By default, the WordPress configuration file is located in the root of your website. If PHP stops functioning on your web server for any reason, you run the risk of this file being served as plaintext, which exposes your database password and connection details to visitors.
So, where do you move your wp-config.php?
You can safely move the wp-config.php file up out of the root directory, into its parent. This will stop it from ever being accidentally served. WordPress has built-in functionality that will automatically check the parent directory if it cannot find a configuration file.
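In some situations on certain hosts, this is not an option. An alternative on Apache web servers is to add the following to the .htaccess file in the root directory:
# On Apache 2.4 without mod_access_compat, use "Require all denied" instead of "Deny from all".
<FilesMatch "^wp-config\.php$">
    Deny from all
</FilesMatch>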
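To check which of the two protections above a given site actually has, the following added example (not part of the original page or of WordPress) audits a document root on disk. The function names and status strings are hypothetical, the demo tree is constructed, and the check reads files only, so it does not confirm that the server honours .htaccess overrides.

```python
import re
import tempfile
from pathlib import Path

# <Files> or <FilesMatch> section whose argument names wp-config.php
SECTION = re.compile(
    r'<\s*(Files|FilesMatch)\s+[^>]*wp-config\\?\.php[^>]*>(.*?)</\s*\1\s*>',
    re.I | re.S)
# Apache 2.2 ("Deny from all") and 2.4 ("Require all denied") spellings
DENY = re.compile(r'^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$',
                  re.I | re.M)

def htaccess_blocks_config(text):
    """True if a section for wp-config.php denies all access."""
    live = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))
    return any(DENY.search(m.group(2)) for m in SECTION.finditer(live))

def audit(docroot):
    """Classify how wp-config.php is protected for one document root."""
    root = Path(docroot)
    parent = root.parent
    if (root / "wp-config.php").is_file():
        ht = root / ".htaccess"
        if ht.is_file() and htaccess_blocks_config(ht.read_text(errors="replace")):
            return "in-root-denied-by-htaccess"
        return "in-root-served-if-php-fails"
    # WordPress only falls back to the parent directory when that directory
    # is not itself a WordPress install (no wp-settings.php beside the file).
    if ((parent / "wp-config.php").is_file()
            and not (parent / "wp-settings.php").exists()):
        return "moved-above-root"
    return "config-not-found"

if __name__ == "__main__":
    # Constructed demo tree: config in the web root, then the deny rule added.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        root.mkdir()
        (root / "wp-config.php").write_text("<?php // constructed sample\n")
        print(audit(root))
        (root / ".htaccess").write_text(
            '<FilesMatch "^wp-config\\.php$">\nDeny from all\n</FilesMatch>\n')
        print(audit(root))
```

A misspelled section name such as `<FileMatch>` is not counted as protection, since Apache does not recognise it.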