I started digging a bit to see if there were any elegant solutions to this (some people had some decent hacks/options) but I found out that as of v2.6 that you can move your wp-config.php file up a level and WP should find it fine. That’s awesome! I’m surprised it took them that long to implement something like that – but better late than never and all that.

Upon discovering this news, I went through and moved all of my wp-config.php files up a level outside of the document root. I even modified some of the file structures on my server to better accommodate this change. I think the added security is worth it. The last thing I need is an open door for pwnage.

The only problem is for people that don’t install WP in their document root. If you install it deeper, then moving the wp-config.php up a level solves nothing. In those cases, users should definitely pay close attention to file permissions and consider other security measures – such as .htaccess edits to deny access to wp-config.php and modifying wp-config.php to include/require a file outside of your document root with your DB details in it.

You can never be too safe.