Get a free trial // Grow your CSS skills // Land your dream job

Shock Teenage Gangsters with wp-config Redirect

Last updated on:

Funny email from a reader, that I figured would make a good post:

This is a funny redirect. I get one or two visits a day from teenage gangsters trying to enter my server by checking if a wp-config-file exists that is no longer the newest version. I got best panic results by linking to the Russian IT-Counter-intelligence Agency.

NOTE: You should NOT use this if you are ACTUALLY using WordPress. Also, I updated it to the FBI since that Russian site went down.

Redirect 301 /wp-config.php


  1. Stephen
    Permalink to comment#

    This is such a funny prank. Well done!

  2. Daniel Groves
    Permalink to comment#

    I have got to use this one. Brilliant idea!

  3. Bjarni
    Permalink to comment#

    Funny : )

  4. Clay
    Permalink to comment#

    That is an awesome redirect! Serves them right!

  5. SpiderSavvy
    Permalink to comment#

    I’m going to use this!

  6. chris
    Permalink to comment#

    Love the idea..

    but looks like is no longer there …

    or.. at lest 404ed today 09.22.2009

  7. A
    Permalink to comment#

    I don’t understand the note at the top:

    “NOTE: You should NOT use this if you are ACTUALLY using WordPress.”

    Please clarify.
    Can I use this on my wordpress blog?
    If not, why?

    • Chris Coyier
      Permalink to comment#

      Because if you ARE using wordpress, it needs to access that wp-config file in order to work, not be redirected away.

    • Colin Helvensteijn
      Permalink to comment#

      Of course it does, but PHP loads the file (any include for that matter) locally, right from the file system. Apache has nothing to do with that. It’s no problem to use this even if you do run WordPress.

      Besides, wp-config.php should never be accessible from inside the document root anyway.

    • Colin Helvensteijn
      Permalink to comment#

      Sorry, bit of a late reply, but I just had to say something. Far too often made mistake. ;-)

    • Ethan Kramer
      Permalink to comment#

      Chris what do you mean by “if you are ACTUALLY using Wordpres”? Wouldn’t the only people using this snippet be WordPress users and therefore people ACTUALLY WordPress making this snippet useless then? I’m confused. Could you please give me an example of some one not ACTUALLY using WordPress and someone ACTUALLY using WordPress?

    • Chris Coyier
      Permalink to comment#

      I’m confused about how this is confusing ;)

      “Actually” using WordPress means downloading and installing WordPress on your server and building your site with it. If you do that, don’t use this. If you don’t do that, that means you aren’t using WordPress, and can use this cheezy snippet to mess with kiddy hackers who might assume that you are (running WordPress) and are trying to hack you by accessing that file.

  8. SVR
    Permalink to comment#
    СВР (SVR) – Foreign Intelligence Service

  9. Frederick
    Permalink to comment#

    SO GOOD, thx.

  10. Loige
    Permalink to comment#

    Uhahaha! Wonderful trick :D

  11. Devin Walker
    Permalink to comment#

    Show those hackers what’s upppp

  12. Regina Smola
    Permalink to comment#

    I think I’ll send them to

  13. Mark Gason
    Permalink to comment#

    so who is correct??????
    “NOTE: You should NOT use this if you are ACTUALLY using WordPress”
    or Colin Helvensteijn
    “Of course it does, but PHP loads the file (any include for that matter) locally, right from the file system. Apache has nothing to do with that. It’s no problem to use this even if you do run WordPress.”

  14. Christian Ramsey
    Permalink to comment#

    I would also like to know who is correct.

  15. Hotels
    Permalink to comment#

    It’s very easy:

    Wordpress works via PHP and can use the wp-config.php file.
    That’s how PHP works.
    So, Worpress can use the wp-config.php file without any problem.

    A surfer tries to view (via Explorer, Firefox etc.) the wp-config.php ( THEN he will be redirected via this funny trick.

  16. Kevin
    Permalink to comment#

    Haha I like this, I think I’m deff going to add that to my .htaccess =)

  17. Mark
    Permalink to comment#

    Just found this and I think it’s awesome. I’ve always wanted to do something like this.

    In my robots file I have some fake entries too and I often see people going to them.

    Now I’m going to redirect them to

  18. Gary

    This is very well done! I love the humor! I’ll be adding this to my WordPress Site.

  19. Kabi

    Thanks very much for this! I’ve added as well.

  20. Fordinary

    Now you have got me confused! Help!
    I am learning how to setup a WordPress site using your 3 episode series.

    How do i protect my site against hackers?

  21. Billy
    Permalink to comment#

    If I wrote my website from scratch on Coda, then is there any way to do this?

  22. Sergiu
    Permalink to comment#

    I think the best protection of wp-config file is to put it on the parent directory of www or public_html as WP still knows where to get it from but it’s not accessible through the frontpage.

  23. Avinash Dwarapu
    Permalink to comment#

    I’ve got the best idea:

  24. barat
    Permalink to comment#

    One thing – wh 301? Why to give a “power” to redirect location? Why just not to do normal redirect? ;)

  25. Karl
    Permalink to comment#

    Ha ha, very good one, I did something similar with my wireless network. I named it after a very famous devastating virus online, so if you want to hack my wireless, you may want to think it twice!

    Good job.

  26. Anthony L.
    Permalink to comment#

    Okay. This is rather late of a reply, but oh what the hell. In case someone can’t figure out what the above says, I’ll break it down. …Not that I’d know just why you would be doing web development if you can’t understand this basic instruction here.

    This is a prank. It is a joke. It is intended to fool people who THINK you use WordPress. Sure, it will work if you still run WordPress, but you will cause issues when your server accesses that specific file.

    So if you are running a site on nothing but your own HTML, CSS, PHP, Javascript and whatever else, and you aren’t using WordPress, then use this. If someone tries to mess with your site thinking you actually run that platform, they’ll be redirected.

    Makes sense? Sweet. If not…. Maybe you shouldn’t be trying web development. Or take a few English classes. Or hell – learn WordPress if you can’t infer why this might be a bad move to implement on a WordPress-powered site.

  27. DrunkCoder
    Permalink to comment#

    I really don’t understand why I can’t use this on WordPress site…
    When and where WordPress makes a HTTP request to wp-config.php?!
    It is included in PHP and PHP don’t care about .htaccess, apache e.t.c.
    Or you say if I will redirect all my users to WWW prefix of my site (force WWW in domain mby for SEO), PHP will include files from WWW directory or other directory? I don’t think so :)

  28. Saku Mättö
    Permalink to comment#

    I would presume the comment not to use is based on the fact that most often people would not know how to access their config in several different ways. Personally I SSH to my server so thumbs up to this prank :)

  29. Aaron

    This is awesome. Thanks Chris!

  30. Shane
    Permalink to comment#

    Chris, why have you said that you should not actually use this if you have WP?
    If you have a look at the PHP code for WP, you see that it includes the wp-config.php file, as it should. It does not make a web request then eval the response – that would be dangerous. It would also be the only way for this htaccess prank to affect WP.

    The file is loaded using the file system which is not affected by htaccess. Therefore, this is completely safe for use in WP environments. But don’t take my word for it, give it a go yourself.

  31. Jão
    Permalink to comment#

    It would be even funnier to redirect to a goatse… If you don´t know what a goastse is, don´t look it up unless you´ve got a really strong stomach and sick/twisted sense of humour!

Leave a Comment

Posting Code

We highly encourage you to post problematic HTML/CSS/JavaScript over on CodePen and include the link in your post. It's much easier to see, understand, and help with when you do that.

Markdown is supported, so you can write inline code like `<div>this</div>` or multiline blocks of code in in triple backtick fences like this:

  function example() {
    element.innerHTML = "<div>code</div>";

There's a whole bunch of content on CSS-Tricks.

Search for Stuff   •   Browse the Archives

Get the Newsletter ... or get the RSS feed