Completely securing files and folders (5 posts)

  1. danielt
    Member
    Posted 6 years ago #

    I have seen many different and unfortunately completely differing articles on this, but I am more and more confused the more of them I look at.

    What I want to do is simply make sure nobody can read or write to, or even look at (dir list), any files on my site.

    Everyone seems to begin with using the file .htaccess and say that you should "add" some things to it. First of all: my WP never installed an .htaccess file! And my site didn't have one by default; it's a new subdomain. I'll probably be changing it to a /subdir on the domain's root anyway, but that's off the topic already.

    What's to stop someone from finding the location of the wp-config file, for example, and reading the database name, and the username and password for access?

    I tried using one of the various methods I saw online, where you restrict privileges unless the requester is index.php. This didn't seem to work.

    I'd very much appreciate a link to, or sample of, a typical .htaccess file (or set of files for each folder) that will secure all the folders from access using a browser. I still want WordPress to be able to make changes, of course, and I also want to be able to make changes via my website host's utilities. But either of those methods requires authentication. -- That's one of the things that also went wrong: when I used my site's "protect" utility to "protect" the /wp-admin folder, for example, the site started asking me for authentication even to load the main index.php page! I assume this is because that page calls files from the subdirectory wp-admin.

    Please consider me a total web development dummy. When it comes to network setup and servers and hardware, I can solve anything in my sleep, but this stuff is a foreign world for me.

    Any help is appreciated, thanks

  2. whooami
    Member
    Posted 6 years ago #

    Everyone seems to begin with using the file .htaccess and say that you should "add" some things to it. First of all: my WP never installed an .htaccess file!

    WordPress doesn't come with an .htaccess, that's correct. And WP won't "install" one for you unless you attempt to use pretty permalinks, and have the right server setup that actually allows it to create one.

    What's to stop someone from finding the location of the wp-config file, for example, and reading the database name, and the username and password for access?

    PHP is parsed server side. Bring up your own wp-config.php in your browser and see what you see.

    You can also restrict someone from simply browsing your directories by putting this in an .htaccess:

    Options -Indexes

    As for the larger question of securing files from being brought up in a browser -

    I've actually created a list of files that can currently be brought up in a browser and proposed a couple of "fixes" here:

    http://www.village-idiot.org/archives/2007/08/16/paths-wordpress-and-googlebot/

    It's an issue for me, in this post, because I actually caught Googlebot indexing files that it shouldn't have been (not on my site, thank god).

  3. Chris_K
    Member
    Posted 6 years ago #

  4. danielt
    Member
    Posted 6 years ago #

    Options -Indexes

    Would I put this into an .htaccess file within each folder I want to protect? I not only want to prevent directory listing but also someone should not be able to "guess" a filename and try to download it.

    If all this is moot and the system is secure, I'm cool and happy. I am only concerned about security information being retrieved, or, someone modifying data without permission.

    TY

  5. whooami
    Member
    Posted 6 years ago #

    .htaccess files are hierarchical. Put it inside your topmost .htaccess and all directories are covered by it.

    As to guessing a filename -- you can't protect against that.

    You simply cannot prevent the downloading of some files. That's how the web works.

    Like I've already said, PHP is parsed server-side. Code is not displayed to the browser, nor is it viewable inside downloaded files.

    There are exceptions to that rule, but I'm not going there.

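The thread above mentions two ideas: `Options -Indexes` in the topmost .htaccess to stop directory listings, and the fact that PHP is parsed server-side so wp-config.php is not normally readable through a browser. The following .htaccess fragment is an added example, not posted by anyone in the thread and not shipped by WordPress; it assumes Apache with AllowOverride enabled for the WordPress document root, and it combines the listing restriction with an explicit deny on wp-config.php so the credentials stay unreadable even in the "exceptions" case where PHP parsing is not happening (for example, a misconfigured handler serving .php files as plain text). Note that Apache rejects a mix of signed and unsigned keywords in one Options line, so `-Indexes` is used on its own rather than together with `All`.

```apache
# Added example .htaccess for the WordPress document root (not from the thread).
# Assumes Apache with AllowOverride enabled here; everything in this file also
# applies to every subdirectory unless a deeper .htaccess overrides it.

# Turn off automatic directory listings below this point.
Options -Indexes

# Refuse browser requests for wp-config.php regardless of whether PHP is parsed,
# so the database name, user and password in it are never served as text.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order deny,allow
        Deny from all
    </IfModule>
</Files>

# Also refuse requests for .htaccess and .htpasswd themselves. Apache's default
# server config usually does this already; repeating it here keeps the protection
# from depending on that default.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

To check it, request /wp-config.php and a directory that has no index file (such as /wp-content/uploads/) in a browser: both should now return a 403 rather than file contents or a listing, while the site's normal pages still load because the rules only name specific files and the listing feature. As whooami says, this does nothing for static files whose names can be guessed; those are served by design, so anything sensitive should not live under the document root at all.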
This topic has been closed to new replies.