Security of wp-config.php

  • Hello all,

    In the wp-config.php file in the main directory of my blog I openly enter the username & password of my WordPress MySQL database. What are the security considerations of this method? If indexing of the blog directory is disabled (i.e. surfers can’t just open any file they want), am I safe?

    Can’t anyone just open …/blog/wp-config.php and see the private details?

  • Chris_K
    Member

    @handysolo

    Try and browse to it. 🙂 http://yourdomain.com/blog/wp-config.php

    I can’t browse to it, but this is the most trivial option. I wonder what prevents crackers more experienced than me from accessing it? Do they have to know my password or can it be overcome somehow?

    Mark (podz)
    Support Maven

    @podz

    PHP is executed on the server before it gets sent to the browser. I have posted my url to it before many times and the fact that tens of thousands of blogs use WordPress is testament to its effectiveness.

    What you need to do is have an effective password:
    CEMRFt+/bPy7UWhzd06I
    or something similar is good. Single words or even double words are very very poor.

    Your weakest link is not WP – it’s your password 🙂

    Not a new topic…

    http://wordpress.org/search/security+wp-config.php?forums=1

    Here’s a recent thread which discusses an option available to WP users (depending how your server is set up) if you’re *really* concerned about this:

    http://wordpress.org/support/topic/64882

    Keep this in mind though: if someone can read your wp-config content, you have a larger problem to deal with.

    the mighty G search tool has come up with code-search which will dig out your php file codes and show it to the www

    so even if you see nothing while pointing to the file the big G will dig them out for you with their codesearch, secure your config file now boys and girls.

    responding again, since you did as well:

    what you are implying is absolute crap, kenl77, and I challenge you to show a single instance where a wp-config.php that is currently being used for a live site is being displayed in plain text via Google.

    Actually, you don’t need big G to expose the contents of your PHP file. If the server goofs up and the PHP server stops responding, you could get into a situation where the content of the PHP file is shown as plain text. Not very likely, but still a possibility.

    zzz.. it’s very rare that the PHP interpreter dies. I’m well aware of the possibility, but guess what — WP sites are more likely to be compromised by a host of other methods, none of which rely on the off-chance that someone will cruise by while PHP is handing out text files.
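The thread's two cases (PHP executes wp-config.php and the browser sees nothing, or PHP stops and the file goes out as plain text) can be checked mechanically against your own site. This is an added example, not code from the thread or from WordPress; the function names, verdict labels and sample bodies are hypothetical, and it assumes a directly requested wp-config.php that executes normally prints nothing.

```python
import re
import urllib.error
import urllib.request

# Raw PHP source contains these; the output of an executed wp-config.php does not.
PHP_OPEN_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)
DB_DEFINE = re.compile(r"define\s*\(\s*['\"](DB_(?:NAME|USER|PASSWORD|HOST))['\"]")


def classify_response(status, body):
    """Classify one GET of wp-config.php; returns (verdict, leaked constant names)."""
    leaked = sorted(set(DB_DEFINE.findall(body)))
    if leaked or PHP_OPEN_TAG.search(body):
        # Source reached the client. Report constant names only, never their values.
        return "source-exposed", leaked
    if status in (401, 403, 404):
        return "blocked", []  # the web server refuses to serve the file at all
    if status == 200 and not body.strip():
        return "executed", []  # assumption: PHP ran the file and printed nothing
    return "review", []  # error page or other unexpected content: check by hand


def check_url(url, timeout=10):
    """Fetch the wp-config.php URL of your own site once and classify the response."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status = err.code
        body = err.read(65536).decode("utf-8", "replace")
    return classify_response(status, body)


# Constructed sample bodies (not captured from any real site).
SAMPLE_LEAK = (
    "<?php\n"
    "define('DB_NAME', 'example_db');\n"
    'define( "DB_PASSWORD", "placeholder" );\n'
)

if __name__ == "__main__":
    print(classify_response(200, SAMPLE_LEAK))           # plain-text failure mode
    print(classify_response(200, ""))                    # normal case
    print(classify_response(403, "<h1>Forbidden</h1>"))  # access denied by server
```

Run `check_url` on a schedule and alert on `source-exposed`; if it ever fires, treat the database password as disclosed and change it.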
