WordPress.org

Ideas

Change wp-config.php to different name for security reason

  1. adinugroho
    Member


    Hi,
    I handle hundreds of WordPress sites on my server. Sometimes an intruder comes onto my server and uses a symlink to read any wp-config.php file on the whole server. If we could change the wp-config.php name easily in the future, that would increase WordPress security.

    Posted: 2 years ago #
  2. 1989danielb
    Member

    Couldn't you just use a program such as NetBeans to do a search and replace on all instances of wp-config.php within the WordPress directory? I don't think any references to the file are in the database.

    As in you change the filename to something like "template-home.php" and then set NetBeans to find and replace any and all instances of wp-config.php to "template-home.php". Then anything pointing to the old config file name will be changed.

    Not sure if it works, but it could be a temporary solution while you wait for any changes/plugins :)

    Posted: 2 years ago #
  3. Ipstenu (Mika Epstein)
    Administrator

    DO NOT EDIT CORE FILES LIKE THAT

    NO! Never. 1989danielb please do not suggest that. It's a terrible idea, all your changes will be lost when you upgrade and your site will break.

    Okay. Now that we're all NOT editing core....

    You can move the wp-config.php file one level up. So if you install WP here:

    /home/public_html/index.php (etc)

    The config can go in the NON web-accessible folder:

    /home/wp-config.php

    However. The concept that renaming that file will 'help' is not actually so. First of all, you have to be able to have a 'common' file to tell WP 'this is where I live', and since WP is open source, any reasonable hacker would be able to write a script that checks what your site is calling instead of wp-config.php.

    Sometimes an intruder comes onto my server and uses a symlink to read any wp-config.php file on the whole server.

    THIS is bad, horrible, dear god get a new webhost, levels of security holes. A GOOD server does not allow user A to read ANY files from User B. A symlink could be made, but would be unreadable because of permissions.

    And still, renaming won't matter if I can run a server-side scan for all files with the wp-config 'headers'.

    Unless of course the intruder gets in with root access, at which point nothing matters at all.

    Posted: 2 years ago #
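A check for the two points made above (that renaming the file does not hide it from a server-side scan, and that the mode bits on the target file are what stop a symlink planted by another account) as an added shell example; it is not part of this thread and not WordPress code. It scans a web root for WordPress configs by their contents rather than their file name and reports the ones readable by other local users. The root path, the file names and the sample contents are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from WordPress core).
# Audit a multi-tenant web root for WordPress configuration files.
#  1. A config is recognised by its contents (the DB_* defines), so a file
#     renamed from wp-config.php to template-home.php is still found.
#  2. The "other" read bit on the target is what a cross-account symlink
#     needs; a 0600 file is found by the scan but not reported as exposed.
# Assumptions: POSIX sh with find and grep; the root path is hypothetical.

# List every PHP file under $1 that defines DB_PASSWORD, whatever its name.
find_wp_configs() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE "define\( *'DB_PASSWORD'" {} + 2>/dev/null | sort
}

# Same scan, restricted to files whose "other" read bit (o+r) is set:
# these are readable by any local account, through a symlink or directly.
find_exposed_wp_configs() {
    find "$1" -type f -name '*.php' -perm -o=r \
        -exec grep -lE "define\( *'DB_PASSWORD'" {} + 2>/dev/null | sort
}

# Remediation: mode bits belong to the target, not the link, so once the
# config is 0600 a symlink created by another tenant fails with EACCES.
lock_down_config() {
    chmod 600 "$1"
}

# Usage (hypothetical root):
#   find_exposed_wp_configs /home | while read -r f; do lock_down_config "$f"; done
```

The check assumes each site's PHP runs as that site's own Unix user (suEXEC, suPHP or a PHP-FPM pool per account). Where every tenant's PHP runs as one shared user, the mode bits on the target no longer separate tenants and a symlink from any account reads any config; that is the host-level hole described above, and neither a different file name nor chmod fixes it.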
  4. adinugroho
    Member


    Hi,
    Yes, we can move wp-config.php to the home folder, but what if we have some subdomains, for example /home/x/www/sub1/ and /home/x/www/sub2/? We can't put both wp-config.php files at /home/x/www/, and it would also overwrite the wp-config.php of the main domain.
    At least we can be one step ahead of the intruder before he finds another method. I have checked many intruder scripts, and they create symlinks to CMS configuration files by name, e.g. wp-config.php, configuration.php, config.php, etc.
    Most of the scripts brute-force all the names and hope they get lucky:
    /home/*/wp-config.php
    /home/*/www/wp-config.php
    /home/*/www/*/wp-config.php

    They can't read it if they don't create the symlink first.
    If we change the wp-config.php name, they can't read our database name, username and password.

    Posted: 2 years ago #
  5. nhantam
    Member


    First: You can rename wp-config.php = config.php
    Second: replace all require 'wp-config.php' = require 'configs.php';

    Regards

    Posted: 1 month ago #
  6. Ipstenu (Mika Epstein)
    Administrator

    DO NOT EDIT CORE FILES

    DO NOT EDIT CORE FILES

    DO NOT EDIT CORE FILES

    DO NOT EDIT CORE FILES

    Seriously. No. Stop. Don't do it. You are a fool if you do it.

    Posted: 4 weeks ago #
  7. Silko
    Member


    Protecting your wp-config.php can be easy; please have a look: https://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

    Posted: 3 weeks ago #


  • Rating: 4 Votes
  • Status: Sorry, not right now