[resolved] WordPress giving too much info to end users on DB error (15 posts)

  1. AK Ted
    Posted 2 years ago #

    My host recently had a short MySQL outage and the apparently stock error page that was shown to everyone visiting my site during this minor hiccup (see sanitized image) shows way too much information to them!

    It shows my full, private database host - something that should only be known to myself (or those I explicitly choose to tell) and my host. It also shows - twice - my full, shared-hosting path to wp-db.php. This is also something that should be known only to myself (or those I explicitly choose to tell) and my host.

  2. riversatile
    Posted 2 years ago #


    You should check with your host provider what the display error level setting is for PHP errors.

    More info : http://php.net/manual/en/errorfunc.configuration.php#ini.error-reporting

    You will have to decrease the PHP error level to prevent users from getting too explicit error messages.

  3. AK Ted
    Posted 2 years ago #

    Would my PHP error level affect the error page that is clearly generated by WordPress?

  4. riversatile
    Posted 2 years ago #

    ...oops, you're right.

    The reason why WordPress is unable to establish a database connection can vary. It could be that your database login credentials are wrong or have been changed. It could be that your database server is unresponsive. It could be that your database has been corrupted.

    I suggest you read How to Fix the Error Establishing a Database Connection in WordPress

  5. AK Ted
    Posted 2 years ago #

    Thanks for the help, riversatile. I'm not trying to diagnose a DB problem. I'm pointing out what I consider to be a serious breach of my site's security because of a default WordPress error message.

    As mentioned in my original post, no one, other than those I choose, should be able to see the underlying file structure of my site and its full DB host address.

    As an example, with GoDaddy, the shared hosting path for my public root is /home/content/zz/xxxxxxxx/html/. This was shown twice on the error page. xxxxxxxx is a unique number tied to my hosting account. zz is a number that (I assume) represents a grouping of different accounts. No one on the Internet should be able to see anything above html.

    In addition, a typical GoDaddy DB host address is my_database_name.db.xxxxxxxx.hostedresource.com. A malicious person, maybe someone who simply dislikes something I wrote on my site, might be able to DDOS my database by simply trying to connect to it with the wrong credentials. I'm not sure what GoDaddy or any other host would do if someone made millions of attempts to connect in a short amount of time. They might be able to ignore it, or they might flag my account - I have no idea.

    Think of your database host like your credit card number. While it's not critical for you to keep it secret from everyone, you only want those you trust, e.g., business you write a check to. You don't hand it out to strangers on your business card.

  6. riversatile
    Posted 2 years ago #

    If you have this kind of error (by WordPress), this means that WordPress successfully accesses your DB, but was not able to load certain data in the DB (which is not normal). This means your data could be corrupted. This kind of thing never occurred on my site.
    So it's necessary to fix errors in your DB.

    First thing you should do is to make sure that you are getting the same error on both the front-end of the site, and the back-end of the site (wp-admin). If the error message is the same on both pages, “Error establishing a database connection”, then proceed on to the next step. If you are getting a different error on the wp-admin, for instance something like “One or more database tables are unavailable. The database may need to be repaired”, then you need to repair your database.
    You can do this by adding the following line in your wp-config.php file:
    define('WP_ALLOW_REPAIR', true);
    Once you have done that, you can see the settings by visiting this page: http://www.yoursite.com/wp-admin/maint/repair.php

  7. esmi
    Forum Moderator
    Posted 2 years ago #

    @riversatile: I don't think the OP is trying to fix an error. As I understand it, AK Ted is pointing out that, in such situations, the server architecture is being revealed by the error messages.

    @AK Ted: The upper error/warning can be suppressed at the server level. I can't recall if GoDaddy allows you to create account/site-specific php.ini files. If so, then you can probably suppress warnings yourself.

  8. AK Ted
    Posted 2 years ago #

    @riversatile: Again, this post is not about a DB problem that I'm having. Please re-read the original post. It was a temporary glitch of my host. It is no longer occurring. Nothing had changed on my site so I must assume that my DB hosting server was down.

    My problem is the default WordPress behavior of passing out my personal information to the world.

    I'm not trying to sound rude, but please stop posting off-topic discussion to this thread. If you think I'm mistaken in my assertions, by all means feel free to say so - with reasoning to back up your opinion. But your off-topic replies (and my responses) have changed the status of this post from unanswered to answered, which means it will be seen by significantly fewer people.

  9. AK Ted
    Posted 2 years ago #

    @esmi: Thanks for the heads up. GoDaddy will allow me to do things in php.ini like turn off display_errors. Would that stop the WP default error page from appearing to users browsing my site?

  10. esmi
    Forum Moderator
    Posted 2 years ago #

    Turning off warnings will suppress the upper message but not the main lower message.

    I tested a db issue on my dev server and I only saw the server name/ip in the lower message, so I can only assume that the amount of detail in the message is server dependent. You might want to bring this up with GoDaddy to get their take on the situation. To that end, I've tagged this topic for their attention as their support people do check these forums occasionally.

  11. AK Ted
    Posted 2 years ago #

    Thank you, esmi. The upper message is because I have WP_DEBUG set to true. This is actually my live testing/staging site, so I need the PHP errors shown. But since my "real" live domain and my testbed are using the same shared account, I assume the error page (minus the upper message) would be shown to end-users of the live site as well during any future DB server outages.

    I will bring it up with GoDaddy, but I think I'll also look into hacking my wp-includes/wp-db.php (told to me by someone on TRAC that the error message is generated from). I really am unnerved by the fact that what I consider sensitive information is being presented to all comers.

  12. @AK Ted: what kind of hosting package are you on? Shared or VPS? That will determine how much configuration you can do and what is out of your control re: database warning messages and displayed errors.

    In addition, a typical GoDaddy DB host address is my_database_name.db.xxxxxxxx.hostedresource.com.

    Everyone knows those kinds of details about GD. Search these forums; that's one of the reasons they get hacked so often.

  13. AK Ted
    Posted 2 years ago #

    @songdogtech: Economy shared hosting. And yeah, while the format of GoDaddy is well-known, the my_database_name and xxxxxxxx still should be kept private.

    Someone with a grudge could try to DDOS a known DB host address. As I said earlier, I don't know what the ramifications of that are.

  14. AK Ted
    Posted 2 years ago #

    To any concerned: I was informed on TRAC that the full error message only displays on a WP site that has WP_DEBUG set to true (rare). Case closed, as far as I'm concerned.

    Off-topic: my next windmill to tilt at is re: these text inputs/textareas with spell-check. If someone can write JavaScript that can highlight code syntax, surely the browser makers can make the spell-check ignore hrefs and other attributes in tags!

  15. Economy shared hosting...

    As the old saying goes, "You pay your money and you take your chances."

    If you're "really ... unnerved by the fact that what I consider sensitive information is being presented to all comers," 1) realize what WP_DEBUG does, and 2) look at the differences between cheap shared hosts and a server you admin and secure yourself.
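The thread's conclusion (posts 11, 14 and 15) is that the verbose database error is tied to WP_DEBUG. The wp-config.php fragment below is an added example, not code from the thread or from WordPress itself; it shows the staging setup the OP describes beside a variant that keeps errors available on the staging site but writes them to a log instead of showing them to visitors. The constants are real WordPress settings; whether WP_DEBUG_DISPLAY alone silences the lower wpdb message depends on the WordPress version, so the check at the end is an assumption to verify on your own install.

```php
<?php
// --- Weak: what the OP was running on the shared staging/live account ---
// WP_DEBUG alone enables display of PHP notices AND lets wpdb show its
// verbose connection error (DB host and the full path to wp-db.php).
// define('WP_DEBUG', true);

// --- Hardened variant for a staging site that still needs the errors ---
define('WP_DEBUG', true);          // keep debugging on for the developer
define('WP_DEBUG_DISPLAY', false); // do not render errors into the page
define('WP_DEBUG_LOG', true);      // write them to wp-content/debug.log instead
@ini_set('display_errors', 0);     // belt and braces for PHP-level errors

// --- Production site: turn debugging off entirely ---
// define('WP_DEBUG', false);
// define('WP_DEBUG_DISPLAY', false);

// Verification (assumption, not from the thread): after deploying this file,
// temporarily point DB_HOST at an unreachable address on the staging site
// and confirm visitors only see the generic "Error establishing a database
// connection" page while the detail lands in wp-content/debug.log. Make
// sure debug.log itself is not web-readable on a shared host.
// define('DB_HOST', 'PLACEHOLDER_UNREACHABLE_HOST');
```

Keep WP_DEBUG off on the real live domain regardless; the log-only variant is only for the testbed that shares the account.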

Topic Closed

This topic has been closed to new replies.
