White screen of death on admin pages after moving wp-config up two levels for security

I moved the wp-config to the hosting root and put it in a new directory and then I included it from the WordPress directory like so: include("../../my-fast-cars/fast-cars.php"); this gave me white screen of death on admin pages and some other pages, moving wp-config back to the WordPress directory immediately solved it. What could I be doing wrong?

I moved the wp-config to the hosting root and put it in a new directory and then I included it from the WordPress directory like so: include("../../my-fast-cars/fast-cars.php"); this gave me white screen of death on admin pages and some other pages, moving wp-config back to the WordPress directory immediately solved it. What could I be doing wrong?

• security
• wp-config

Share Improve this question asked Feb 14, 2019 at 16:53 BootUpBootUp 2511 silver badge55 bronze badges 5

• Also, there was no problem in moving it up just one level from the WordPress directory. – BootUp Commented Feb 14, 2019 at 16:56
• Most likely because the site was cached, and it wouldn't have continued to work. Why do you need to move it? – WebElaine Commented Feb 14, 2019 at 17:04
• For extra security. No cache was cleared. WordPress automatically looks for wp-config one level up. – BootUp Commented Feb 14, 2019 at 17:42
• I don't see a security need to do that. (And this is more of an opinion, than an answer.) But, for a pro/con discussion of this issue, see wordpress.stackexchange/questions/58391/… . – Rick Hellewell Commented Feb 14, 2019 at 17:54
• @BootUp WP only looks 1 level up, it doesn't look 2 levels up – Tom J Nowell ♦ Commented Feb 14, 2019 at 23:58

Add a comment  | 

2 Answers 2

Sorted by: Reset to default 3

wp-config.php includes files, it's not just a config file, and WordPress isn't built to allow putting the file 2 levels up.

However, WordPress already supports loading wp-config.php from 1 level up.

With all of this in mind though, this is only really a protection if you're worried about mis-configuring your server. Unless PHP execution is turned off, which would be a major issue in of itself, wp-config.php won't leak any information.

this gave me white screen of death on admin pages and some other pages

A WSOD is a HTTP 500 error code, to see the real error message you have to look in the PHP error logs. It's the difference between a plane disappearing, and finding its flight recorder/black box.

wp-config needs to be accessible to the public.. I'm guessing that 2 levels up means above the public_html folder (cpanel) at the /home level. If you found a work around to allow access to it at that level you're potentially compromising security. Best to leave it at the same, or only one level up.