Shock Teenage Gangsters with wp-config Redirect

Funny email from a reader, that I figured would make a good post:

This is a funny redirect. I get one or two visits a day from teenage gangsters trying to enter my server by checking if a wp-config-file exists that is no longer the newest version. I got best panic results by linking to the Russian IT-Counter-intelligence Agency.

NOTE: You should NOT use this if you are ACTUALLY using WordPress. Also, I updated it to the FBI since that Russian site went down.

Redirect 301 /wp-config.php


  1.

    This is such a funny prank. Well done!

  2. Daniel Groves

    I have got to use this one. Brilliant idea!

  3.

    Funny : )

  4.

    That is an awesome redirect! Serves them right!

  5.

    I’m going to use this!

  6.

    Love the idea..

    but looks like is no longer there …

    or.. at least 404ed today 09.22.2009

  7.

    I don’t understand the note at the top:

    “NOTE: You should NOT use this if you are ACTUALLY using WordPress.”

    Please clarify.
    Can I use this on my wordpress blog?
    If not, why?

    • Chris Coyier

      Because if you ARE using wordpress, it needs to access that wp-config file in order to work, not be redirected away.

    • Colin Helvensteijn

      Of course it does, but PHP loads the file (any include for that matter) locally, right from the file system. Apache has nothing to do with that. It’s no problem to use this even if you do run WordPress.

      Besides, wp-config.php should never be accessible from inside the document root anyway.

    • Colin Helvensteijn

      Sorry, bit of a late reply, but I just had to say something. Far too often made mistake. ;-)

    • Ethan Kramer

      Chris what do you mean by “if you are ACTUALLY using WordPress”? Wouldn’t the only people using this snippet be WordPress users and therefore people ACTUALLY using WordPress, making this snippet useless then? I’m confused. Could you please give me an example of someone not ACTUALLY using WordPress and someone ACTUALLY using WordPress?

    • Chris Coyier

      I’m confused about how this is confusing ;)

      “Actually” using WordPress means downloading and installing WordPress on your server and building your site with it. If you do that, don’t use this. If you don’t do that, that means you aren’t using WordPress, and can use this cheezy snippet to mess with kiddy hackers who might assume that you are (running WordPress) and are trying to hack you by accessing that file.

  8.
    СВР (SVR) – Foreign Intelligence Service

  9.

    SO GOOD, thx.

  10.

    Uhahaha! Wonderful trick :D

  11. Devin Walker

    Show those hackers what’s upppp

  12. Regina Smola

    I think I’ll send them to

  13. Mark Gason

    so who is correct??????
    “NOTE: You should NOT use this if you are ACTUALLY using WordPress”
    or Colin Helvensteijn
    “Of course it does, but PHP loads the file (any include for that matter) locally, right from the file system. Apache has nothing to do with that. It’s no problem to use this even if you do run WordPress.”

  14. Christian Ramsey

    I would also like to know who is correct.

  15.

    It’s very easy:

    WordPress works via PHP and can use the wp-config.php file.
    That’s how PHP works.
    So, WordPress can use the wp-config.php file without any problem.

    A surfer tries to view (via Explorer, Firefox etc.) the wp-config.php ( THEN he will be redirected via this funny trick.

  16.

    Haha I like this, I think I’m deff going to add that to my .htaccess =)

  17.

    Just found this and I think it’s awesome. I’ve always wanted to do something like this.

    In my robots file I have some fake entries too and I often see people going to them.

    Now I’m going to redirect them to

  18.

    This is very well done! I love the humor! I’ll be adding this to my WordPress Site.

  19.

    Thanks very much for this! I’ve added as well.

  20.

    Now you have got me confused! Help!
    I am learning how to setup a WordPress site using your 3 episode series.

    How do i protect my site against hackers?

  21.

    If I wrote my website from scratch on Coda, then is there any way to do this?

  22.

    I think the best protection of wp-config file is to put it on the parent directory of www or public_html as WP still knows where to get it from but it’s not accessible through the frontpage.

  23. Avinash Dwarapu

    I’ve got the best idea:

  24.

    One thing – why 301? Why to give a “power” to redirect location? Why just not to do normal redirect? ;)

  25.

    Ha ha, very good one, I did something similar with my wireless network. I named it after a very famous devastating virus online, so if you want to hack my wireless, you may want to think it twice!

    Good job.

  26. Anthony L.

    Okay. This is rather late of a reply, but oh what the hell. In case someone can’t figure out what the above says, I’ll break it down. …Not that I’d know just why you would be doing web development if you can’t understand this basic instruction here.

    This is a prank. It is a joke. It is intended to fool people who THINK you use WordPress. Sure, it will work if you still run WordPress, but you will cause issues when your server accesses that specific file.

    So if you are running a site on nothing but your own HTML, CSS, PHP, Javascript and whatever else, and you aren’t using WordPress, then use this. If someone tries to mess with your site thinking you actually run that platform, they’ll be redirected.

    Makes sense? Sweet. If not…. Maybe you shouldn’t be trying web development. Or take a few English classes. Or hell – learn WordPress if you can’t infer why this might be a bad move to implement on a WordPress-powered site.

  27.

    I really don’t understand why I can’t use this on WordPress site…
    When and where does WordPress make an HTTP request to wp-config.php?!
    It is included in PHP, and PHP doesn’t care about .htaccess, Apache, etc.
    Or are you saying that if I redirect all my users to the WWW prefix of my site (force WWW in the domain, maybe for SEO), PHP will include files from a WWW directory or some other directory? I don’t think so :)

  28. Saku Mättö

    I would presume the comment not to use is based on the fact that most often people would not know how to access their config in several different ways. Personally I SSH to my server so thumbs up to this prank :)

  29.

    This is awesome. Thanks Chris!

  30.

    Chris, why have you said that you should not actually use this if you have WP?
    If you have a look at the PHP code for WP, you see that it includes the wp-config.php file, as it should. It does not make a web request then eval the response – that would be dangerous. It would also be the only way for this htaccess prank to affect WP.

    The file is loaded using the file system which is not affected by htaccess. Therefore, this is completely safe for use in WP environments. But don’t take my word for it, give it a go yourself.

  31.

    It would be even funnier to redirect to a goatse… If you don’t know what a goatse is, don’t look it up unless you’ve got a really strong stomach and sick/twisted sense of humour!

  32.

    So to anyone wondering about the comments vis-à-vis:

    You should NOT use this if you are ACTUALLY using WordPress. … Because if you ARE using wordpress, it needs to access that wp-config file in order to work, not be redirected away.

    Chris perhaps was assuming the apache server would deny itself access to wp-config.php via a 301 redirect set in htaccess. This makes no sense because php running on a server doesn’t make TCP/IP requests to itself on the same local machine. The set of php files do their thing and allow access to the database, and this separation is what protects said DB.

    In fact, this is often used to bolster the security of WordPress’s database-password-containing wp-config.php file:

    # Deny access to wp-config.php file
    # (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead)
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    PHP compiles on the server, “pre-processed” before any hypertext access (or “htaccess”). The name PHP itself is a nerdy inside joke in that the acronym itself was pre-processed since it’s supposed to stand for “pre-processed hypertext” which would ordinarily be “PPH”.
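
To see how often the wp-config.php requests described in the post arrive and how the server answered each one, the access log can be summarised as below. This is an added example, not code from the original post or its commenters; the log lines are constructed, and the function names and the "served-body" heuristic are assumptions. A 301 means a Redirect rule answered, and a 403 means a deny rule like the one quoted in comment 32 did.

```python
import re
from collections import defaultdict

# Constructed sample in Apache "combined" format; IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2009:10:01:02 +0000] "GET /wp-config.php HTTP/1.1" 301 240 "-" "probe/1.0"
203.0.113.7 - - [22/Sep/2009:10:01:03 +0000] "GET /blog/wp-config.php?x=1 HTTP/1.1" 404 210 "-" "probe/1.0"
198.51.100.23 - - [22/Sep/2009:11:15:40 +0000] "GET /shop/wp-config.php HTTP/1.1" 403 199 "-" "-"
198.51.100.99 - - [22/Sep/2009:12:00:00 +0000] "GET /old/WP-Config.php HTTP/1.1" 200 3120 "-" "-"
192.0.2.10 - - [22/Sep/2009:12:05:00 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def verdict(status, size):
    """Map the response to what it means for a wp-config.php request."""
    if status in ("301", "302", "307", "308"):
        return "redirected"      # e.g. the Redirect rule answered
    if status in ("403", "404", "410"):
        return "blocked"         # e.g. a deny rule, or the file is not there
    if status.startswith("2") and size not in ("-", "0"):
        return "served-body"     # heuristic: non-empty body, inspect by hand
    return "other"

def find_probes(log_text):
    """Return {client_ip: [(path, status, verdict), ...]} for wp-config.php hits."""
    probes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # skip malformed lines
        path = m["target"].split("?", 1)[0]           # drop the query string
        if path.rsplit("/", 1)[-1].lower() != "wp-config.php":
            continue
        probes[m["ip"]].append((path, m["status"], verdict(m["status"], m["size"])))
    return dict(probes)

def needs_review(probes):
    """Client IPs that got a non-empty 2xx answer for the file."""
    return sorted(ip for ip, hits in probes.items()
                  if any(v == "served-body" for _, _, v in hits))

if __name__ == "__main__":
    for ip, hits in find_probes(SAMPLE_LOG).items():
        for path, status, v in hits:
            print(f"{ip:15} {status} {v:12} {path}")
```

Any address returned by `needs_review` got a non-empty 2xx answer, so check by hand whether the server sent the file's source instead of running it through PHP.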
