Support » Plugins » Will protecting wp-config with .htaccess block plugin activation?

  • I’ve been designing websites for years but am still not great with actual coding so please bare with me…. I’m learning more about securing WP installs and wanted to add the following to .htaccess to secure my wp-config file:

    <files wp-config.php>
    order allow,deny
    deny from all

    But I’m thinking this would interfere with the way I’ve had my first plugin coded… let me explain…

    I am directing the development of my first plugin from a pre-written script that has it’s own installation file that usually needs you to hand enter the db details during installation to create the tables. During the WP plugin activation process the plugin writes the wp-config info to the scripts’ options.php file so the script can access the tables on demand.

    The script is located in: wp-contents/plugins/myscript/

    Q1: Will using the .htaccess command above stop my script from accessing the wp-config during activation?

    Q2: Is there a better way to get the script to use wp-config info?

    Your advice is greatly appreciated.

Viewing 7 replies - 1 through 7 (of 7 total)
  • opps… The title of this should read:

    “Will protecting wp-config with .htaccess block plugin activation?”

    As long as WordPress works, plugins will work. Plugins never include wp-config.php. WordPress does. Even when bootstrapping WordPress, you do not include wp-confg.php directly.

    I see no reason to “protect” wp-config.php in this way as long as .php files are actually processed when accessed through the web. wp-config.php outputs nothing, as long as this is the case.

    Put your wp-config.php in the parent folder, then it’s still found and automatically completely protected form web access, even if .php processing are disabled by a fatal misconfiguration.

    But as long as it’s readable it will not be protected form malware that executes on your server, as a theme or active plugin.

    What you are doing is adding an apache rule.

    So effectively what you have done is blocked anything going through apache, which accepts request over port 80, to that specific file only. Or if you are using different web server software, whatever it’s called.

    This won’t prevent anything which accesses the filesystem through any one of the other countless files as a part of the wordpress distribution, or 3rd party vendors from causing issues. So, any malware attempting to access your site through any other file, once they gain access to filesystem, they will have effectively circumvented your apache rule.

    The only time you would want to block access to a file over port 80 (which is the port which webservers such as apache use), is if the file accepts $_POST, $_GET or other variables from the web, making it a SQL/Shell/whatever attack vector, or in the case it handles $_FILE variables, a file system attack vector. The script itself would have to be not coded well, either not sanitizing the variables, or it otherwise would have to be a script which is resource intensive and when it is run, bogs down the server, which would mean it’s a possible denial of service attack vector.

    Did this help at all?

    With wordpress specifically, if you are under attack repetitively, it might be a wise move to block access to the entire administration section, and allow only specific people in, until the rest of the security can be figured out.

    On poorly configured shared servers, the larger issue might be with file permissions as alluded to in above posts. Should anyone breach any of your neighbors, if your files grant permissions for other groups on the server to access and write to your files, then that would be another way someone could circumvent the apache rule. Typically this should not really be a possibility, but people will share space in any number of strange ways. At the very least, if you are on a shared server, and are not confident that the host it set up right, make sure your file permissions do not allow anyone to write to the file except for the owner, which should be you.

    Granting other groups the ability to read your files, is okay. Granting other groups the ability to write to your files, that’s an issue. Your FTP program should allow you to set Read, Write, permissions.

    What has prompted you to block access to that file? Is it a file which is being tampered with or written to without your permissions?

    Q1: Will using the .htaccess command above stop my script from accessing the wp-config during activation?

    Q2: Is there a better way to get the script to use wp-config info?

    If you trust the files inside your wordpress distribution, then they absolutely by design must be able to read the files which are also a part of the same distribution.

    You might be interested in loading the WP-Config into global variable space using an Include_once command, as opposed to perhaps a file_get_contents command.

    In any event, there should be no real need to constantly generate code from “static” variables, which if I am correct, that’s what the wp-config file should be. “Static”, or non-changing variables, or hardcoded ones.

    What I can’t edit my posts after 40 minutes?

    I am the Law!


    Wow… Thank you for taking the time to reply in such depth! I think I’m understanding better how the parts relate and interact with each other.

    The original reason I was looking at restricting access to wp-config is my business partner attended a webinar on WP security after the WooThemes issue arose. They gave out a pdf of quite a long list of security measures to put in place to avert breaches… The one I mention above is one of them. I’m not taking everything written in the pdf at face value, I’m doing research on them before implementing… thus my question.

    Based on your answer, adding the above code to .htaccess will stop access through Apache but it only works to thwart one type of attack. Good to know 😀

    Thank you again for your help. And for your answer to my Q2… I’ll check into that further.



    Forum Moderator

    And now I’m going to show my ignorance…

    Knut Sparhell wrote: “Even when bootstrapping WordPress, you do not include wp-confg.php directly.”

    I’ve never heard “bootstrapping” used in this manner and even though I’ve tried to research what it means, I have not come up with a satisfactory answer. Could you please explain what the term “bootstrapping” means, especially in regards to WordPress?

Viewing 7 replies - 1 through 7 (of 7 total)
  • The topic ‘Will protecting wp-config with .htaccess block plugin activation?’ is closed to new replies.