Support » Fixing WordPress » Not use DEFINE for db information?

  • Resolved billsaysthis

    (@billsaysthis)


    Is it possible to rewrite wp-config to not leave the information as plain text in a well-known file/location? This seems like an unnecessary security hole. Searching the codex and here doesn’t turn up any past discussion though apologies in advance if I missed it.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Michael Adams (mdawaffe)

    (@mdawaffe)

    Member

    I’d suggest reading through the (many) comments about (more or less) this issue from the wp-hackers mailing list:
    http://comox.textdrive.com/pipermail/wp-hackers/2005-April/thread.html

    Search that page for “Security Vulnerability found”, and you’ll find some pertinent information. Note the threading on that site is not perfect; the issue is spread over a couple different threads.

    I’m not trying to sidestep your question or to turn you away. I’m just pointing out some background. (And no apologies necessary).

    EDIT: There was a forum post about the specific (so-called) threat that wp-hackers list thread talks about. http://wordpress.org/support/topic.php?id=30721

    At least one mention of the topic I’m aware of here:

    http://wordpress.org/support/topic.php?id=16288

    If you’re that concerned, you could certainly rename/move the config file, but you’ll need to inform WordPress about it, which would involve editing quite a few files in the main and ‘wp-admin/’ directories.

    A modicum of protection: install WP in a subfolder named whatever you want the blog name to be (as in P O V, Whispers, Talespinner – the ones I have active at the moment). That’s one more minor layer of obfuscation between the greebs and wp-config.php.

    Sorry, I wasn’t even aware of the wp-hackers mailing list and am now highly amused that I posted this question just days after such a huge thread on the topic. Try not to be such a noob but what does it get you anyway 😉

    Moderator Michael Adams (mdawaffe)

    (@mdawaffe)

    Member

    No worries :)

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘Not use DEFINE for db information?’ is closed to new replies.