Secure Permissions for wp-config.php
-
I had a working installation of WordPress, then needed to do a completely fresh install. I followed all instructions to reinstall and restore from backup. I even had the new install working for a little bit.
(Ubuntu 16.04 LTS server, owned and managed by me, accessing via SSH)
However, when I follow the instructions for “Hardening WordPress,” things break. I changed the owner for all files & folders to my individual user, except for the wp-content folder, which is owned by my Apache server’s user www-data. I changed the permissions for all folders to 755 and all files to 644, except for wp-config.php which I changed to 400.
This causes a “Fatal error” when I try to access the site via web browser, saying that permission is denied to wp-config.php when it is trying to be accessed by wp-load.php. Changing permission of wp-config.php to 644 fixes this, but “Hardening WordPress” says this is insecure. I really really really do not want my database password (which is stored in wp-config.php) exposed to the world.
What permissions can I give to wp-config.php that keeps my data secure but also lets WordPress be operational? I can’t find an answer to this question anywhere. I only see people in forums who say “change it to 644” and the “Hardening WordPress” site that says “change it to 400” but no advice for what to do when neither of these is a workable solution.
Or, is there another place I can store my database credentials so that I can keep them secure even if permissions to wp-config.php are lax?
-
wp-config.php should be 640, owned by the user under which PHP is running (www-data, I think, on Ubuntu).
My sites are all set up so each is running as a different user (via php-fpm) and never the default user. All files are 644, and all directories are 755.
Thanks so much for your quick reply.
Just to confirm, does giving the web server read & write access (640) to a PHP file containing my database password give relatively easy access to my database password to interested external parties? Or is this a secure way to store it?
6 says the owner can read/write, 4 says the group can read, 0 says no one else can read.
However, externally, no one can “read” the file, regardless of permissions. It’s a PHP file which gets executed, not read.
-
This reply was modified 7 years, 8 months ago by Steven Stern (sterndata).
Thanks, this is great info. Sorry if I sound paranoid or uninformed. I was worried that with web server read access, someone could use wget or something similar to get the source. But as you said, that is not the case. I just tested it out myself and your solution is perfect.
Changed owner (and group) to www-data and we have a working site that is at least as secure as it was before I did my fresh install.
Thanks again for your (quick!) help.
Keep in mind that if you have any other sites on your server that are also running as www-data, a successful hack on any one of them can lead to a hack on all. So, read up on php-fpm and using different users for each site.
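The permission scheme from the replies above (directories 755, files 644, wp-config.php 640, everything owned by the user PHP runs as) and the "one php-fpm user per site" advice, as an added shell example that is not part of the original thread. It assumes a Linux host with GNU stat(1) and find(1) (as on Ubuntu); the pool name, socket path and process-manager numbers in the php-fpm fragment are illustrative assumptions, as is the /var/www path in the usage comment.

```shell
#!/bin/sh
# Added example (not from the thread above). Applies the permission scheme the
# replies describe and prints a minimal per-site php-fpm pool. GNU stat/find,
# the socket path and the pm.* values are assumptions for illustration only.

# harden_wp_perms DOCROOT OWNER GROUP
# Owner/group should be the user the site's PHP (php-fpm pool) runs as.
harden_wp_perms() {
    docroot=$1; owner=$2; group=$3
    [ -f "$docroot/wp-config.php" ] || { echo "no wp-config.php in $docroot" >&2; return 1; }
    # Ownership first (needs root unless OWNER:GROUP is already the caller).
    chown -R "$owner:$group" "$docroot"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    # The one exception: the database credentials are readable by owner and group only.
    chmod 640 "$docroot/wp-config.php"
}

# wp_config_mode DOCROOT -> octal mode of wp-config.php, e.g. "640" (GNU stat)
wp_config_mode() {
    stat -c '%a' "$1/wp-config.php"
}

# check_wp_perms DOCROOT
# Returns 0 when wp-config.php is not world-readable and nothing under
# DOCROOT is world-writable; otherwise prints the finding and returns 1.
check_wp_perms() {
    docroot=$1
    mode=$(wp_config_mode "$docroot")
    case $mode in
        *[4567]) echo "wp-config.php is world-readable (mode $mode)" >&2; return 1 ;;
    esac
    if [ -n "$(find "$docroot" -perm -o=w -print | head -n 1)" ]; then
        echo "world-writable entries under $docroot" >&2; return 1
    fi
    return 0
}

# fpm_pool_conf SITE USER GROUP WEBSERVER_USER
# A minimal php-fpm pool so this site's PHP runs as its own USER while the
# web server (e.g. www-data) can still connect to the socket.
fpm_pool_conf() {
    site=$1; user=$2; group=$3; web=$4
    cat <<EOF
[$site]
user = $user
group = $group
listen = /run/php/php-fpm-$site.sock
listen.owner = $web
listen.group = $web
listen.mode = 0660
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
EOF
}

# Usage (as root): sh wp-perms.sh /var/www/example.com site1 site1
if [ "$#" -eq 3 ]; then
    harden_wp_perms "$1" "$2" "$3" && check_wp_perms "$1" \
        && echo "OK: wp-config.php is mode $(wp_config_mode "$1")"
fi
```

Run the script with the site's document root and the php-fpm pool user as owner and group; `check_wp_perms` then confirms wp-config.php is 640 and that nothing in the tree is world-writable. The pool fragment from `fpm_pool_conf` goes in the php-fpm pool directory (on Ubuntu 16.04 that is under /etc/php/7.0/fpm/pool.d/, an assumed path), with the web server pointed at the matching socket, so that a compromise of one site's PHP does not hand the attacker every other site's wp-config.php.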
-