• WP version is 3.04, host is FatCow, OS is Vista

    Two issues:

    1) Conflicting permission settings are recommended for wp-config.php. Which are correct? See below.

    2) Given constraints of FatCow accounts, what is the best location for wp-config.php? See below.

    First issue

    Per instructions at this link (http://codex.wordpress.org/Hardening_WordPress) I set the permissions for wp-config.php to 700 from the default 750 setting. But then in a section on forcing SSL for protection of wp-config.php here (http://codex.wordpress.org/Administration_Over_SSL) we are told to set this permission to 400 or 440 as follows:

    “You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder. Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation. Also, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).”

    So, what is the proper setting, 700, 400, or 440? And what are the effects of those settings?

    Second issue

    Given the constraints of a) FatCow (my host), and b) my requirements and the apparent limitations of the WordPress SSL forcing options, what is the most secure location for wp-config.php?

    a) FatCow seems to allow me to place the file either in the root, where it is by default, or in an existing folder or a new folder under the root.

    b) More constraints arise from the particulars of my requirements and what appear to be limitations on the options available for SSL forcing. Please understand that at present I believe that I need to continue to allow http:// access for logins, which if they occur, will hopefully occur via proxy — so I cannot simply protect wp-config.php by forcing SSL access for admin sessions, because, according to the instructions, only two options exist for SSL forcing: a) all logins; and b) all logins plus admin session — there seems to be no option for SSL forcing for JUST admin sessions. Given those conditions, it appears that my best option is to relocate wp-config.php out of the root directory.

    Will it work if wp-config.php is moved to one of those subfolders of root? It appears this is my only alternative to the root directory at FatCow. The instructions do not seem clear to me on this point and I don’t want to break my installation.

    Again, here are the instructions I’ve found at (http://codex.wordpress.org/Administration_Over_SSL).

    “You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder. Note that wp-config.php can be stored ONE directory level above the WordPress (where wp-includes resides) installation. Also, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).”

    Thanks!!!
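
Added example, not part of the original post and not WordPress code: a Python sketch that decodes the four modes the post mentions (750, 700, 400, 440) and checks the two locations the quoted Codex text names for wp-config.php. The function names are illustrative, and whether the web server reads the file as its owner or through its group depends on the host, which is an assumption here.

```python
import os
import stat

def audit_mode(mode):
    """Describe what a permission mode allows on wp-config.php."""
    return {
        "symbolic": stat.filemode(mode)[1:],       # e.g. 'rwxr-x---'
        "owner_read": bool(mode & stat.S_IRUSR),
        "group_read": bool(mode & stat.S_IRGRP),   # matters if the web server is in the group
        "other_access": bool(mode & stat.S_IRWXO),
        "writable": bool(mode & 0o222),
        "exec_bits": bool(mode & 0o111),           # not needed to read a file
    }

def matches_quoted_advice(mode):
    """True for read-only modes limited to owner (and optionally group),
    i.e. the 400 / 440 settings in the quoted Codex text."""
    a = audit_mode(mode)
    return a["owner_read"] and not (
        a["other_access"] or a["writable"] or a["exec_bits"]
    )

def audit_file(path):
    """Audit the permission bits of a file that exists on disk."""
    return audit_mode(stat.S_IMODE(os.stat(path).st_mode))

def find_wp_config(wp_root):
    """Check the two places named in the quoted text: the install directory
    (where wp-includes resides), then ONE level above it. Subfolders of the
    install directory are not among them."""
    root = os.path.abspath(wp_root)
    for directory in (root, os.path.dirname(root)):
        candidate = os.path.join(directory, "wp-config.php")
        if os.path.isfile(candidate):
            return candidate
    return None

if __name__ == "__main__":
    for m in (0o750, 0o700, 0o400, 0o440):         # the modes named in the post
        a = audit_mode(m)
        print(f"{m:o} {a['symbolic']} owner_read={a['owner_read']} "
              f"group_read={a['group_read']} writable={a['writable']} "
              f"matches_quoted_advice={matches_quoted_advice(m)}")
```

With 700 and 400 only the file's owner can read it, so the web server must run as that owner; 440 also lets members of the file's group read it.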

  • The topic ‘Permissions settings, wp-config.php possible locations’ is closed to new replies.