file permissions on wp-config.php? (10 posts)

  1. carbohydrate
    Member
    Posted 9 years ago #

    hi! i just got WP up and running following the wiki instructions. right now, wp-config.php is set to 644 root:root. as you know, this file contains the mysql dbase username:password. when i was installing WP, the wiki instructions had me grant all privileges to the dbase to the user in the world readable file wp-config.php.

    i don't have any local users on this box, but as you could imagine, having a world readable file with the credentials of a privileged dbase user doesn't make me feel comfortable. i think chowning the file to the apache user and the chmod 640 would do the trick, but i was wondering if there might be any problems in doing this or was there something i missed in the wiki? sorry if i overlooked something. thanks!

  2. moshu
    Member
    Posted 9 years ago #

    Try to read my "world readable" config file:
    http://www.transycan.net/blogtest/wp-config.php

    (answer plagiarized from Podz :)

  3. carbohydrate
    Member
    Posted 9 years ago #

    thanks for the reply. that's reassuring to know that!

    but my question had to do more with local users actually logged into the server via telnet, ssh, or whatever... they could easily read the file. in my case, i have no such users (besides myself) but suppose some other service gets compromised and someone gains access as whatever user the daemon was running as, they could tool my dbase. of course, they could do other things that hit harder (root kit, etc), but i was just wondering if there was a way to lock this down a bit more, just out of curiosity.

    thanks again

  4. "but my question had to do more with local users actually logged into the server via telnet, ssh, or whatever... they could easily read the file."

    That is a risk in every shared hosting environment. The only preventative measure is your hosting account and FTP login password. So, make it a really good password. Try using your own, unique DNA sequence, inter-mixed with numbers familiar to yourself, like your High School ID number, or a former credit card.

  5. carbohydrate
    Member
    Posted 9 years ago #

    macmanx,

    i was afraid that would be the answer!

  6. vkaryl
    Member
    Posted 9 years ago #

    Idle curiosity question, macmanx: how would one go about finding one's own unique DNA sequence?

    [We didn't have "ID" numbers in high school. I have to assume that's something instituted since I graduated - in the mid 60s....]

  7. pizdin_dim
    Member
    Posted 9 years ago #

    I always configure all files in my web directories to chmod 640 and chown root:httpd, where httpd is the apache web server user. Likewise, directories are configured to chmod 750. I can't think of any reason why you'd want to chmod files to 666 and directories to 777, WordPress certainly doesn't need it.
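
The scheme in the post above, as an added example that is not part of the original thread: a POSIX shell audit that lists anything looser than 640 (files) or 750 (directories), plus a function that applies those modes. The function and script names are hypothetical; `httpd` as the group name comes from the post and may differ on your system.

```shell
#!/bin/sh
# Added example (not from the thread): audit and apply the scheme from post 7,
# files 640 and directories 750, owner root, group = the web server's group.

# List files with any permission bit outside 640 and directories with any bit
# outside 750. POSIX find only: "-perm -BIT" is true when BIT is set.
audit_web_perms() {
    find "$1" \
        \( -type f \( -perm -0100 -o -perm -0020 -o -perm -0010 \
                   -o -perm -0004 -o -perm -0002 -o -perm -0001 \) \) \
        -o \
        \( -type d \( -perm -0020 -o -perm -0004 -o -perm -0002 \
                   -o -perm -0001 \) \)
}

# Number of offending paths; 0 means the tree already matches the scheme.
count_loose() {
    audit_web_perms "$1" | wc -l | tr -d ' '
}

# Apply the modes. Ownership changes need root, so chown runs only when a
# group name is passed as $2 (httpd in the thread; an assumption elsewhere).
harden_web_perms() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
    if [ -n "${2:-}" ]; then
        chown -R "root:$2" "$1"
    fi
}

# Usage: sh webperms.sh /path/to/webroot   (audit only; prints offending paths)
if [ "$#" -gt 0 ]; then
    audit_web_perms "$1"
fi
```

With files at 640 and owned by root, the web server reads wp-config.php only through the group bits, so the group passed to `harden_web_perms` has to be the one the server process actually runs under.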

  8. carbohydrate
    Member
    Posted 9 years ago #

    thanks pizdin, I'll give that a try. I was going to chown them to httpd:httpd, but root:httpd sounds much better.

  9. "Idle curiosity question, macmanx: how would one go about finding one's own unique DNA sequence?"

    You'd have to get a blood sample and then find a blood lab that's kind enough to do the analysis for free, or hope that they have low prices. You could also find a generous med student who might be looking for a project to do.

  10. angsuman
    Member
    Posted 9 years ago #

    @carbohydrate
    Go for at least VPS hosting, provides more protection.

    @vkaryl
    Getting your whole human DNA sequenced is a herculean job. But you can easily get certain segments sequenced freely. Do an HLA profile by registering as a kidney donor. You will get alleles for each locus.

Topic Closed

This topic has been closed to new replies.
