• Resolved so

    (@so)


    Hi, I want to restrict access to the WordPress admin and config files using htpasswd/htaccess, without users having to know or enter this passwd when browsing the blog or posting comments. I want this especially so no one but an admin user can read the wp-config.php, since this file has mysql username and password in (horror …) *plaintext*.

    But the way WordPress files are organized, once I restrict access to the top folder, users can't read the blog without knowing the password.

    Any ideas on the best way to disallow access to wp-config.php, or if this is not possible, encrypt the mysql username and password?

    Regards

Viewing 4 replies - 1 through 4 (of 4 total)
  • Have you ever tried to access your wp-config file by typing its location in your browser…? Just wondering.

    so,

    that's not what you want to do.

    do this, if you insist on doing something similar to that:

    <Files "wp-config.php">
      Order Deny,Allow
      Deny from all
    </Files>

    That will prevent attempts to open the file in a browser... which, like Moshu said, is a fruitless endeavor anyway.

    Thread Starter so

    (@so)

    Thank you very much for your replies. Being new to PHP, I'd no idea an individual PHP file won't do anything unless its requires have been executed in order. Cool. I feel safe(er) but still don't like the db username and passwd being stored in plaintext. Wish there was some way or a plugin to encrypt and decrypt it on demand and make it available to other modules that require it.

    So, PHP would need to be broken on your server, in order to ever display that file as plain text.

    Whenever the file is requested, it’s passed through PHP before being output, and when that happens, it’s processed, not directly sent to a browser.

    If you are really concerned then what whoami posted is definitely the only additional thing you should be doing – and protects you in the case that PHP for some reason goes belly-up, and your web server decides to let you “download” the file, or display it as text/plain.

    This isn’t particularly likely, unless there’s something else seriously wrong too, at which point you can’t be 100% sure that htaccess will work either, I guess.
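
Added example, not part of the thread or of WordPress: a check an admin can run against their own site to tell apart the three outcomes the replies describe for a direct request to wp-config.php (refused by the web server, executed by PHP, or served as source). The names `classify` and `fetch`, the marker strings, and reading a blank 200 as "PHP executed the file" are assumptions of this sketch; the sample responses are constructed.

```python
import sys
import urllib.error
import urllib.request

# Strings that only show up if the PHP source itself reaches the client.
SOURCE_MARKERS = ("<?php", "DB_PASSWORD", "DB_USER")

def classify(status, body):
    """Classify the response to a direct request for wp-config.php."""
    if any(marker in body for marker in SOURCE_MARKERS):
        return "LEAK"       # source served as text: PHP is not processing the file
    if status in (401, 403, 404):
        return "BLOCKED"    # web server refused the request (e.g. the <Files> rule)
    if status == 200 and not body.strip():
        return "EXECUTED"   # PHP ran the file, which prints nothing (assumption)
    return "REVIEW"         # anything else needs a manual look

def fetch(url, timeout=10):
    """Return (status, body) for url without raising on 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

# Constructed sample responses, one per outcome discussed in the thread.
SAMPLES = [
    (403, "<html><body>Forbidden</body></html>"),
    (200, ""),
    (200, "<?php\ndefine('DB_PASSWORD', 'constructed-value');\n"),
]

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Usage: python check_wpconfig.py https://your-own-site.example/wp-config.php
        print(classify(*fetch(sys.argv[1])))
    else:
        for status, body in SAMPLES:
            print(status, classify(status, body))
```

A "LEAK" result means the credentials in the file should be treated as exposed and rotated, whatever rule is added afterwards.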

  • The topic ‘How to limit access to wp-config.php’ is closed to new replies.