diff --git a/README.md b/README.md index 30ba31d7..7397d813 100644 --- a/README.md +++ b/README.md @@ -18,7 +18,7 @@ Features + `echo " /usr/local/vesta/web/inc/login_url.php` + Literally no one PHP script will be alive before you access that URL, so even if there is some zero-day exploit - hacker will not be able to access it without knowing your secret URL. PHP scripts from VestaCP will be simlpy dead - nothing will interact with someone who don't know your secret-URL. + You can see how mechanism was built by looking at: - + https://github.com/myvesta/vesta/blob/master/src/deb/php/php.ini#L496 + + https://github.com/myvesta/vesta/blob/master/src/deb/for-download/php/php.ini#L496 + https://github.com/myvesta/vesta/blob/master/web/inc/secure_login.php + We disabled dangerous PHP functions in php.ini, so even if customer's CMS was compromised, hacker will not be able to execute shell from PHP.
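Review bot: The replacement link on the `+` line still points at the `master` branch with a fixed line anchor (`php.ini#L496`), so it will land on an unrelated line as soon as `src/deb/for-download/php/php.ini` is edited. Readers use this README paragraph to check how the secret-URL mechanism is built. Consider pinning the URL to a commit permalink, or naming the relevant php.ini directive in the sentence so the reference survives line shifts. The old path `src/deb/php/php.ini` evidently moved once already, which is how this link broke. While this paragraph is being touched, the unchanged context line above it contains the typo "simlpy", which could be corrected in the same commit.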