Title: Question about security
Last modified: August 20, 2016

---

# Question about security

 *  Resolved [Architect](https://wordpress.org/support/users/swotong/)
 * (@swotong)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/question-about-security/)
 * Hi,
 * It seems quite easy for a malicious theme or plugin to copy my WordPress files
   on my server and email them back to the bad guy, so I just came up with these
   questions:
 * Inside wp-config.php, my database information can be read easily since it is
   just plain text. Can people get access to my database remotely if they get this
   information? (I’m using HostGator and I didn’t allow remote access to my database.)
 * And is my FTP info (account & password) stored in any file as plain text too in
   the WordPress folder?
 * I’m mostly wondering if installing a malicious theme/plugin may risk my password
   either for my WordPress account or FTP account. To me that’s more serious than
   having my site down temporarily.
 * Thank you :)

Viewing 4 replies - 1 through 4 (of 4 total)

 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [13 years, 9 months ago](https://wordpress.org/support/topic/question-about-security/#post-2862008)
 * The wp-config.php is only readable by someone already logged into your server
   (not WP, the server), so it’s not actually ‘readable.’
 * That said, never use your FTP username and password in the wp-config.php file,
   [make a stand alone SQL account](http://halfelf.org/2012/stand-alone-sql-account/)
   instead. Much safer so that if (because yes it can) a bad plugin/theme reads 
   that file and transmits the data back home, you’re safe.
 * Themes from wordpress.com are generally safe. Plugins are more of a risk (we 
   don’t monitor them the same way) and if you find one doing that, please email
   plugins at wordpress.org ASAP and we’ll kill it with fire.
 *  Thread Starter [Architect](https://wordpress.org/support/users/swotong/)
 * (@swotong)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/question-about-security/#post-2862027)
 * Hi Ipstenu [@ipstenu](https://wordpress.org/support/users/ipstenu/) ~
 * Thanks for the reply. I always use ‘QuickInstall’ to install a new WordPress,
   therefore I never need to set up those SQL accounts myself. It creates a SQL account
   with a random but complex password, which seems pretty good in terms of safety.
 * For the FTP part, I don’t remember ever typing in any information about it when
   using WordPress. Does WordPress need my FTP info to work? Or is it just for some
   old version of WordPress?
 *  Moderator [Ipstenu (Mika Epstein)](https://wordpress.org/support/users/ipstenu/)
 * (@ipstenu)
 * 🏳️‍🌈 Advisor and Activist
 * [13 years, 9 months ago](https://wordpress.org/support/topic/question-about-security/#post-2862050)
 * It only needs your FTP info when upgrading or installing plugins/themes, and
   that depends on how your FTP security is set up. My Dad’s site I never need to
   put in FTP details. Mine I always do.
 * You _can_ hard code that into the wp-config file, but really I would never do
   it.
 *  Thread Starter [Architect](https://wordpress.org/support/users/swotong/)
 * (@swotong)
 * [13 years, 9 months ago](https://wordpress.org/support/topic/question-about-security/#post-2862081)
 * Ok, looks like my FTP is safe the way it is for now~
 * Thanks a lot~~
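
As an added example (not code from this thread or from WordPress itself), a small Python audit for the points raised above: it flags hard-coded `FTP_*` constants in wp-config.php, a `DB_USER` that matches the FTP account, and a file mode that lets other local users read the file. The function names, the `ftp_account` parameter and the sample file contents are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# define('NAME', 'value') at the start of a line; lines commented out with // or # do not match.
DEFINE_RE = re.compile(
    r"""^[ \t]*define\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)")\s*\)""", re.M)
# Block comments that open at the start of a line (simplified, not a full PHP parser).
BLOCK_COMMENT_RE = re.compile(r"^[ \t]*/\*.*?\*/", re.M | re.S)

def audit_text(text, ftp_account=None):
    """Return findings for the contents of a wp-config.php file."""
    text = BLOCK_COMMENT_RE.sub("", text)
    consts = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
              for m in DEFINE_RE.finditer(text)}
    findings = [f"{name} is hard-coded in wp-config.php"
                for name in ("FTP_HOST", "FTP_USER", "FTP_PASS") if consts.get(name)]
    # ftp_account is supplied by the person running the audit (assumption).
    if ftp_account and consts.get("DB_USER") == ftp_account:
        findings.append("DB_USER is the FTP account; create a stand-alone SQL account")
    return findings

def audit_file(path, ftp_account=None):
    """audit_text plus a check that other local users cannot read the file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings = audit_text(fh.read(), ftp_account)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"mode {mode:o} lets other local users read the file")
    return findings

# Constructed sample, not taken from any real site.
SAMPLE = """<?php
define('DB_NAME', 'example_wp');
define( 'DB_USER', 'exampleftp' );
define('DB_PASSWORD', 'constructed#pass//word');
// define('FTP_PASS', 'old-value');
/* define('FTP_HOST', 'ftp.example.test'); */
define("FTP_USER", "exampleftp");
"""

if __name__ == "__main__":
    with tempfile.NamedTemporaryFile("w", suffix=".php", delete=False) as tmp:
        tmp.write(SAMPLE)
    os.chmod(tmp.name, 0o644)
    for finding in audit_file(tmp.name, ftp_account="exampleftp"):
        print(finding)
    os.remove(tmp.name)
```

Commented-out `define()` lines are ignored, so only credentials that are actually active in the file are reported.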


The topic ‘Question about security’ is closed to new replies.

 * In: [Everything else WordPress](https://wordpress.org/support/forum/miscellaneous/)
 * 4 replies
 * 2 participants
 * Last reply from: [Architect](https://wordpress.org/support/users/swotong/)
 * Last activity: [13 years, 9 months ago](https://wordpress.org/support/topic/question-about-security/#post-2862081)
 * Status: resolved
