Support » Installing WordPress » Delete wp-config.php or leave?

  • Since wp-config.php has the MySQL username/password should this file be deleted? It is web accessible if left where it is correct?

Viewing 15 replies - 1 through 15 (of 17 total)
  • whooami



    If you delete it, your wordpress install wont work.

    Yes, its web accessible, however what do you see when you load it up in your browser? (rhetorical)

    It is blank when I go there, however after I do the installation should I delete it?




    Im sorry, did you not understand my answer?

    If you delete it, your wordpress install wont work.

    is that not clear enough?


    Are you saying that installing wordpress will not work or that even if it is installed, if it is removed, it will break?




    You know what — if you cant comprehend what youve been told then I think you need to just delete the file and be done with it.

    That way you dont have to ask, you dont have to waste my time reading, you can just see for yourself.

    Hows that?

    Frankly, I dont think I need to make myself any clearer than I already have, and I feel like Im wasting my time.

    best of luck, go delete your wp-config.php

    If you’re questioning the wisdom of having a unencrypted file containing passwords in a web readable directory, you’re not alone.

    It’s relatively trivial to google and find a bunch of mysql user/passes when people have mis-configured apache/php and the raw output is being returned.

    <irony>whooami sounds like a really nice guy, giving out friendly advice … </irony>. I understand relegated’s query, having installed phpbb several times. It’s not unusual to have to go into your FTP client and delete the config file as it is a simple, normal, everyday file with a URL like any other, and the natural instict is that anyone would be able to view it. While it’s true that attempting to view it in a browser does produce a blank page (and the source code is incomplete), and as there’s no mention of deleting the file in the installation instructions, it’s probably safe to assume that it is inaccessible (although I should add that I’ve followed phpbb installation instructions to the letter and still had my forum hacked).

    I arrived here by searching google for exactly the same query that the original poster was making, and I’m sure many others do. If anything it looks like whooami has no understanding of the potential or feared security risk, and would welcome any positive feedback or reassurance on the matter. I’m with you, relegated!

    Simply put: Do NOT delete the wp-config.php.

    You can, however, put the login details from that file in a separate file in your home directory(or whatever directory is above your root and non-accessibly by the web) and simply put an includes statement in your wp-config.php to include that other file.

    If I can find it, there is a way to move the wp-config file and add a file so WP can find wp-config in a sub-dir. Joomla does this but I don’t remember the details.

    If WordPress resides in a folder that is contained in your web-root folder (e.g. web-root/wordpress) then you can put the wp-config.php in your web-root folder and WordPress will use that. But WordPress won’t work if wp-config.php is outside your web-root folder.

    See bh_WP_fan’s suggestion if you desire to put the information somewhere else.

    Just as a note, whooami, while rough on the edges, is one of the GOTO GIRLS, when it involves security related issues.

    Found it! This should work for any file you want to move.

    The Joomla equivalent of wp-config.php is called configuration.php. You create a new wp-config.php with the code in that article in place of the real wp-config.php, in the site root. Your real wp-config.php is on another subdirectory, away from harm.

    Just as a note, whooami, while rough on the edges, is one of the GOTO GIRLS, when it involves security related issues.

    I’d have to agree with that. Whooami can dish out some punishment, but also offers a lot of useful advice and knowledge in security issues as well as many other issues. Some of the best advice I’ve seen on the forum has come from whooami.

    a_johnson: good link! I’ll just add that, in step three when it says to make sure the config file isn’t writable, although I don’t think it matters as much in WordPress as it does in Joomla, the permissions for this should be 444. Changing the permissions should also only be done after everything is finished and tested as working as, if they are changed too soon, you won’t be able to complete your edits on the file.

    @ whooami I think your response was an over reaction. You clearly don’t know how to respond to people who understand WP of varying degrees. The question was legitimate his subsequent reaction was well founded “really” and your respond “go ahead and do it” “I can’t make myself any clearer” reminds me of a baby throwing it’s toys out of a pram.

    You’d do well to be a bit more understanding and helpful.

    *blinks* Well this thread went downhill pretty quickly. Isn’t this the place for users of all capabilities should be able to get “support”? Maybe some of us had a bad day; it happens.

    Thank you @a_johnson for providing the link! It was rather straightforward and is one of the few “hacks” that worked for me right away (instead of slaving for three hours trying to find that one little [SPACE] entry that screws up all the coding, heh).

    If those of us with shiny new learners-permits can recognise that there might be a potential security flaw in having your usernames/passwords sitting in a php file, what happens when some stealth hacking guru decides to try to ef-ur-stuff-up?

    So yes, for fellow newbies/nubes, simply copy and paste the wp-config.php file into the root folder (the one that should have folder names such as: “www”); rename it if you wish, then create a new wp-config.php file to sit in the wordpress folder. This new file should only have one line:

    <?php include(‘../your-newly-renamed-wp-config-file.php’); ?>

    And this will hopefully ensure that no one can access your wordpress configuration info. Mind you, my knowledge of website security is lacking, so perhaps someone will knock me down an inch or two for trying.

    Stay tuned.

    Yep! Spoke too soon! So while this quick-fix works beautifully for the front end of your blog, it does nothing for the back-end. Ie. a lot of errors popped up.

    So instead of the one-liner (immediate entry above), the bottom part of the wp-config.php file that begins with: /** Absolute path to the WordPress directory. */ should stay in that file. DON’T MOVE IT.

    Also, the include line needs to be a little more literal instead of using the “../”. Your file linking should begin with something like <? php include(home/your-root-folder-name/your-newly-renamed-wp-config-file.php’);

    But don’t close with the ?> because you’ll have remaining coding below that needs to be accessed.

    So yeah, I just had one of those three-hours-of-looking-for-an-extra-“.” moments once more.

    Onto the next day!

Viewing 15 replies - 1 through 15 (of 17 total)
  • The topic ‘Delete wp-config.php or leave?’ is closed to new replies.