WordPress.org

Security of wp-config.php (9 posts)

  1. eliben
    Member
    Posted 8 years ago #

    Hello all,

    In the wp-config.php file in the main directory of my blog I openly enter the username & password of my WordPress MySQL database. What are the security considerations of this method? If indexing of the blog directory is disabled (i.e. surfers can't just open any file they want), am I safe?

    Can't anyone just open .../blog/wp-config.php and see the private details?

  2. Chris_K
    Member
    Posted 8 years ago #

    Try and browse to it. :-) http://yourdomain.com/blog/wp-config.php

  3. eliben
    Member
    Posted 8 years ago #

    I can't browse to it, but this is the most trivial option. I wonder what prevents more experienced crackers than me from accessing it? Do they have to know my password or can it be overcome somehow?

  4. Mark (podz)
    Support Maven
    Posted 8 years ago #

    PHP is executed on the server before it gets sent to the browser. I have posted my url to it before many times and the fact that tens of thousands of blogs use WordPress is testament to its effectiveness.

    What you need to do is have an effective password:
    CEMRFt+/bPy7UWhzd06I
    or something similar is good. Single words or even double words are very very poor.

    Your weakest link is not WP - it's your password :)

  5. Kafkaesqui

    Posted 8 years ago #

    Not a new topic...

    http://wordpress.org/search/security+wp-config.php?forums=1

    Here's a recent thread which discusses an option available to WP users (depending how your server is set up) if you're *really* concerned about this:

    http://wordpress.org/support/topic/64882

    Keep this in mind though: if someone can read your wp-config content, you have a larger problem to deal with.

  6. kenl77
    Member
    Posted 7 years ago #

    the mighty G search tool has come up with code-search which will dig out your php file codes and show it to the www

    so even if you see nothing while pointing to the file the big G will dig them out for you with their codesearch, secure your config file now boys and girls.

  7. whooami
    Member
    Posted 7 years ago #

    responding again, since you did as well:

    what you are implying is absolute crap, kenl77, and I challenge you to show a single instance where a wp-config.php that is currently being used for a live site is being displayed in plain text via Google.

  8. entell
    Member
    Posted 7 years ago #

    Actually, you don't need big G to expose the contents of your PHP file. If the server goofs up and the PHP server stops responding, you could get into a situation where the content of the PHP file is shown as plain text. Not very likely, but still a possibility.

  9. whooami
    Member
    Posted 7 years ago #

    zzz.. it's very rare that the PHP interpreter dies. I'm well aware of the possibility, but guess what -- WP sites are more likely to be compromised by a host of other methods, none of which rely on the off-chance that someone will cruise by while PHP is handing out text files.
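
The thread's two data points, "browse to it" and the case where PHP stops and the file is handed out as plain text, can be turned into a repeatable check against a site you operate. This is an added example, not code from any poster or from WordPress; the function names, marker patterns and sample bodies are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Strings that exist only in the PHP source of wp-config.php. When PHP is
# executing the file, none of them reach the browser.
MARKERS = {
    "php-open-tag": re.compile(rb"<\?php"),
    "db-define": re.compile(rb"define\(\s*['\"]DB_(?:NAME|USER|PASSWORD|HOST)['\"]"),
}

def leaked_markers(body: bytes) -> list[str]:
    """Names of the source markers present in a response body (empty = no leak)."""
    return [name for name, rx in MARKERS.items() if rx.search(body)]

def check_own_site(url: str, timeout: float = 10.0) -> list[str]:
    """Fetch wp-config.php from a site you operate and scan the response."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536)
    except urllib.error.HTTPError as err:
        body = err.read(65536)  # a 403/404 error page is scanned as well
    return leaked_markers(body)

# Constructed sample responses, not captured from any real site.
EXECUTED = b""  # PHP ran the file: nothing is printed
SERVED_AS_TEXT = (
    b"<?php\n"
    b"define('DB_NAME', 'wordpress');\n"
    b"define('DB_USER', 'example_user');\n"
    b"define('DB_PASSWORD', 'constructed-placeholder');\n"
)

if __name__ == "__main__":
    for label, body in [("executed", EXECUTED), ("served as text", SERVED_AS_TEXT)]:
        found = leaked_markers(body)
        print(f"{label}: {'LEAK ' + ', '.join(found) if found else 'ok'}")
```

Run `check_own_site()` on a schedule after server or PHP upgrades; any non-empty result means the file is being served rather than executed and the database password should be rotated.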

Topic Closed

This topic has been closed to new replies.
