Move Username and Password Outside of WP Web Tree

WordPress, like many other CMS’s, stores MySQL username and password in a configuration file, in WP case, wp-config.php.

Although WP PHP code is interpreted at the server, the user name/password combination is unlikely to be shown in a web browser. But it really not wise to store the combination in a publicly accessible place. Should the server stop interpreting PHP for some reasons, the combination would be available in plain view and readable by the world.

This TIP will show how to move the username/password combination to a secure place outside of your web tree.

Precaution: This is a serious attempt and it may cause your web site stop working. You MUST know what you are doing and proceed at your own risk.

Let Assume:
Your site root is /home/yoursite.com/
Your web root is /home/yoursite.com/public_html

Create a folder outside your web root
Use SSH/Cpanel create a folder called /home/yoursite.com/securedata
(you can name it to whatever you like)

Create a php file using a text editor, such as wordpad or notepad.

Fill in your mysql information in the file

<?php
$db_user   = “db username”;   //database username here
$db_passwd = “db password”;  //database password here
$db_name   = “db name”;    //your database name here
$db_host   = “db host”; //usually localhost
?>

Save it as wp-auth.php and upload it to /home/yoursite.com/securedata

WARNING: Please make sure there is NO white space after ?> You might have a “blank page” or not able to log into your system, if there were a whitespace.

Now, we need to modify wp-config.php file

As always, back up wp-config.php file first, in case that something goes wrong, you can always replace the modified file with the original.

Add the following line in the top of wp-config.php file
include (“/home/yoursite.com/securedata/wp-auth.php”);

modify the following setting in wp-config.php file

// ** MySQL settings – You can get this info from your web host ** //
/** The name of the database for WordPress */
define(‘DB_NAME’, $db_name);

/** MySQL database username */
define(‘DB_USER’, $db_user);

/** MySQL database password */
define(‘DB_PASSWORD’, $db_passwd);

/** MySQL hostname */
define(‘DB_HOST’, $db_host);

Make sure there are NO quotes around $db_user, $db_passwd, $db_name, $db_host.

Save the file and test. If your WordPress website continues to function, congratulations!