WordPress.org


wp-config files showing in Google Code Search (6 posts)

  1. martytdx
    Member
    Posted 7 years ago #

    Has anyone seen this?

    http://www.google.com/codesearch?q=+file:wp-config.php+username&start=20&sa=N

    Basically, if you do a search for file:wp-config.php username, you can get returned files (mostly from zipped backups) that reveal the username and passwords of some WordPress users - or at least it appears that way. If valid, what are the methods to block this from happening?

  2. whooami
    Member
    Posted 7 years ago #

    Yes, it's been discussed already.

    Don't want to see your files on Google? Don't save your backups to a publicly accessible directory.

    Backups aren't meant to be kept on the server anyway; that defeats the purpose of a backup, after all. Server dies, backup dies. Backups are meant to be downloaded and then deleted off the web space.

    It's common sense, actually.

  3. martytdx
    Member
    Posted 7 years ago #

    True, but how many people use things like CPanel or similar things that can create automatic backups ... and which end up on the same server simply because they don't know better? Those are the people that will end up having their blogs at risk.

  4. whooami
    Member
    Posted 7 years ago #

    Umm, OK, and?

    Rather than blather on first about how I happen to feel that experience isn't an excuse, nor is this a WP-specific issue (it's already been mentioned on 2 other sites).

    I'll address your question (again) first:

    If valid, what are the methods to block this from happening?

    Don't allow backups to sit in publicly accessible directories.

    ---

    Why is that the answer and not something like a robots.txt block on Google?

    1. Because the people that don't get that those files are publicly accessible won't get what a robots.txt is for any better.

    2. Because creating a robots.txt file might actually be more work than not leaving the file(s) on the server.

    It's an unfortunate fact that oftentimes Internet life mimics real life -- by that I mean that people that cross the street before looking both ways might get hit by a car. The same holds true on the 'net -- inexperience, NOT educating yourself, etc. are not excuses.

    Philosophically speaking, we could all do without some of the more stubbornly ignorant web masters that exist right now. It would prolly make the 'net a safer place for those of us left behind.

    --------

    Besides, you've actually minimized the problem some, as the current practice among most hosts is to assign the same username/passwd combo to everything: ftp, mysql, etc. So it's not just a blog that is at risk, it might be everything.

    I've always said, "Google knows all"

  5. martytdx
    Member
    Posted 7 years ago #

    LOL ... I agree, ignorance is NOT an excuse, and Google is only doing what Google does - providing the tools. How people use them is a whole other story. Thanks for the reply - well thought out and right to the point.

  6. whooami
    Member
    Posted 7 years ago #

    Oh, and I got to thinking: the default option in cPanel does not save backups to web-accessible dirs. They're saved to your "home" directory, which is typically above web_root.
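
An added example, not part of the original thread: a Python script that audits a local web root for zip or tar backup archives containing wp-config.php, the exposure discussed above. The function names and the sample directory tree are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile
import zipfile

TARGET = "wp-config.php"  # file whose presence in an archive exposes DB credentials

def archive_members(path):
    """Return the member names of a zip or tar archive, or [] if path is neither."""
    try:
        if zipfile.is_zipfile(path):
            with zipfile.ZipFile(path) as zf:
                return zf.namelist()
        if tarfile.is_tarfile(path):
            with tarfile.open(path) as tf:  # default mode auto-detects gz/bz2/xz
                return tf.getnames()
    except (zipfile.BadZipFile, tarfile.TarError, OSError):
        pass  # unreadable or truncated archive: skip it, keep scanning
    return []


def find_exposed_backups(web_root):
    """List (archive path relative to web_root, member) pairs holding wp-config.php."""
    hits = []
    for dirpath, _dirs, files in os.walk(web_root):
        for full in (os.path.join(dirpath, f) for f in files):
            for member in archive_members(full):
                if os.path.basename(member) == TARGET:
                    hits.append((os.path.relpath(full, web_root), member))
    return sorted(hits)


def build_sample_root():
    """Constructed sample web root: a leaky zip, a leaky tar.gz, a harmless zip."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "backups"))
    data = b"<?php // constructed placeholder, no real credentials"
    with zipfile.ZipFile(os.path.join(root, "site-backup.zip"), "w") as zf:
        zf.writestr("public_html/wp-config.php", data)
    with tarfile.open(os.path.join(root, "backups", "full.tar.gz"), "w:gz") as tf:
        info = tarfile.TarInfo("home/user/public_html/wp-config.php")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    with zipfile.ZipFile(os.path.join(root, "theme.zip"), "w") as zf:
        zf.writestr("theme/style.css", "body{}")
    return root

if __name__ == "__main__":
    print(find_exposed_backups(build_sample_root()))
```

Pointing `find_exposed_backups` at a real document root lists every archive that should be moved above the web root or deleted after download.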

Topic Closed

This topic has been closed to new replies.
