My wp-config.php got exposed. What should I do?
WordPress's configuration file holds your database credentials, secret keys and salts in plain text. If it was publicly reachable, assume everything inside it is compromised and act immediately.
Don't panic — but move fast.
wp-config.php contains everything needed to access your database and forge valid WordPress sessions. The good news: WordPress supports keeping this file one directory above the web root, so the fix is a single move — plus credential rotation.
// the 60-second version
- Move wp-config.php one directory above the web root immediately.
- Change your database password and update it in the config.
- Regenerate all WordPress secret keys and salts.
- Check access logs and WordPress admin for signs of unauthorised access.
01 Understand what was exposed
wp-config.php is WordPress's entire secret store. A public copy gives an attacker:
- DB_HOST, DB_NAME, DB_USER, DB_PASSWORD — direct database access. They can read every post, comment, order, and user record — including hashed passwords.
- Authentication keys and salts — used to sign WordPress cookies. With these, an attacker can forge a valid admin session without needing a password.
- Table prefix — minor, but helps with SQL injection targeting.
Session forgery is the hidden danger. Even if your DB password is changed, existing WordPress sessions remain valid until you regenerate the secret keys. Do both — in that order.
02 Move the file out of the web root
WordPress has built-in support for keeping wp-config.php one level above the public directory. Simply move it:
# If your site is at /var/www/html/
mv /var/www/html/wp-config.php /var/www/wp-config.php
WordPress will automatically find it there — no code change needed. Two caveats: WordPress only looks one level up if that parent directory is not itself a WordPress install (it must not contain a wp-settings.php), and the moved file must stay readable by the user PHP runs as while the parent directory is not served by the web server. Verify your site still loads, then confirm the old path returns a 404.
03 Change the database password
In your database management tool (phpMyAdmin, MySQL CLI, or your host's panel), change the password for the WordPress database user. Then update wp-config.php with the new value:
define( 'DB_PASSWORD', 'your-new-strong-password' );
04 Regenerate WordPress secret keys and salts
WordPress uses eight secret keys/salts to sign authentication cookies. Regenerating them immediately invalidates all active sessions — including any the attacker may have forged.
Visit https://api.wordpress.org/secret-key/1.1/salt/ to generate a fresh set, then replace the corresponding block in wp-config.php.
Replacing the keys logs out every user, including yourself. Have your admin credentials ready before you do this.
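As an added example (not code from the original guide), a small Python helper that reads a wp-config.php, flags secret constants that are missing, still the sample placeholder, or reused across constants, and rotates all eight in place using the OS CSPRNG instead of fetching from the wordpress.org endpoint. The sample config it runs on is constructed, and the stock single-quoted define() style is assumed.

```python
import re
import secrets
import string

# The eight constants WordPress uses to sign and salt authentication cookies.
WP_SECRET_CONSTANTS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php
# Characters safe inside a PHP single-quoted string: no quote, backslash or $.
_ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                    if c not in "'\\$")
# Matches define( 'NAME', 'value' ); as written in the stock config (single quotes assumed).
_DEFINE_RE = re.compile(
    r"define\(\s*'(?P<name>[A-Z_]+)'\s*,\s*'(?P<value>(?:[^'\\]|\\.)*)'\s*\)\s*;")
# Constructed sample config (not a real site's file): a placeholder, a reused key, NONCE_SALT missing.
SAMPLE_CONFIG = "<?php\ndefine( 'DB_PASSWORD', 'old-pass' );\n" + "".join(
    "define( '%s', '%s' );\n" % kv for kv in [
        ("AUTH_KEY", PLACEHOLDER), ("SECURE_AUTH_KEY", "abc"), ("LOGGED_IN_KEY", "abc"),
        ("NONCE_KEY", "n1"), ("AUTH_SALT", "s1"), ("SECURE_AUTH_SALT", "s2"),
        ("LOGGED_IN_SALT", "s3")]) + "$table_prefix = 'wp_';\n"

def generate_secret(length=64):
    # 64 characters from the OS CSPRNG, the length the wordpress.org generator uses.
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))

def read_secrets(config_text):
    # Map each secret constant present in the config to its current value.
    return {m.group("name"): m.group("value") for m in _DEFINE_RE.finditer(config_text)
            if m.group("name") in WP_SECRET_CONSTANTS}

def find_weak_secrets(config_text):
    # Constants that are missing, still the sample placeholder, or share a value with another.
    found = read_secrets(config_text)
    values = list(found.values())
    return [n for n in WP_SECRET_CONSTANTS
            if n not in found or found[n] == PLACEHOLDER or values.count(found[n]) > 1]

def rotate_secrets(config_text):
    # Replace every secret constant present with a fresh value; DB_* and other defines are untouched.
    new_values = {}
    def _swap(m):
        name = m.group("name")
        if name not in WP_SECRET_CONSTANTS:
            return m.group(0)
        new_values[name] = generate_secret()
        return "define( '%s', '%s' );" % (name, new_values[name])
    return _DEFINE_RE.sub(_swap, config_text), new_values
```

Run find_weak_secrets on the rewritten text afterwards: any constant it still reports (NONCE_SALT in the sample) has to be added by hand, since the helper only rotates defines that already exist.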
05 Check for signs of access
- Database logs — if your host keeps them (MySQL's general query log is off by default), look for connections from unfamiliar IPs around and after the exposure window.
- WordPress admin — check Users for any new admin accounts, Plugins for unfamiliar plugins (a common backdoor), and Posts for injected content.
- Web server access logs — grep for requests to wp-config.php to see when it was accessed and from where.
- File modification times — create a reference file stamped at the start of the exposure window (touch -d 'YYYY-MM-DD HH:MM' /tmp/reference), then run find /var/www -newer /tmp/reference -name "*.php" to spot PHP files modified since then. Timestamps can be reset by an intruder, so a clean result is not proof nothing was changed.