Tips & Tricks
Secure Joomla
Move your config file outside of webroot
This tip explains how to move your configuration.php file outside of your webroot, and how to make it unwritable by the server. That makes it nearly impossible for someone to corrupt or gain access to the information in the file.
The first step is to move the file. If you use a host with cPanel, then your webroot is /home/USERNAME/public_html, where USERNAME is your cPanel username. (The tip is easy to adapt to other hosting environments too; ask us if you are not sure how!) Joomla can access files located at /home/USERNAME, but those files cannot be directly accessed from the Internet. Log in to your favorite FTP program and download your configuration.php from /home/USERNAME/public_html/configuration.php. Rename it to 'site.conf', then upload it to /home/USERNAME/site.conf.
Now that we've uploaded it to the new location we need to edit the original configuration.php file. Open it in your favorite text editor and replace the contents of the file with the following:
<?php require( '/home/USERNAME/site.conf' ); ?>
Make sure to replace USERNAME with your cPanel username. Then upload the new file to /home/USERNAME/public_html/configuration.php. At this point your site should still function normally.
Next, we need to make the file unwritable by the server. Most FTP programs allow you to do this. Right-click on the /home/USERNAME/site.conf file, select the option to edit permissions (normally 'Permissions' or 'Info') and remove write access, i.e. change the permissions from 644 to 444. The server can still read the file without any problems, but it will not be able to edit it.
If you ever need to edit the file you will need to change the permissions back to 644 before making your changes.
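The same steps carried out from a shell on the server (for example over SSH) instead of an FTP client, as an added example that is not part of the original tip. WEBROOT and CONFDIR are assumptions standing in for /home/USERNAME/public_html and /home/USERNAME; the functions refuse to overwrite an existing site.conf or to accept a destination that is still under the webroot, and a second function verifies the result.

```shell
#!/bin/sh
# Added example, not from the original tip. Paths are passed in as arguments
# (assumed: WEBROOT=/home/USERNAME/public_html, CONFDIR=/home/USERNAME).
set -u

# move_joomla_config WEBROOT CONFDIR
# Copies WEBROOT/configuration.php to CONFDIR/site.conf, replaces the original
# with a require stub and makes the moved file read-only (444).
move_joomla_config() {
    webroot=$1
    confdir=$2
    src="$webroot/configuration.php"
    dst="$confdir/site.conf"

    # A destination under the webroot would still be reachable from the Internet.
    case "$dst" in
        "$webroot"/*) echo "refusing: $dst is inside $webroot" >&2; return 1 ;;
    esac
    [ -f "$src" ] || { echo "missing $src" >&2; return 1; }
    [ -d "$confdir" ] || { echo "missing directory $confdir" >&2; return 1; }
    # Running twice would copy the stub over the real settings; refuse instead.
    [ ! -e "$dst" ] || { echo "refusing: $dst already exists" >&2; return 1; }

    cp -p "$src" "$dst" || return 1
    # The stub is all that remains inside the webroot (path must not contain a quote).
    printf "<?php require( '%s' ); ?>\n" "$dst" > "$src" || return 1
    # 444: the web server can still read the settings but can no longer write them.
    chmod 444 "$dst"
}

# check_joomla_config WEBROOT CONFDIR
# Returns 0 when the stub points at CONFDIR/site.conf, the stub is a single
# line (the original settings are gone) and site.conf is mode 444.
check_joomla_config() {
    src="$1/configuration.php"
    dst="$2/site.conf"
    grep -qF "require( '$dst' )" "$src" || return 1
    [ "$(wc -l < "$src" | tr -d ' ')" -eq 1 ] || return 1
    # Mode bits from ls rather than test -w, which is always true for root.
    [ "$(ls -ld "$dst" | cut -c1-10)" = "-r--r--r--" ] || return 1
}
```

To edit the settings later, `chmod 644` the moved file first, as described above, and set it back to 444 afterwards.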
In Joomla 1.5 and newer you can achieve the same result another way. In includes/defines.php (and likewise in administrator/includes/defines.php) find the line:
define('JPATH_CONFIGURATION',JPATH_ROOT);
Replace it with this:
define('JPATH_CONFIGURATION',JPATH_ROOT.DS.'../design2-files');
If Joomla has been installed in a subdirectory under public_html ( public_html/subdirectory/ ), then replace it with this:
define('JPATH_CONFIGURATION',JPATH_ROOT.DS.'../../design2-files');
Starting with version 1.6, it is possible to provide local override copies of the defines files (includes/defines.php and administrator/includes/defines.php). This makes it possible to move a variety of files outside of the document root.
The actual process is quite simple, but make sure you know what you're doing before proceeding.
To start, copy the file {ROOT}/includes/defines.php to {ROOT}/defines.php and the file {ROOT}/administrator/includes/defines.php to {ROOT}/administrator/defines.php.
Once you have copied the files, it is necessary to edit both new files and add the lines:
define('_JDEFINES', 1);
define('JPATH_BASE', dirname(__FILE__));
underneath the defined('_JEXEC') or die; line.
Now that you have created override files, you can edit them and provide new locations for various directories. The directory we're interested in is JPATH_CONFIGURATION. The default value is defined as:
define('JPATH_CONFIGURATION', JPATH_ROOT);
To put the configuration file in another location, move the file to its new home and specify the new path. As an example, if your files were in /home/exampleuser/public_html and you wanted to put configuration.php in /home/exampleuser/configuration.php, you would change the JPATH_CONFIGURATION define line to:
define('JPATH_CONFIGURATION', '/home/exampleuser');
Make this change in both files, move the configuration.php file and you're done.