• Resolved Architect

    (@swotong)


    Hi,

    It seems quite easy for a malicious theme or plugin to copy my WordPress files on my server and email them back to the bad guy, so I just came up with these questions:

    Inside wp-config.php, my database information can be read easily since it is just plain text. Can people get access to my database remotely if they get this information? (I’m using HostGator and I didn’t allow my database for remote access.)

    And is my FTP info (account & password) stored in any file as plain text too in the WordPress folder?

    I’m mostly wondering if installing malicious theme/plugin may risk my password either for my wordpress account or ftp account. To me that’s more serious than having my site down temporarily.

    Thank you : )

Viewing 4 replies - 1 through 4 (of 4 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    The wp-config.php is only readable by someone already logged into your server (not WP, the server), so it’s not actually ‘readable.’

    That said, never use your FTP username and password in the wp-config.php file; make a stand-alone SQL account instead. Much safer, so that if (because yes, it can) a bad plugin/theme reads that file and transmits the data back home, you’re safe.

    Themes from wordpress.com are generally safe. Plugins are more of a risk (we don’t monitor them the same way) and if you find one doing that, please email plugins at wordpress.org ASAP and we’ll kill it with fire.

    Thread Starter Architect

    (@swotong)

    Hi Ipstenu @ipstenu ~

    Thanks for the reply. I always use ‘QuickInstall’ to install a new WordPress, therefore I never need to set up those SQL accounts myself. It creates a SQL account with a random but complex password, which seems pretty good in terms of safety.

    For the FTP part, I don’t remember ever typing in any information about it when using WordPress. Does WordPress need my FTP info to work? Or is it just for some old version of WordPress?

    Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    It only needs your FTP info when upgrading or installing plugins/themes, and that depends on how your FTP security is set up. On my Dad’s site I never need to put in FTP details. On mine I always do.

    You can hard code that into the wp-config file, but really I would never do it.
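    The two pieces of advice above (use a stand-alone SQL account rather than the FTP login, and don’t hard-code FTP details into wp-config.php) can be checked mechanically. The following audit helper is an added example written for this thread; it is not part of WordPress or anything the posters shared. It reads a wp-config.php, pulls out the real WordPress constants `DB_USER`, `DB_PASSWORD`, `DB_HOST`, `FTP_USER` and `FTP_PASS`, and reports settings that contradict the advice: FTP credentials present in the file at all, the database account being the FTP account, and a non-local `DB_HOST` (which is what would let a leaked database password be used from off the server). The two sample configs and every credential in them are constructed placeholders; the function names are my own. It can only detect FTP/DB credential reuse when the FTP constants are actually in the file.

```shell
#!/bin/sh
# Added example (not WordPress code): audit a wp-config.php for the
# credential-handling problems discussed in this thread.

# Print the string value of define('NAME', 'value') for constant $1 in file $2.
wp_define_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$1['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$2" | head -n 1
}

# Print a space-separated list of finding codes; empty output means clean.
audit_wp_config() {
    file="$1"
    findings=""
    ftp_user=$(wp_define_value FTP_USER "$file")
    ftp_pass=$(wp_define_value FTP_PASS "$file")
    db_user=$(wp_define_value DB_USER "$file")
    db_pass=$(wp_define_value DB_PASSWORD "$file")
    db_host=$(wp_define_value DB_HOST "$file")

    # Any FTP credential in the file: a plugin that reads wp-config.php
    # would be transmitting a login that can rewrite the whole site.
    if [ -n "$ftp_user" ] || [ -n "$ftp_pass" ]; then
        findings="$findings FTP_CREDS_IN_CONFIG"
    fi
    # The database account is the FTP account, i.e. no stand-alone SQL user.
    if [ -n "$ftp_user" ] && [ "$ftp_user" = "$db_user" ]; then
        findings="$findings FTP_AS_DB_USER"
    fi
    if [ -n "$ftp_pass" ] && [ "$ftp_pass" = "$db_pass" ]; then
        findings="$findings FTP_PASS_REUSED"
    fi
    # A non-local DB host means the DB password is usable from outside the box.
    case "$db_host" in
        "") findings="$findings DB_HOST_UNDEFINED" ;;
        localhost|localhost:*|127.0.0.1|127.0.0.1:*) ;;
        *) findings="$findings REMOTE_DB_HOST" ;;
    esac
    echo "${findings# }"
}

# Constructed sample: the setup the thread warns against (placeholder values).
write_weak_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'ftpaccount' );
define( 'DB_PASSWORD', 'ftp-password-placeholder' );
define( 'DB_HOST', 'db.example.com' );
define( 'FTP_HOST', 'ftp.example.com' );
define( 'FTP_USER', 'ftpaccount' );
define( 'FTP_PASS', 'ftp-password-placeholder' );
EOF
}

# Constructed sample: dedicated local DB account, no FTP details at all.
write_hardened_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wp_site' );
define( 'DB_USER', 'wp_site_db' );
define( 'DB_PASSWORD', 'db-only-password-placeholder' );
define( 'DB_HOST', 'localhost' );
EOF
}

# Demo run on the two constructed samples.
demo_dir=$(mktemp -d)
write_weak_config "$demo_dir/weak-wp-config.php"
write_hardened_config "$demo_dir/hardened-wp-config.php"
echo "weak:     $(audit_wp_config "$demo_dir/weak-wp-config.php")"
echo "hardened: $(audit_wp_config "$demo_dir/hardened-wp-config.php")"
rm -rf "$demo_dir"
```

Point it at a real file with `audit_wp_config /path/to/wp-config.php`; an empty result means none of the thread’s warned-against settings are present. It says nothing about whether a plugin can read the file (it always can, since it runs as the same user as WordPress), which is exactly why the fix is to keep nothing in there beyond a dedicated, locally bound database login.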

    Thread Starter Architect

    (@swotong)

    Ok, looks like my FTP is safe the way it is for now~

    Thanks a lot~~


The topic ‘Question about security’ is closed to new replies.