Support » Fixing WordPress » Not use DEFINE for db information?

  • Resolved billsaysthis


    Is it possible to rewrite wp-config to not leave the information as plain text in a well-known file/location? This seems like an unnecessary security hole. Searching the codex and here doesn’t turn up any past discussion, though apologies in advance if I missed it.

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Michael Adams (mdawaffe)



    I’d suggest reading through the (many) comments about (more or less) this issue from the wp-hackers mailing list:

    Search that page for “Security Vulnerability found”, and you’ll find some pertinent information. Note the threading on that site is not perfect; the issue is spread over a couple different threads.

    I’m not trying to sidestep your question or to turn you away. I’m just pointing out some background. (And no apologies necessary).

    EDIT: There was a forum post about the specific (so-called) threat that wp-hackers list thread talks about.

    At least one mention of the topic I’m aware of here:

    If you’re that concerned, you could certainly rename/move the config file, but you’ll need to inform WordPress about it, which would involve editing quite a few files in the main and ‘wp-admin/’ directories.

    A modicum of protection: install WP in a subfolder named whatever you want the blog name to be (as in P O V, Whispers, Talespinner – the ones I have active at the moment). That’s one more minor layer of obfuscation between the greebs and wp-config.php.

    Sorry, I wasn’t even aware of the wp-hackers mailing list and am now highly amused that I posted this question just days after such a huge thread on the topic. Try not to be such a noob but what does it get you anyway 😉

    Moderator Michael Adams (mdawaffe)



    No worries :)

  • The topic ‘Not use DEFINE for db information?’ is closed to new replies.