It’s php – the server sees it, not the browser. Honest 🙂
OK, first of all, apologies for these noobish questions… but… since WordPress is popular, many people will know which file (namely, wp-config.php) and where it would be located… can’t they just get the file easily that way?
Hmmmm, I see your point, but for some reason it gives me a squeamish feeling that someone would be able to mine that info (maybe by retrieving the file?)
Thanks for the responses podz!
Are you new to the web? If you fear that, then you’ll need to do some research into your hosting account. You should understand the dangers that await you before using anything on the web, including WordPress.
No, not new to the web, but trying to understand MySQL databases and how they work (new to MySQL)… Knowledge is Power… right?
There are some minor security implications, but no real way to get around them short of having your own server.
With shared hosting (unless it’s been configured by highly competent professionals, which I’ve never seen on a shared hosting server) anyone else with an account on that server can access your files. It’s that simple. Also, since they have an account on the same server, they can access your MySQL database with the password in the file. Since the web server process has to be able to read the file to display your blog, generally every other user is able to as well. Sometimes changing the group of the file to the same group the web server process runs as (usually nobody or www-data), and then chmodding it to 750 will work, but often it does not.
The other thing is that even if I were to somehow obtain your MySQL details, I wouldn’t be able to connect to (assuming it’s properly configured) the server since the MySQL server wouldn’t be exposed to the network. I’d need an account on the server to do that. Fact is, though, that the PHP is parsed server-side and unless there are ‘echo’ statements in it echoing your database details, it’s not going to output anything whatsoever to a user on the internet.
For most, though, these are non-issues. Most people on shared hosting aren’t knowledgeable enough to attempt an attack (not to mention don’t care). The only way to be assured of your security is to have full control of the server, period. The happiest medium for most users is a virtual private server or UML session, but the cost is significantly more than shared hosting, and they take some *nix skills to manage.
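A concrete way to test for, and apply, the permission change error404 describes, as an added example that is not from the thread or from WordPress itself. It assumes a POSIX shell with stat(1) (GNU or BSD), and uses the caller's own primary group as a stand-in for the web server's group (www-data or nobody on a real host), since that is the only group a demo can safely chgrp to:

```shell
#!/bin/sh
# Added example, not code from the thread: check whether a file such as
# wp-config.php is readable by every other account on the box, then tighten
# it to owner rw / web-server group r / nothing for others.
# Assumptions: POSIX sh, stat(1) from GNU coreutils or BSD, and that you know
# which group the web server runs as. The demo below substitutes the caller's
# own primary group ($(id -gn)) for that web-server group.

# Print the octal permission bits of a file (GNU stat first, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 if the "other" read bit is set (the shared-hosting problem), 1 if not.
world_readable() {
    mode=$(file_mode "$1") || return 2
    other=$(( mode % 10 ))          # last octal digit = permissions for "other"
    [ $(( other & 4 )) -ne 0 ]
}

# Give the file to the web server's group and strip all access for others.
# 640 rather than the post's 750: a config file is never executed, so the
# execute bit buys nothing. Returns 0 only if the file ends up not world-readable.
harden_config() {
    file=$1
    group=$2
    chgrp "$group" "$file" || return 1
    chmod 640 "$file" || return 1
    ! world_readable "$file"
}

# Walk through the before/after on a constructed stand-in for wp-config.php.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "<?php define('DB_PASSWORD', 'constructed-sample');" > "$tmp"
    chmod 644 "$tmp"                # the usual default a shared host leaves you with
    before=$(world_readable "$tmp" && echo yes || echo no)
    harden_config "$tmp" "$(id -gn)" || { rm -f "$tmp"; return 1; }
    after=$(world_readable "$tmp" && echo yes || echo no)
    rm -f "$tmp"
    echo "world-readable before: $before, after: $after"
}
```

Run `demo` to see the mode flip from 644 to 640. The hardening only helps when the web server really does run as a distinct group that other customers are not members of; on hosts that run PHP under your own user (suexec, php-fpm pools, CGI), the file can be 600 and the group step is unnecessary.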
error404 made some good points.
On shared hosting, you are fairly vulnerable to other users getting your stuff – but, like he said, none care to or have the skill to.
However, one thing left out so far is that if PHP stops processing all of a sudden for whatever reason, yes, your pass/login will show up like a text file.
However, the chances of this are extremely low – if PHP parsing is gone, it’s more likely than not that the whole server is down too. 🙂
In case you want that extra bit of security though, most servers are set up so that you log in via FTP, and then change to your webroot folder (usually called “public_html” or “www”).
If you have this setup, you can place the file in that first directory and then
in place of the user/pass in the wp-config file. Since no one (from the web) can access http://www.yourserver.com/../login.php you are very safe from it being revealed upon the slim chance of PHP showing as text.
But like said before, the security concern is very minimal, and not even close to worth the effort.
Anonymous
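The layout the post above describes (credentials one directory above the web root, wp-config.php pulling them in), as an added example that is not from the thread or from WordPress. It assumes an account directory that contains public_html/ as the web root; the credential file name db-login.php, the sample database values and the demo paths are all constructed for the example:

```shell
#!/bin/sh
# Added example, not code from the thread: put the database credentials in a
# file above the web root, have wp-config.php require it, and audit the web
# root afterwards so no PHP file that a URL can reach still carries the password.
# Assumptions: POSIX sh with mktemp and grep -r; account directory layout
# $acct/public_html as the web root; file name db-login.php and the sample
# values are constructed for the demo.

# Create the layout under $1 and print the path of the credential file.
setup_layout() {
    acct=$1
    mkdir -p "$acct/public_html" || return 1
    cat > "$acct/db-login.php" <<'EOF'
<?php
// Lives one level above public_html, so no URL maps to it even if PHP
// parsing ever breaks and the server starts handing files out as text.
define('DB_NAME',     'wp_example');
define('DB_USER',     'wp_user');
define('DB_PASSWORD', 'constructed-sample-password');
define('DB_HOST',     'localhost');
EOF
    cat > "$acct/public_html/wp-config.php" <<'EOF'
<?php
// __DIR__ is public_html; the credentials sit in its parent directory.
require_once dirname(__DIR__) . '/db-login.php';
// ... the rest of wp-config.php (table prefix, salts, ABSPATH) is unchanged ...
EOF
    chmod 640 "$acct/db-login.php"
    printf '%s\n' "$acct/db-login.php"
}

# Exit 0 when file $1 lies inside directory $2 (after resolving symlinks),
# 1 otherwise. Used to prove the credential file is really outside the web root.
under_dir() {
    f=$(cd "$(dirname "$1")" && pwd -P)/$(basename "$1")
    d=$(cd "$2" && pwd -P)
    case "$f" in
        "$d"/*) return 0 ;;
    esac
    return 1
}

# Audit the web root: exit 0 when no PHP file under it still defines a DB
# password, 1 when the relocation left (or someone re-added) one.
webroot_clean() {
    ! grep -rl 'DB_PASSWORD' --include='*.php' "$1" | grep -q .
}

# Build the layout in a scratch directory and report the two checks.
demo() {
    acct=$(mktemp -d) || return 1
    cred=$(setup_layout "$acct") || { rm -rf "$acct"; return 1; }
    if under_dir "$cred" "$acct/public_html"; then
        echo "credentials are still under the web root"
    else
        echo "credentials live outside the web root: $cred"
    fi
    if webroot_clean "$acct/public_html"; then
        echo "no DB_PASSWORD left in any PHP file under public_html"
    fi
    rm -rf "$acct"
}
```

Run `demo` to see both checks pass on the generated layout. The audit is the part worth keeping around: run `webroot_clean` against your real document root after a WordPress upgrade or a plugin install, since anything that writes a fresh wp-config.php would silently undo the relocation.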
Thanks for the responses everyone!
The topic ‘Security Issues’ is closed to new replies.