Move the configuration files outside of public_html

Tuesday, 21 July 2009 21:55

One of the most important security measures in Joomla! is ensuring that certain PHP files in public_html containing executable code or confidential data are protected from direct Internet access.

There are various ways to protect such files, including modifying the .htaccess file. Many users and developer groups strongly recommend NOT keeping vulnerable files and confidential data inside public_html at all. The following method seems to be the simplest and most elegant way to protect read-only files that, for whatever reason, must be stored in public_html. In this example we protect configuration.php, perhaps the most confidential file of any Joomla! site.

You should follow these instructions only after your website is stable enough and doesn't require frequent updates, especially to the configuration file, since after you apply the steps below you won't be able to edit your configuration from the Joomla! interface; you will have to edit the relocated configuration file directly. Despite this inconvenience you are strongly encouraged to protect your confidential files.

Here is how to do it.

1. Move configuration.php to a safe directory outside of public_html and rename it whatever you want. We use the name joomla.conf in this example.

2. Create a new configuration.php file containing only the following code:

<?php
// Stub only: the real settings live in ../joomla.conf, outside public_html
require( dirname( __FILE__ ) . '/../joomla.conf' );
?>


Do not include blank lines above the PHP start tag "<?php". Such blank lines are sent to the browser as output and will trigger the infamous "headers already sent" error, e.g.:

Warning: Cannot modify header information - headers already sent 
by (output started at /home/xxxxx/public_html/configuration.php:2) 
in /home/xxxxx/public_html/index.php on line 250

3. Make sure this new configuration.php is not writable at all, so that it cannot be overwritten by com_config (the Global Configuration screen).

4. If you need to change configuration settings, do it manually in the relocated joomla.conf.
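The four steps above, carried out by a POSIX shell script, as an added example that is not part of the original article. It assumes the same layout as the article: the private file joomla.conf is written to the parent directory of public_html, and the stub refers to it as ../joomla.conf. The check_stub function verifies the two properties the article insists on: the file starts with the PHP open tag (no leading blank line) and carries no write bit.

```shell
#!/bin/sh
# Added example (not the article's own code): relocate configuration.php
# out of public_html, leave a read-only stub behind, and verify the result.
set -e

# relocate_config <path-to-public_html>
# Assumes joomla.conf goes to the parent of public_html, as in the article.
relocate_config() {
    docroot="$1"
    orig="$docroot/configuration.php"
    target="$(dirname "$docroot")/joomla.conf"

    [ -f "$orig" ] || { echo "no configuration.php in $docroot" >&2; return 1; }

    # Step 1: move the real configuration outside the web root.
    mv "$orig" "$target"
    chmod 0600 "$target"   # readable only by the account PHP runs as

    # Step 2: write the stub. printf guarantees the file begins with
    # "<?php" and no blank line, which would cause "headers already sent".
    # The closing "?>" is deliberately omitted: PHP does not require it and
    # leaving it out avoids accidental trailing whitespace output.
    printf '%s\n' '<?php' \
        "require( dirname( __FILE__ ) . '/../joomla.conf' );" > "$orig"

    # Step 3: make the stub read-only so com_config cannot overwrite it.
    chmod 0444 "$orig"
}

# check_stub <path-to-stub>: returns 0 when the stub is safe to deploy.
check_stub() {
    stub="$1"
    # First five bytes must be the PHP open tag (no leading blank lines).
    [ "$(head -c 5 "$stub")" = '<?php' ] || return 1
    # The permission string (e.g. -r--r--r--) must contain no write bit.
    mode=$(ls -ld "$stub" | cut -c1-10)
    case "$mode" in *w*) return 1 ;; esac
    return 0
}

# Usage:  relocate_config /home/ACCOUNT/public_html && \
#         check_stub /home/ACCOUNT/public_html/configuration.php
```

Step 4 is then a manual edit of joomla.conf with your editor; the stub never needs to change again. Note that check_stub reads the mode bits rather than using `test -w`, because a root shell reports every file as writable regardless of its permissions.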


Alternatively you can relocate the configuration file to another sub-folder inside the public directory and then secure this sub-folder from unauthorized access using an .htaccess file.
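The alternative layout, as an added example that is not part of the original article: a shell function that creates the protected sub-folder and writes an .htaccess that denies all web access to it. It assumes Apache with AllowOverride enabled for that directory; the directives cover both the Apache 2.4 syntax (Require) and the 2.2 syntax (Order/Deny), and the folder name passed in is the caller's choice.

```shell
#!/bin/sh
# Added example (not the article's own code): deny web access to the
# sub-folder that holds the relocated configuration file.
set -e

# protect_subfolder <path-to-subfolder-inside-public_html>
protect_subfolder() {
    dir="$1"
    mkdir -p "$dir"
    # mod_authz_core exists only in Apache 2.4; the IfModule guards pick
    # the directive set the running server understands.
    cat > "$dir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# htaccess_denies_all <path-to-subfolder>: 0 when both deny rules are present.
htaccess_denies_all() {
    f="$1/.htaccess"
    [ -f "$f" ] || return 1
    grep -q 'Require all denied' "$f" || return 1
    grep -q 'Deny from all' "$f" || return 1
    return 0
}

# Usage:  protect_subfolder /home/ACCOUNT/public_html/private && \
#         htaccess_denies_all /home/ACCOUNT/public_html/private
```

Keep in mind that this only protects against HTTP requests handled by Apache; unlike the move outside public_html, it offers no protection if the directory is ever served by a different web server or if AllowOverride is disabled.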


Note: Using this method, even if the web server somehow delivers the source of PHP files instead of executing them, for example due to a misconfiguration, a visitor only sees the one-line stub and never the contents of the real configuration file.
