Shock Teenage Gangsters with wp-config Redirect

Funny email from a reader, that I figured would make a good post:

This is a funny redirect. I get one or two visits a day from teenage gangsters trying to enter my server by checking if a wp-config-file exists that is no longer the newest version. I got best panic results by linking to the Russian IT-Counter-intelligence Agency.

NOTE: You should NOT use this if you are ACTUALLY using WordPress. Also, I updated it to the FBI since that Russian site went down.

Redirect 301 /wp-config.php
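An added example, not part of the original post or the reader's email: on a site that does not run WordPress, every request for /wp-config.php is a probe, so the redirected path doubles as a canary worth watching in the access log. The Python below assumes Apache's combined log format; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client, identity, user, [time], "request", status, size, ...
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) \S+'
)

DECOY_PATHS = {"/wp-config.php"}  # the path redirected by the snippet above


def decoy_hits(lines, decoys=DECOY_PATHS):
    """Return {client: [(time, method, target, status), ...]} for decoy requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at their fields
        path = m["target"].split("?", 1)[0]  # compare the path only, not the query
        if path in decoys:
            hits[m["client"]].append(
                (m["time"], m["method"], m["target"], int(m["status"]))
            )
    return dict(hits)


def summarize(hits):
    """Clients sorted by number of decoy requests, most active first."""
    return sorted(((c, len(v)) for c, v in hits.items()), key=lambda x: (-x[1], x[0]))


# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/Sep/2009:10:01:02 +0000] "GET /wp-config.php HTTP/1.1" 301 245 "-" "curl/7.19"',
    '198.51.100.4 - - [22/Sep/2009:10:02:10 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [22/Sep/2009:10:03:30 +0000] "GET /wp-config.php?x=1 HTTP/1.1" 301 245 "-" "curl/7.19"',
    '192.0.2.55 - - [22/Sep/2009:11:15:00 +0000] "HEAD /wp-config.php HTTP/1.0" 301 - "-" "-"',
    'garbage line that is not a log entry',
]

if __name__ == "__main__":
    for client, count in summarize(decoy_hits(SAMPLE_LOG)):
        print(f"{client}\t{count} decoy request(s)")
```
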


  1. This is such a funny prank. Well done!

  2. I have got to use this one. Brilliant idea!

  3. Funny : )

  4. That is an awesome redirect! Serves them right!

  5. I’m going to use this!

  6. chris

    Love the idea..

    but looks like is no longer there …

    or.. at least 404ed today 09.22.2009

  7. I don’t understand the note at the top:

    “NOTE: You should NOT use this if you are ACTUALLY using WordPress.”

    Please clarify.
    Can I use this on my wordpress blog?
    If not, why?

    • Because if you ARE using wordpress, it needs to access that wp-config file in order to work, not be redirected away.

    • Of course it does, but PHP loads the file (any include for that matter) locally, right from the file system. Apache has nothing to do with that. It’s no problem to use this even if you do run WordPress.

      Besides, wp-config.php should never be accessible from inside the document root anyway.

    • Sorry, bit of a late reply, but I just had to say something. Far too often made mistake. ;-)

    • Chris what do you mean by “if you are ACTUALLY using WordPress”? Wouldn’t the only people using this snippet be WordPress users and therefore people ACTUALLY using WordPress, making this snippet useless then? I’m confused. Could you please give me an example of someone not ACTUALLY using WordPress and someone ACTUALLY using WordPress?

    • I’m confused about how this is confusing ;)

      “Actually” using WordPress means downloading and installing WordPress on your server and building your site with it. If you do that, don’t use this. If you don’t do that, that means you aren’t using WordPress, and can use this cheezy snippet to mess with kiddy hackers who might assume that you are (running WordPress) and are trying to hack you by accessing that file.

  8. SVR

    СВР (SVR) – Foreign Intelligence Service

  9. SO GOOD, thx.

  10. Uhahaha! Wonderful trick :D

  11. Show those hackers what’s upppp

  12. I think I’ll send them to

  13. Mark Gason

    so who is correct??????
    “NOTE: You should NOT use this if you are ACTUALLY using WordPress”
    or Colin Helvensteijn
    “Of course it does, but PHP loads the file (any include for that matter) locally, right from the file system. Apache has nothing to do with that. It’s no problem to use this even if you do run WordPress.”

  14. Christian Ramsey

    I would also like to know who is correct.

  15. It’s very easy:

    Wordpress works via PHP and can use the wp-config.php file.
    That’s how PHP works.
    So, WordPress can use the wp-config.php file without any problem.

    A surfer tries to view (via Explorer, Firefox etc.) the wp-config.php ( THEN he will be redirected via this funny trick.

  16. Haha I like this, I think I’m deff going to add that to my .htaccess =)

  17. Just found this and I think it’s awesome. I’ve always wanted to do something like this.

    In my robots file I have some fake entries too and I often see people going to them.

    Now I’m going to redirect them to

  18. This is very well done! I love the humor! I’ll be adding this to my WordPress Site.

  19. Thanks very much for this! I’ve added as well.

  20. Now you have got me confused! Help!
    I am learning how to setup a WordPress site using your 3 episode series.

    How do i protect my site against hackers?

  21. If I wrote my website from scratch on Coda, then is there any way to do this?

  22. I think the best protection of wp-config file is to put it on the parent directory of www or public_html as WP still knows where to get it from but it’s not accessible through the frontpage.

  23. I’ve got the best idea:

  24. One thing – why 301? Why to give a “power” to redirect location? Why just not to do normal redirect? ;)

  25. Ha ha, very good one, I did something similar with my wireless network. I named it after a very famous devastating virus online, so if you want to hack my wireless, you may want to think it twice!

    Good job.

  26. Anthony L.

    Okay. This is rather late of a reply, but oh what the hell. In case someone can’t figure out what the above says, I’ll break it down. …Not that I’d know just why you would be doing web development if you can’t understand this basic instruction here.

    This is a prank. It is a joke. It is intended to fool people who THINK you use WordPress. Sure, it will work if you still run WordPress, but you will cause issues when your server accesses that specific file.

    So if you are running a site on nothing but your own HTML, CSS, PHP, Javascript and whatever else, and you aren’t using WordPress, then use this. If someone tries to mess with your site thinking you actually run that platform, they’ll be redirected.

    Makes sense? Sweet. If not…. Maybe you shouldn’t be trying web development. Or take a few English classes. Or hell – learn WordPress if you can’t infer why this might be a bad move to implement on a WordPress-powered site.

  27. DrunkCoder

    I really don’t understand why I can’t use this on WordPress site…
    When and where WordPress makes a HTTP request to wp-config.php?!
    It is included in PHP and PHP doesn’t care about .htaccess, Apache, etc.
    Or you say if I will redirect all my users to WWW prefix of my site (force WWW in domain mby for SEO), PHP will include files from WWW directory or other directory? I don’t think so :)

  28. I would presume the comment not to use is based on the fact that most often people would not know how to access their config in several different ways. Personally I SSH to my server so thumbs up to this prank :)

  29. This is awesome. Thanks Chris!

  30. Shane

    Chris, why have you said that you should not actually use this if you have WP?
    If you have a look at the PHP code for WP, you see that it includes the wp-config.php file, as it should. It does not make a web request then eval the response – that would be dangerous. It would also be the only way for this htaccess prank to affect WP.

    The file is loaded using the file system which is not affected by htaccess. Therefore, this is completely safe for use in WP environments. But don’t take my word for it, give it a go yourself.

  31. Jão

    It would be even funnier to redirect to a goatse… If you don´t know what a goastse is, don´t look it up unless you´ve got a really strong stomach and sick/twisted sense of humour!
