Move wp-config.php to upper folder
**Proved and tested move from /var/www/html to /var/www**
I prefer to put wp-config.php out of the html directory and move it to the root directory. Is it possible?
No, that is not possible by default, and it is not a recommended security practice.
WordPress is specifically programmed to look for wp-config.php in only two places:
- In the WordPress installation directory itself (e.g., /var/www/html/).
- In the directory one level above the installation directory (e.g., /var/www/).
Moving the file to the filesystem's root directory (/) is several levels up, so WordPress will not be able to find it automatically. This will cause your site to fail and trigger the WordPress installation screen.
Why Moving to the Root Directory (/) is Not a Good Idea
Even if you could make it work with custom code, placing application files in the filesystem's root is a bad practice for two main reasons:
- System Organization: The root directory (/) is reserved for the core directories of the Linux operating system (/bin, /etc, /home, etc.). Adding application files here clutters the system and goes against standard system administration practices.
- Permissions Issues: The root directory has highly restrictive permissions. Your web server user (e.g., www-data) would not have permission to read a file in /, and giving it that permission would be a significant security risk.
The Correct and Recommended Strategy
The best practice remains the one WordPress is designed for: move wp-config.php one level above your public web directory.
- If your site is in: /var/www/html/
- Move the file to: /var/www/
This simple action achieves the primary security goal of moving the file outside the webroot, making it inaccessible to browsers, while still allowing WordPress to find and read it without any issues.
OK, explain to me: if I have to move it to /var/www, is any PHP script code needed?
No, you do not need any extra PHP code or script.
Moving the wp-config.php file from /var/www/html to /var/www works automatically because this is a built-in feature of WordPress.
How It Works
WordPress is programmed to automatically look for the wp-config.php file in two locations, in this specific order:
- The WordPress root directory: It first checks the folder where WordPress is installed (e.g., /var/www/html).
- The parent directory: If it doesn't find the file there, it automatically checks one level up (e.g., /var/www).
Because you are moving the file to the immediate parent directory, WordPress will find it without any extra configuration.
The Correct Steps (No Code Needed)
Just ensure you have the correct ownership and permissions after you move the file.
- **Move the File:**

  ```bash
  sudo mv /var/www/html/wp-config.php /var/www/wp-config.php
  ```

- **Set Correct Ownership:** The web server user (www-data on Debian/Ubuntu or apache on CentOS/RHEL) must own the file to read it.

  ```bash
  sudo chown www-data:www-data /var/www/wp-config.php
  ```

- **Set Secure Permissions:** The 400 permission is still the best choice, allowing only the owner to read the file.

  ```bash
  sudo chmod 400 /var/www/wp-config.php
  ```

That's it. Your website will load perfectly without needing any changes to your code. You have successfully increased your site's security by moving the file out of the webroot.
Yes, it worked perfectly. Note that if I create a subfolder, WP will not detect it, right?
That's correct, you are exactly right.
WordPress will not detect wp-config.php if you move it into a subfolder.
How WordPress Finds the File
WordPress has a very specific and limited search path. It only looks in two places:
- The current directory (e.g., /var/www/html/).
- The immediate parent directory (e.g., /var/www/).
It does not search recursively into any subfolders. So, if you were to move the file to /var/www/html/config/ or /var/www/secure/, WordPress would fail to find it, and you would see the installation screen again.
Think of it like looking for your wallet. You'll check your pocket and the table beside you, but you won't automatically start opening every drawer in the room. WordPress's search is just as simple.
Sticking with the parent directory (/var/www/) is the correct and simplest way to secure the file.
It moved from /home/zTzZiInSL2l3HSf1/kost-jogja-eksklusif/public_html/ to /home/zTzZiInSL2l3HSf1/kost-jogja-eksklusif/. Can I move it up again? Up to home?
Screenshots removed in this version because local image assets are not present in the docs repository.
No, you cannot move it up again to the /home directory and have it work automatically.
Based on your screenshots, you have already moved it to the perfect location. WordPress will only look one level up, and you've done exactly that.
Here's the Breakdown
- Your WordPress Installation: /.../public_html/
- Where WordPress Looks:
  - It first checks inside /.../public_html/.
  - If not found, it checks one level up in /.../kost-jogja-eksklusif/.
- Your Current Location: You correctly placed it in /.../kost-jogja-eksklusif/.
If you move it any higher, like to /home/zTzZiInSL2l3HSf1/, WordPress will not find it, and your site will show the installation screen.
You have already achieved the main security goal: the file is outside the public_html folder and is not accessible from the web. There is no additional security benefit to moving it further up the directory tree.