Can outsiders read php files? (4 posts)

  1. KevinTMC
    Member
    Posted 8 years ago #

    Hi. My name is KevinTMC, and I'm paranoid. And I don't know much about PHP. Which is a dangerous combination.

    After installing WordPress, I noticed that if I typed "http://[my blog].us/readme.html", it opened the Readme, even if I wasn't logged into my admin panel. Being paranoid, and knowing that WordPress wouldn't need to do anything fancy with this file, I chmodded it--and license.txt--to 640, so that anyone snooping around trying to figure out exactly which version I was running would get a 404 instead.

    But I don't dare 640 all the real working files...yet I sure wouldn't want some random person to be able to read through, say, the contents of my wp-config.php file either.

    I did feel a little better when my browser just showed me a blank page when I tried calling up wp-config.php, wp-pass.php, and so on...but perhaps that's just because I don't know what I'm doing. Could anyone with the right browser settings, or other appropriate software, look at the guts of my .php files so long as they are set at 644 or looser? Or should I stop worrying, because the .php files are already protected somehow?

  2. niziol
    Member
    Posted 8 years ago #

    Someone may have a more explicit answer, but if your web server is working and configured properly, it should always output the results of the PHP page (if any) and not the actual PHP code itself. Usually, the extension .phps or some other method is used to display the actual PHP code.

    Cheers,
    Michael.

  3. khimichcom
    Member
    Posted 8 years ago #

    You don't need to worry. Your webserver processes PHP files, but doesn't show their internal text. Anyway, there is always a possibility that someone will hack some script and get access to other scripts. This world is so unoptimized ;-)

  4. mumkin
    Member
    Posted 8 years ago #

    Somewhat relatedly: If you don't want snoopy people to be able to discern what version of WP you're running, you probably want to edit your theme's header.php to remove the meta tag immediately following your title. It calls <?php bloginfo('version'); ?>, so you've got this in the source of every page:

    <meta name="generator" content="WordPress 2.0.1" /> <!-- leave this for stats -->
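An added example, not code from the thread or from WordPress itself, showing the same goal done without editing the theme. It assumes a later WordPress release in which the generator meta tag is printed by the wp_generator callback hooked to wp_head (the poster's 2.0.1 theme printed it directly in header.php via bloginfo('version'), where the only fix is to delete the line). Dropped into wp-content/mu-plugins/, it also clears the version from feeds and from the ?ver= query string that WordPress appends to its script and style URLs, two other places the version shows up.

```php
<?php
/*
Plugin Name: Hide WordPress Version (added example)
Description: Removes the WordPress version string from page heads, feeds and asset URLs.
*/

// Added example, not part of the original thread. Assumes a WordPress release
// where the <meta name="generator"> tag comes from the wp_generator action.

// 1. Stop the generator tag being printed inside <head> on every page.
remove_action('wp_head', 'wp_generator');

// 2. RSS/Atom feeds carry their own <generator> element; blank it as well.
add_filter('the_generator', '__return_empty_string');

// 3. Enqueued scripts and styles get "?ver=<WP version>" appended unless the
//    asset declares its own version; strip that query argument from the URL.
function hide_wp_version_from_asset_url($src) {
    if (is_string($src) && strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'hide_wp_version_from_asset_url');
add_filter('style_loader_src', 'hide_wp_version_from_asset_url');
```

This only removes the obvious fingerprints; readme.html (as the first post notes) and the contents of static files still identify a release, so keeping the install patched is what actually closes the gap, and hiding the banner is just noise reduction for scanners.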

This topic has been closed to new replies.