Step 1: wp-config.php is located in the root directory of your WordPress installation and is used by WordPress to connect to the database.
Step 2: This file contains your database user ID, password, and database name in plain text, unencrypted.
Step 3: Even though it is a .php file, meaning no one should be able to view its contents from a browser, it just doesn’t make sense to me to leave it in the main folder without doing anything about it.
Step 4: The most common use of .htaccess in WordPress is setting custom permalinks for better SEO. However, .htaccess can also be used to further reduce the exposure of your site.
Step 5: A good solution is to update your .htaccess to deny web access to wp-config.php. Here you can use the Files directive (<Files>) to deny access to specific files. You can use this directive for any file on your website.
Step 6: Just add the following to your .htaccess under the www directory:
# to protect wp-config.php
<Files wp-config.php>
deny from all
</Files>
Here “deny from all” denies everyone HTTP access to wp-config.php; PHP still reads the file from disk, so WordPress keeps working.
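As an added example (not from the original post), here is the same rule written to work on both Apache 2.2 and 2.4: "deny from all" is 2.2 syntax and returns a 500 error on 2.4 unless mod_access_compat is loaded, while 2.4 uses "Require all denied". It assumes wp-config.php sits in the WordPress root next to this .htaccess and that the server's AllowOverride setting permits Limit/AuthConfig overrides for that directory.

```apache
# Block every HTTP request for wp-config.php, whatever the client address.
# This only affects requests served by Apache; PHP still reads the file
# from disk, so the site keeps working.
<Files "wp-config.php">
    # Apache 2.4: mod_authz_core syntax
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (or 2.4 with mod_access_compat loaded): legacy syntax
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

To check it, request the file directly (for example, curl -I https://example.com/wp-config.php) and confirm the response is 403 Forbidden rather than 200 or 500.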