What Are Sensitive Files in WordPress?
WordPress stores essential configuration data and server instructions in a few key files, such as:
- wp-config.php – contains your database credentials and security keys.
- .htaccess – controls how your site behaves on the server.
- readme.html or license.txt – gives away your WordPress version.
- .user.ini – used by some hosting environments for PHP settings.
- error_log or debug.log – reveals internal issues and file paths.
If any of these files are accessible publicly, a hacker can use them to gather information about your site’s structure, software versions, or even credentials — and exploit that data to take over your website.
The Risks of Leaving Critical WordPress Files Unprotected
Even if you’re running the latest WordPress version, leaving these files exposed is like showing your website’s blueprint to anyone who asks.
For example:
- If a hacker accesses your wp-config.php, they can extract your database login information.
- If they see your readme.html, they instantly know what WordPress version you’re using, and can search for vulnerabilities specific to it.
- If error_log or .user.ini files are exposed, they might reveal file paths or plugin conflicts hackers can exploit.
These files don’t need to be accessed by the public, and that’s exactly why you should block them.
How to Block Sensitive File Access Using WordPress Manager
STEP 1: Log in to your cPanel.
There are three methods to log in to your cPanel.
- Method 1: Log in to your cPanel directly.
- Method 2: Log in to your cPanel through your Customer Portal.
  - Log in to your Customer Portal.
  - Click on "Log in to cPanel".
- Method 3: Log in using the details sent to your email.
  - When you purchase a hosting plan, your cPanel login details (including username, password, and cPanel URL) are automatically sent to your registered email address. Simply check your inbox (or spam folder), locate the email, and use the provided credentials to access your cPanel.
STEP 2: Locate the Software section and click on Softaculous Apps Installer.
STEP 3: Click the box for Installations.
An alternative is to select the “All Installations” icon from the menu in the upper-right corner.
STEP 4: Click the WordPress icon next to the installation you want to manage.
STEP 5: In WordPress Manager, select the website you want to secure.
STEP 6: Scroll to the Security Measures section.
STEP 7: Check the box for “Block access to sensitive files”, and click Apply.
Once applied, your server will prevent anyone from accessing key files like:
- wp-config.php
- .htaccess
- readme.html
- .user.ini
- error_log and similar files
This keeps your critical data and server behavior completely hidden from public view.
What Happens After You Apply This?
After enabling this setting:
- Your site continues to run normally.
- Visitors (and bots) attempting to access these files will be denied.
- Hackers can no longer use these files to detect your site’s structure, database details, or WordPress version.
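To confirm the setting took effect on your own site, request each file from outside and check that the server refuses it. The script below is an added example, not part of the original article or of Softaculous; the verdict names, the injectable `fetch` parameter, the file name `check_files.py`, and the choice to count 401/403/404/410 as blocked are assumptions of this example.

```python
"""Confirm that the files this article lists are denied to public requests."""
import sys
import urllib.error
import urllib.request

# Files named in the article. wp-content/debug.log is WordPress's default
# debug log location; adjust the list if your logs live elsewhere.
SENSITIVE_PATHS = [
    "wp-config.php", ".htaccess", "readme.html", "license.txt",
    ".user.ini", "error_log", "wp-content/debug.log",
]

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # report the 3xx itself instead of following it

def http_status(url, timeout=10):
    """GET the URL and return its status code without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def classify(status):
    """Map a status code to a verdict for a file that should be private."""
    if status in (401, 403, 404, 410):
        return "blocked"  # denied, or not present at that path
    if 200 <= status < 300:
        # Served, so the block is not in effect. For a .php file the body
        # may be empty because PHP executes it, but the request got through.
        return "reachable"
    return "inconclusive"  # redirects, 5xx, challenge pages: check by hand

def audit(base_url, fetch=http_status):
    """Return {path: verdict}; `fetch` is injectable so this can run offline."""
    base = base_url.rstrip("/") + "/"
    return {path: classify(fetch(base + path)) for path in SENSITIVE_PATHS}

if __name__ == "__main__" and len(sys.argv) == 2:
    results = audit(sys.argv[1])  # python check_files.py https://your-site.example
    for path, verdict in results.items():
        print(f"{verdict:13} {path}")
    sys.exit(1 if "reachable" in results.values() else 0)
```

A non-zero exit status means at least one file was served; an "inconclusive" line needs a manual look at where the redirect or error leads.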
Frequently Asked Questions (FAQs)
Q: Does this block access for me too?
No. These restrictions apply only to external/public access via the browser. You and your server processes still have full access internally.
Q: Will this affect SEO or frontend performance?
Not at all. These files are not meant to be crawled or displayed publicly, so blocking them has zero impact on search rankings or user experience.
Q: Can I undo this if needed?
Yes. You can revert the change at any time in WordPress Manager with a single click.
If you need help, kindly reach out to LyteHosting support.