We will explain the contents of wp-config.php, the danger of this file being leaked, and how to protect it.


What is wp-config.php and what happens if wp-config.php is viewed by outside hackers?

wp-config.php is a file that contains settings related to WordPress.
The most important information contained in this file is the database connection settings.

Database connection URL
Database user name
Database password

What happens if database connection information is compromised?

If the database connection information is compromised, it is possible to connect to the database used by WordPress.
However, many servers do not allow external connections to the database.
(You can only connect via a program on that server.)

Therefore, even if the database connection information in wp-config.php is compromised, it is difficult for malicious activity to take place unless database connection software such as phpMyAdmin is on the server.

However, if a hacker were somehow able to obtain the database data, the IDs and e-mail addresses of WordPress users, including the administrator user, would be exposed.
The passwords of these users are encrypted, though, so even if the database information is compromised, the hacker will not be able to log in to WordPress with it.

To hijack WordPress administrator privileges and conduct malicious or hacking activities, it is necessary to go further and modify the database, for example by rewriting user passwords or creating rogue administrator users.

Protecting wp-config.php

A relatively simple and common way to protect wp-config.php is to add a setting that makes wp-config.php inaccessible from the outside to the .htaccess file, the file in the folder where WordPress is installed that holds server configuration settings.

# Deny all HTTP requests for wp-config.php (Apache 2.4 syntax)
<FilesMatch "wp-config\.php">
Require all denied
</FilesMatch>

It is also important to set the file permissions of wp-config.php appropriately.
Connect to the server with FTP software and set the permissions to 600 or 400.

Please note that if you set the permission to 400, you will not be able to write .htaccess files, which may cause errors when plug-ins write their settings or server settings are written.

It is also important for security that the AUTH_KEY, SECURE_AUTH_KEY, and LOGGED_IN_KEY fields in wp-config.php are always set to long random strings.
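The permission and key checks above can be automated. The following is an added example, not code from the original article: the function names, the 32-character minimum (the article only says "long") and the sample file contents are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY")  # the three named above
PLACEHOLDER = "put your unique phrase here"  # default in wp-config-sample.php
MIN_LEN = 32  # assumption: the article only says "long"
# Simple matcher for define('NAME', 'value'); it does not skip commented-out lines.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")


def audit_wp_config(path):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode not in (0o600, 0o400):
        findings.append(f"permissions are {mode:o}, expected 600 or 400")
    with open(path, encoding="utf-8", errors="replace") as fh:
        defined = {m.group(1): m.group(3) for m in DEFINE_RE.finditer(fh.read())}
    for key in KEYS:
        value = defined.get(key)
        if value is None:
            findings.append(f"{key} is not defined")
        elif value == PLACEHOLDER:
            findings.append(f"{key} is still the sample placeholder")
        elif len(value) < MIN_LEN:
            findings.append(f"{key} is only {len(value)} characters long")
    return findings


def demo():
    """Audit a constructed weak config, then the same file after fixing it."""
    weak = ("<?php\n"
            "define( 'AUTH_KEY', 'put your unique phrase here' );\n"
            "define( 'SECURE_AUTH_KEY', 'short' );\n")  # constructed sample
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wp-config.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(weak)
        os.chmod(path, 0o644)
        before = audit_wp_config(path)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<?php\n" + "".join(
                f"define( '{k}', '{os.urandom(32).hex()}' );\n" for k in KEYS))
        os.chmod(path, 0o600)
        return before, audit_wp_config(path)
```

Call audit_wp_config() with the path to a real wp-config.php on the server; demo() only exercises it against a temporary file.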

Reference
What is the unique authentication key in WordPress wp-config.php used for?

You can also protect wp-config.php with easy security settings.

[Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal]