarity.

Step 2: Move the Configuration File

Now it’s time to move the file as you are already in the root directory of your application, public_html. You will need to execute the following command in your public_html directory:

💡Note: Please make sure that your path is correct and if you are cloudways user, then your database name should be modified as well before executing the command.

mv /home/master/applications/<dbname>/public_html/wp-config.php /home/master/applications/<dbname>/private_html/wp-config.php

This moves the config file out of the public folder and into a private location.

Step 3: Create an Include File

Since WordPress expects to find wp-config.php in the public_html directory, you need to create a new wp-config.php file to make it the include file that points to the new secure location of our website’s config. Now let’s create a new wp-config.php file inside the public_html folder and add the following line in it while making sure database name is updated in it:

<?php

include('/home/master/applications/<dbname>/private_html/wp-config.php');

This line tells WordPress to use the actual config file from the private directory. Once the line is added, please save and close the file.

Step 4: Set Correct File Permissions

As we proceed, it’s really important to make sure that the config file is readable only by the application and the server. Let’s run the following command in private_html using SSH terminal, making sure with correct database name:

chmod 640 /home/master/applications/<dbname>/private_html/wp-config.php

This sets the file to be readable and writable by the owner, readable by the group, and inaccessible to others.

Step 5: Test Your Site

Now you can visit your WordPress site in a browser. If it loads without issues, your setup is working correctly.

If you encounter errors like “Error establishing a database connection,” double-check:

• The file path in your include statement
• File permissions
• Whether the file was fully moved

Finally, your WordPress Configuration is now secure under the private_html directory.

Conclusion

Securing wp-config.php is easy and now-a-days essential for WordPress site’s security. By leveraging the private_html folder available on Cloudways, you make it significantly harder for attackers to access sensitive application data, even if there’s a web server vulnerability.

This approach does not require extra plugins setup or any third-party tools. Honestly it integrates well with most of the hosting environments. As a best practice, try to consider this action with regular website backups, maintaining firewalls, and application permissions review for a complete security check.

Salwa Mujtaba

Salwa Mujtaba is a Technical Content Writer at Cloudways. With a strong background in Computer Science and prior experience as a team lead in Cloudways Operations, she brings a deep understanding of the Cloudways Platform to her writing. Salwa creates content that simplifies complex concepts, making them accessible and engaging for readers. When she's not writing, you can find her enjoying good music, reading a book, or spending quality time with her family.

Get Connected on: Twitter Community Forum