wp-config.php is located in the main directory of your WordPress installation and is used by WordPress to access the database.

This file contains your database user ID, password, and database name, unencrypted.

Even though it is a .php file, meaning no one should be able to see its content from the browser, it just doesn’t make sense to me to keep it in the main folder without doing anything about it.

A good solution would be to update your .htaccess to deny access to it.

The most common use of .htaccess in WordPress is setting custom permalinks for better SEO. However, .htaccess can do much more than that, including reducing the attack surface of your site.

Here you can use the <Files> directive to deny access to specific files. This directive works for any file on your website.

Just add the following to the .htaccess file in your www directory:

# to protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Here “deny from all” denies every client access to wp-config.php.

Another example, this time denying access to the .htaccess file itself:

# to protect the .htaccess file itself:
<Files .htaccess>
order deny,allow
deny from all
</Files>
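As an added example (not part of the original post or of WordPress), here is a small Python audit that parses an .htaccess file and reports whether both rules above actually deny every client, so you can check the file after editing it. It understands both the Apache 2.2 Order/Deny syntax used in the post (which Apache 2.4 accepts only when mod_access_compat is loaded) and the native 2.4 form `Require all denied`; the sample .htaccess, the address 203.0.113.7 and the function names are constructed for the demo.

```python
import re

# Files the post says the web server must never serve.
PROTECTED = ("wp-config.php", ".htaccess")

# One <Files name> ... </Files> container; Apache directive names are case-insensitive.
FILES_BLOCK = re.compile(r'<Files\s+"?([^\s">]+)"?\s*>(.*?)</Files>', re.IGNORECASE | re.DOTALL)


def block_denies_all(body: str) -> bool:
    """True if the directives inside a <Files> container deny every client."""
    lines = [ln.strip().lower() for ln in body.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("#")]
    if "require all denied" in lines:  # Apache 2.4 native syntax (mod_authz_core)
        return True
    if "deny from all" not in lines:   # Apache 2.2 syntax (mod_access_compat on 2.4)
        return False
    # With no Allow line, 'deny from all' blocks everyone whatever the Order.
    # With an Allow line the Order decides: 'allow,deny' evaluates Deny last, so it
    # wins; 'deny,allow' (Apache's default) evaluates Allow last, so allowed hosts get in.
    has_allow = any(ln.startswith("allow from") for ln in lines)
    order = next(("".join(ln.split()[1:]) for ln in lines if ln.split()[0] == "order"), "deny,allow")
    return not has_allow or order == "allow,deny"


def audit_htaccess(text: str) -> dict:
    """Map each protected filename to whether some <Files> container denies it to all clients."""
    covered = {name: False for name in PROTECTED}
    for name, body in FILES_BLOCK.findall(text):
        if name in covered and block_denies_all(body):
            covered[name] = True
    return covered


# Constructed sample: wp-config.php is protected as in the post, but the .htaccess rule
# was later "relaxed" with an Allow line under Order deny,allow, so one host can read it.
SAMPLE_HTACCESS = """\
# to protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

# to protect the .htaccess file itself:
<Files .htaccess>
order deny,allow
deny from all
allow from 203.0.113.7
</Files>
"""
```

Calling `audit_htaccess(SAMPLE_HTACCESS)` reports wp-config.php as denied to all and .htaccess as not fully protected.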

To learn more about using your .htaccess for WordPress, check Josiah Cole’s post about having an almost perfect .htaccess file for WordPress. He lists over 10 directives that you can add.