As I understand it, that’s a PHP file, and that info can’t be seen.
Please review: Hardening_WordPress
Thread Starter
Rastl
(@mrspost)
I did read that before posting and didn’t find anything on moving that file out of the public directory.
/wp-admin/ — the WordPress administration area: all files should be writable only by your user account.
Just because they can’t write to it doesn’t mean that they can’t possibly view it and see all the connection information in clear text.
I know that part of my responsibility is to secure all the directories properly but being able to move that critical file into a private directory seems like a pretty basic security practice.
You can move the wp-config.php file to the directory above your WordPress install.
This means for a site installed in the root of your webspace you can store it outside the webroot fine.
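The relocation described above relies on WordPress itself checking the directory one level above the install for wp-config.php (and ignoring it if a wp-settings.php sits next to it, so a nested install does not pick up its parent’s config). When the install lives in a subdirectory, that parent is still public; the usual workaround is a stub wp-config.php that stays put and loads the real file from outside the web root. The stub below is an added example, not code from the thread or from WordPress; the /home/example/... paths are assumptions.

```php
<?php
// Added example (not from the thread): a minimal wp-config.php stub that stays
// in the WordPress directory and loads the real settings from a file that the
// web server cannot serve. Assumed (hypothetical) layout:
//   /home/example/public_html/blog/wp-config.php   <- this stub
//   /home/example/private/wp-config.php            <- real config, outside webroot
//
// wp-load.php has already defined ABSPATH as the WordPress directory before it
// includes this file, so the real config's "require_once ABSPATH . 'wp-settings.php'"
// still resolves correctly even though that file now lives elsewhere.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}

// Walk up from the install directory: blog -> public_html -> home, then into private/.
$private_config = dirname( __DIR__, 2 ) . '/private/wp-config.php';

if ( ! is_readable( $private_config ) ) {
    // Fail closed: no fallback to defaults and no path details echoed to visitors.
    http_response_code( 500 );
    exit( 'Configuration not available.' );
}

require_once $private_config;
```

The real file outside the webroot is a normal, complete wp-config.php (database constants, salts, table prefix, the trailing wp-settings.php require); only the stub is new.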
I’ve seen this a number of times, but when I move wp-config to the wp-includes folder, I get an error that wp-config does not exist. I’m guessing I’m misunderstanding how to do this. It’s easy enough to understand that you wouldn’t want anyone to read wp-config.
Why is it set by default to be able to be read publicly anyway? Is it too simplistic to simply change the permissions on this file and leave it where it is? This really doesn’t apply to automated attacks does it? It seems the config file would only come into play if there was an actual hacker trying to pry into your site a bit.
Thanks for the thread on this…it’s an important issue. I always took security for granted until my site was destroyed. Live and learn 🙂
@rxcknrxll
I think by up they mean in the other direction, outside your public_html folder.
Some hosts only give you access to public_html, so you might need to contact your hosting support to put a file outside of public_html.