If you have no choice but to keep it in the web root, use .htaccess to deny access:
Uses wp-config.php to manage database connections and security "salts."

config.php

// Database
$config['db']['host'] = ($env === 'development') ? 'localhost' : 'prod-db-server.com';
$config['db']['user'] = 'app_user';
$config['db']['pass'] = 'super-secret-password';
$config['db']['name'] = 'my_application';
files) or check the server hostname to load different configuration sets. (Stack Overflow)

2. Advanced Global Variables

$config['db']['user'] = 'app_user'
store config.php inside the public web root. Place it above the web root.