File and Folder Access Check - Checking if configuration.php is outside of public html

There are several ways to protect such sensitive files from public access, but most of them are not very practical. A good way to protect your configuration.php file is to simply move it to a non-public folder. Note, however, that this is not a simple copy-and-paste operation: certain modifications have to be made. Below we provide step-by-step instructions on how to achieve this.

Step 1: Move configuration.php to a safe directory outside of public_html.

Step 2: You will have to modify the /includes/defines.php and /administrator/includes/defines.php files; more precisely, this constant:


If, for example, you wish to move the file up one level and into a folder named "test", the constant will look like this:


Step 3: Make sure the relocated configuration.php is not writable at all, so that it cannot be overwritten by com_config.

Step 4: If you need to change configuration settings, do it manually in the relocated configuration.php.
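The check this page describes, written out as an added example (not code from the original page or from Joomla itself): it reads the JPATH_CONFIGURATION define from a defines.php source string, resolves the folder it points to, and reports whether configuration.php still sits under the web root or is still writable. It assumes the define has Joomla's stock shape (JPATH_ROOT, DIRECTORY_SEPARATOR and string literals joined with "."); the public_html/test layout in demo() is constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile

# Joomla's includes/defines.php contains e.g. define('JPATH_CONFIGURATION', JPATH_ROOT);
DEFINE_RE = re.compile(r"define\(\s*'JPATH_CONFIGURATION'\s*,\s*(.+?)\s*\)\s*;")
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|JPATH_ROOT|DIRECTORY_SEPARATOR")

def resolve_configuration_dir(defines_src, jpath_root):
    """Evaluate the define's value (JPATH_ROOT, DIRECTORY_SEPARATOR, quoted
    literals, '.' concatenation); anything else is ignored, not interpreted."""
    m = DEFINE_RE.search(defines_src)
    if not m:
        raise ValueError("JPATH_CONFIGURATION is not defined")
    parts = []
    for tok in TOKEN_RE.findall(m.group(1)):
        if tok == "JPATH_ROOT":
            parts.append(jpath_root)
        elif tok == "DIRECTORY_SEPARATOR":
            parts.append(os.sep)
        else:
            parts.append(tok[1:-1])  # strip the quotes around a literal
    return os.path.normpath("".join(parts))

def check_configuration(public_html, defines_src):
    """Return findings for steps 1 and 3; an empty list means both checks pass."""
    cfg_dir = resolve_configuration_dir(defines_src, public_html)
    cfg_file = os.path.join(cfg_dir, "configuration.php")
    findings = []
    root = os.path.realpath(public_html)
    if os.path.commonpath([root, os.path.realpath(cfg_dir)]) == root:
        findings.append("configuration.php is inside the web root")
    if not os.path.isfile(cfg_file):
        findings.append("configuration.php not found at " + cfg_file)
    elif os.stat(cfg_file).st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
        findings.append("configuration.php is writable")
    return findings

def demo():
    """Constructed layout: public_html/ plus a sibling 'test' folder as in step 2."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "public_html")
        os.makedirs(root)
        os.makedirs(os.path.join(tmp, "test"))
        stock = os.path.join(root, "configuration.php")         # default, writable
        moved = os.path.join(tmp, "test", "configuration.php")  # relocated, read-only
        for path, mode in ((stock, 0o644), (moved, 0o444)):
            with open(path, "w") as fh:
                fh.write("<?php\n")
            os.chmod(path, mode)
        before = check_configuration(root, "define('JPATH_CONFIGURATION', JPATH_ROOT);")
        after = check_configuration(root, "define('JPATH_CONFIGURATION', JPATH_ROOT . '/../test');")
        return before, after
```

Run check_configuration() against the real site root and the contents of both defines.php files; the two files should resolve to the same folder.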


Using this method, even if the web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file. Even taking into account the downside of not being able to adjust the global settings from the administrator, it is still a good method of protecting against malicious attacks.