Support » Fixing WordPress » recovering the WordPress Site’s Database Password – and hardening it

  • Hello dear experts,

    Today I want to discuss some WordPress hardening ideas: how to recover the WordPress site’s database password, the steps, and the question of hardening.

    The steps:

    – Log in to the Account Control Center
    – Navigate to your WordPress wp-config.php file and click it.
    – In the top navbar, click Edit.

    See the entry for the DB password.

    But what about the “Hardening WordPress” page of the Codex? The page does contain a section on “Securing wp-config.php”, where some hardening ideas were discussed. The hardening ideas and concepts include:

    a. changing the permissions on files to 440 or 400.
    b. moving the wp-config file one directory up from the root (only if the server configuration allows for that process)

    Furthermore: of course there seems to be some additional danger in having a file with the password like this, especially if someone gets access to the server itself. But at that point the intruders are already in your server. Above all, taking all the considerations into account, we can say: you don’t have much of a choice. The alternate means of configuring WordPress are only a few.

    To take into consideration: b. “moving the wp-config file one directory up from the root” (only if the server configuration allows for that process). To discuss the case for keeping the config file one level up from the web root level:

    – What if the intruder killed PHP but left Apache running?
    – In this case everyone who was able to reach the homepage was offered index.php as a downloadable dataset. This is pretty dangerous.
    – Conclusion: all the guys who knew that the site in question is a WordPress site could have requested wp-config.php, and gotten it (since this file is now in the web root).

    To finalize this intrusion idea: at this point the intruders would only be able to use those DB credentials. If someone allowed remote MySQL connections, this could be very dangerous.

    One can lock it all down as much as one can; in the end we have to say this is how WordPress is built. What about the idea of keeping the config out of sight, why not do it?

    What do you think about hardening? I look forward to a fruitful discussion.

    Have a great day.
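    As an added example (not from this thread, and not WordPress’s own code), a small POSIX shell audit of the two Codex points in the post: it reports whether wp-config.php sits inside the document root, where a web server that has stopped executing PHP could hand it out as text, and whether its mode is 440 or 400. It assumes the document root is the directory holding wp-settings.php and builds a constructed demo tree to run against.

```shell
# Added audit for the two Codex points in the post: (a) wp-config.php mode 440
# or 400, (b) wp-config.php one directory above the document root. Assumption:
# the document root holds wp-settings.php; WordPress only looks in the parent
# when the parent has no wp-settings.php of its own (nested installs).

file_mode() {  # octal permission bits; GNU stat first, BSD stat fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}
# Prints findings. Returns 0 when both checks pass, 1 when something is weak,
# 2 when no wp-config.php is found at all.
audit_wp_config() {
    docroot=$1
    parent=$(dirname "$docroot")
    rc=0
    if [ -f "$docroot/wp-config.php" ]; then
        cfg="$docroot/wp-config.php"
        echo "WARN: wp-config.php is inside the web root; if PHP stops executing, the web server can serve it as plain text"
        rc=1
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        cfg="$parent/wp-config.php"
        echo "OK:   wp-config.php lives one level above the web root"
    else
        echo "ERR:  no wp-config.php found for $docroot"
        return 2
    fi
    mode=$(file_mode "$cfg")
    case "$mode" in
        400|440) echo "OK:   mode $mode" ;;
        *)       echo "WARN: mode $mode, Codex suggests 440 or 400"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed demo trees (not a real site): "bad" keeps a world-readable
# wp-config.php in the document root, "good" keeps it one level up at 400.
make_demo() {
    base=$(mktemp -d)
    mkdir -p "$base/bad/html" "$base/good/html"
    touch "$base/bad/html/wp-settings.php" "$base/good/html/wp-settings.php"
    echo "<?php define('DB_PASSWORD', 'example');" > "$base/bad/html/wp-config.php"
    echo "<?php define('DB_PASSWORD', 'example');" > "$base/good/wp-config.php"
    chmod 644 "$base/bad/html/wp-config.php"
    chmod 400 "$base/good/wp-config.php"
    echo "$base"
}

DEMO=$(make_demo)
audit_wp_config "$DEMO/bad/html" || echo "bad tree is not hardened"
audit_wp_config "$DEMO/good/html"
```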

Viewing 1 replies (of 1 total)
  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Plugin Review Team Rep

    @say_hello I’m going to close this post because while we understand your desire to have a discussion, the support forums aren’t really the right place.

    What IS the right place? Good question. And the problem here is that there isn’t a single answer that will work for all (or even most) WordPress installs.

    Just to touch on one of your examples, if an intruder already got into your server to kill PHP and leave Apache running, your issues are so much more than WordPress can even attempt to help you with.

    “What about the idea of keeping the config out of sight, why not do it?”

    The short answer? Not all web hosts can do it. They SHOULD, and we certainly encourage it, but you’ve got to have the config file somewhere that WP can talk to it, and it’s always going to be the weak link.

    I would recommend you come on over to Slack and join in the new core contributors chat – https://make.wordpress.org/core/tag/new-contributors/ has a list of some of the older talks. That would be a great starting place for you 🙂

  • The topic ‘recovering the WordPress Site’s Database Password – and hardening it’ is closed to new replies.