Security question about wp-config.php

  • I’m very new to PHP but I’ve been taught that files like wp-config.php which contain database passwords etc. should not be stored in the publicly-accessible directory hierarchy.
    If PHP stopped running on my web host, and you tried to run wp-config.php in your browser (and let’s face it, every hacker and his dog knows that all WordPress installations have one) wouldn’t the browser display it as a plain text file?
    Should files like that be moved above the public hierarchy and included? That way if PHP disappears, all you’d see of wp-config.php is an include line.
    Am I missing something here through my lack of PHP experience or is WP cleverly crafted to avoid this kind of issue?

Viewing 9 replies - 1 through 9 (of 9 total)
  • Not sure about the security side of it all but have you implemented this technique with success?




    ryanfitzer, you can include files that exist outside your webroot, that’s not limited to php, either, it’s done with sensitive perl scripts as well.

    As for the original question — I cannot actually tell you what would happen IF the php interpreter failed and you had the config in the parent directory (for instance), primarily because I’ve actually never seen or read where someone has had a similar scenario occur.

    I do know I’ve done just that with phpBB configs before and things worked just fine 🙂

    I know this is possible, my interest was if TheAuthor was able to use this technique, disable php and then test the security issues with success? I would like to know. I see a lot of posts about people being hacked.

    Mark (podz)


    Support Maven

    People are usually ‘hacked’ because:
    – of a server-side script
    – they have a very poor password

    I don’t recall any post here in over 2.5 years where php failure has even happened. That’s not to say it can’t happen but it’s not been reported.
    There have been a couple of posts about this in the past but I forget the outcome.

    Thanks for all the replies. I’ve moved the four define db… lines into their own php file above the public hierarchy and put an include line into wp-config.php. WP still works fine so far. I always use this technique for PHP’s on my site which need to access my MySQL database.
    I know it’s very unlikely that my web host would allow my website server to be available when there was a problem with PHP but I like to cover all the bases that I can and this particular issue has been shouting at me since I installed WP two days ago 🙂
    The technique is advocated by Kevin Yank at SitePoint in his book “Build Your Own Database-Driven Website Using PHP & MySQL” as an absolute must. But it could just be that he’s as paranoid as I am.
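
The layout described in the post above, together with the check asked for earlier in the thread (what the raw file exposes when PHP does not run), as an added example that is not part of the original thread. The directory names, the file name `db-settings.php` and the credentials are constructed; reading the file as plain text stands in for a web server sending the source unparsed.

```php
<?php
// Added example with constructed paths and credentials (not from the thread).
// Layout: $base/private/db-settings.php   (above the web root)
//         $base/public_html/wp-config.php (inside the web root)
$base    = sys_get_temp_dir() . '/wpcfg-demo-' . bin2hex(random_bytes(4));
$private = "$base/private";
$docroot = "$base/public_html";
mkdir($private, 0700, true);
mkdir($docroot, 0755, true);

// The four DB defines live outside the document root.
$secrets = <<<'EOT'
<?php
define('DB_NAME',     'example_db');
define('DB_USER',     'example_user');
define('DB_PASSWORD', 'constructed-sample-password');
define('DB_HOST',     'localhost');
EOT;
file_put_contents("$private/db-settings.php", $secrets);

// wp-config.php keeps only the include line and fails closed if the
// settings file is missing or unreadable.
$config = <<<'EOT'
<?php
$settings = dirname(__DIR__) . '/private/db-settings.php';
if (!is_readable($settings)) {
    http_response_code(500);
    exit('Configuration unavailable.');
}
require $settings;
EOT;
file_put_contents("$docroot/wp-config.php", $config);

// What a web server would send if it stopped handing .php files to PHP:
$served = file_get_contents("$docroot/wp-config.php");
$leaks  = strpos($served, 'constructed-sample-password') !== false;
echo "Raw wp-config.php leaks password: ", $leaks ? 'yes' : 'no', "\n";

// With PHP working, the same file still defines the constants.
require "$docroot/wp-config.php";
echo "DB_USER when executed: ", DB_USER, "\n";

// The settings file has no path under the document root, so no URL maps to it.
$root   = realpath($docroot) . DIRECTORY_SEPARATOR;
$inside = strpos(realpath("$private/db-settings.php"), $root) === 0;
echo "Settings file inside web root: ", $inside ? 'yes' : 'no', "\n";
```

The raw source still reveals the relative location of the settings file, but that path lies outside anything the web server maps to a URL.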

    Moderator Samuel Wood (Otto)

    (@otto42) Admin

    You’re basically correct, but the webserver config would have to actually change in some way for PHP to “fail” in that manner.

    Personally, I just run my database on a non-public port, so you wouldn’t be able to connect to my DB even if I told you exactly where and how. The port is blocked at the firewall. The webserver can connect, because it’s behind the firewall and has an exposed port through it, but the DB does not.

    Well, don’t forget that most MySQL servers only allow access from a certain list of IP(s), so even if they got your MySQL details, there’s not much they could do with them. 😉

    My MySQL server is set up the way Otto42 says – only scripts running from my host’s servers can access it. So I can’t use tools like PHP-Administrator – my host provides a browser-based admin program instead.

    So in fact, even if my db details did get displayed due to a PHP-failure, the only people it would be of use to are the other website-owners whose sites are hosted on the exact same server as mine.

    And as there is no way for anyone to determine who else is sharing each server, perhaps I’ve been worrying unnecessarily.

    I share your caution, TheAuthor, and it generates unease in my little paranoid heart to see any confidential data at all in the public area of my site. Since I installed WP for the first time yesterday afternoon, this has been a niggling concern.

    Whilst I take on board the reassurances posted here by other contributors, I feel that some unforeseen circumstance over the years could change our understanding of what is secure and what is not. I prefer to take no chances and therefore I am moving the confidential connection data to a secure area above my public pages.

    Thank you for reminding me of Kevin Yank’s book, which I looked up p. 171. Like you, I am not competent in PHP but I can follow the gist of a piece of code, having been a programmer in my youthful years. I have copied your solution.

    Just wondering if there is also an alternative method using .htaccess?

  • The topic ‘Security question about wp-config.php’ is closed to new replies.