Your wp-config.php file holds your database credentials and your authentication keys and salts. It should never be readable in a browser, and on a healthy server it is not: the server hands the file to PHP instead of sending its source. But editors and backup tools leave copies behind with names like wp-config.php.bak or wp-config.old, and because the server has no PHP handler for those extensions it will serve them as plain text. I wrote this to catch anyone trying to load that file, or its common backup names, straight from the address bar.
What you get
- Returns a blank page, with nothing from the file in it, if someone requests wp-config.php directly in a browser
- Checks for the common backup filenames that editors and tools leave behind (wp-config.php.bak, wp-config.old and the like)
- Runs at the PHP layer, inside WordPress, so it does not depend on a server rule being in place. That also sets its limit: it can only act on requests that reach WordPress. If the web server serves a stray backup copy as a static file, PHP never runs for that request, and only a server-level rule can stop it
Who it’s for
Anyone on shared or self-managed hosting where you are not certain the server already refuses these requests. If you run on WP Engine or a similar managed host, they block this at the server level before PHP loads — which is the better place to stop it. On those hosts this plugin is a redundant second check. Some people like the belt and the braces. That is a fair reason to keep it.
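If you are not sure whether your server already refuses these requests, the script below is an added check (my own example, not part of the plugin) that probes a site for wp-config.php and its common leftover names, classifies each response, and prints the server-level deny rules for Apache and nginx. The filename list and the rule patterns are assumptions about typical editor and backup leftovers, not a list taken from the plugin.

```shell
#!/bin/sh
# Added check script (not part of the plugin). Probes a site for wp-config.php and
# the backup names editors and tools leave behind, classifies each response, and
# prints server-level deny rules. The filename list and the rule patterns are
# assumptions about common leftovers, not something taken from the plugin.

# Candidate filenames, relative to the site root. ".wp-config.php.swp" is the
# hidden swap file vim leaves behind while the file is open in an editor.
wp_config_candidates() {
    cat <<'EOF'
wp-config.php
wp-config.php.bak
wp-config.php.old
wp-config.php.orig
wp-config.php.save
wp-config.php.txt
wp-config.php~
wp-config.bak
wp-config.old
wp-config.txt
.wp-config.php.swp
EOF
}

# Classify an HTTP status code ($1) and a downloaded byte count ($2).
#   SERVED  - 200 with a body: the file contents reached the client (inspect it)
#   BLANK   - 200 with no body: PHP executed the file or a plugin cut the output
#   BLOCKED - the server refused or hid the file
classify_response() {
    case "$1" in
        200) if [ "$2" -gt 0 ]; then echo SERVED; else echo BLANK; fi ;;
        401|403|404|410) echo BLOCKED ;;
        *) echo OTHER ;;
    esac
}

# Request every candidate under a base URL such as https://example.com
# and print one line per file: verdict, status, bytes, URL.
probe_wp_config() {
    base="${1%/}"
    wp_config_candidates | while IFS= read -r name; do
        url="$base/$name"
        # curl prints "<status> <bytes>"; a connection failure yields status 000.
        set -- $(curl -s -o /dev/null -w '%{http_code} %{size_download}' "$url")
        printf '%-8s %s %6s %s\n' "$(classify_response "$1" "$2")" "$1" "$2" "$url"
    done
}

# Apache 2.4 .htaccess rule: deny anything whose name starts with "wp-config."
# (optionally hidden with a leading dot). AllowOverride must permit the directive.
emit_apache_rule() {
    cat <<'EOF'
<FilesMatch "^\.?wp-config\.">
    Require all denied
</FilesMatch>
EOF
}

# nginx equivalent. Regex locations are tried in order and the first match wins,
# so this block must come before the "location ~ \.php$" block that hands
# requests to PHP, or wp-config.php itself will still reach PHP.
emit_nginx_rule() {
    cat <<'EOF'
location ~ /\.?wp-config\. {
    return 403;
}
EOF
}

# Usage: sh check-wp-config.sh https://example.com
if [ -n "${1:-}" ]; then
    probe_wp_config "$1"
    echo
    echo "# Apache .htaccess:"; emit_apache_rule
    echo "# nginx server block:"; emit_nginx_rule
fi
```

A SERVED line is the one to act on: it means the file body reached the browser, and only a server rule will fix it. A BLANK result for wp-config.php itself is normal, since the server ran it as PHP; a BLANK result for a backup name usually means the file does not exist and WordPress rendered nothing for it. Run the probe again after adding the rule and expect BLOCKED for every name.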
How to install
- Download the ZIP from GitHub.
- Go to Plugins, then Add New, then Upload Plugin.
- Choose the ZIP and click Install Now.
- Activate.
Status note
This is an archived plugin. Originally published on WordPress.org, now maintained on GitHub and reviewed for security. Still works on current WordPress. No new features planned.
File details
License: GPL-2.0-or-later
Tested with: WordPress 6.7 · PHP 8.1+
Format: .zip
Other downloads from this practice
- WP Remove Generator Meta Tag. Another step that gives attackers less to work with.
- Stop Pinging Yourself. Removes self-pingback noise.