Title: wp-config security?
Last modified: August 21, 2016

---

# wp-config security?

 *  Resolved [forboding-angel](https://wordpress.org/support/users/forboding-angel/)
 * (@forboding-angel)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/wp-config-security/)
 * I really liked this right up until the part where I saw that it had to have the
   entire wordpress install in git, whereas for the sake of security (and ease of
   use) I would vastly prefer only the theme folder be in git.
 * So, how does one keep wordpress secure if the github repo is a public repo?
 * [https://wordpress.org/plugins/revisr/](https://wordpress.org/plugins/revisr/)

Viewing 12 replies - 1 through 12 (of 12 total)

 *  Plugin Author [Expanded Fronts](https://wordpress.org/support/users/expandedfronts/)
 * (@expandedfronts)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040480)
 * Hello,
 * You can configure files to be ignored from the repository (and Github) by adding
   the files or directories to the .gitignore settings on the plugin settings page.
 * For wp-config, simply add this line (paths are relative from the root repository
   folder/WordPress installation) :
    wp-config.php
 * And save the settings.
 * Additionally, the wp-config file can also be saved in the directory directly 
   above the root of the WordPress installation, which would prevent it from being
   part of the repository at all.
 *  Plugin Author [Expanded Fronts](https://wordpress.org/support/users/expandedfronts/)
 * (@expandedfronts)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040481)
 * Also, if you wanted to only track the wp-content/themes/ directory, you could
   add something like the following to the gitignore settings:
 * /*
    /*/ !/wp-content/themes/
 *  Thread Starter [forboding-angel](https://wordpress.org/support/users/forboding-angel/)
 * (@forboding-angel)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040556)
 * Ahh, thanks for that. I was wondering if I could just do a gitignore like that
   and get away with it. Just seemed odd that the plugin needed the repo to contain
   the entire install. Apparently I read the faq/install instructions wrong as it
   sounded like that was a requirement.
 *  [headonfire](https://wordpress.org/support/users/headonfire/)
 * (@headonfire)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040557)
 * @Forboding Angel, it might be a good idea to keep the whole installation under
   Git. For example, if your site gets hacked and your core files are modified
   (the usual encoded malicious code added, or new files) you can view the diffs
   and clean all infected files. Or just roll back to a clean commit. That’s what
   I thought the first time I saw this plugin.
 *  Thread Starter [forboding-angel](https://wordpress.org/support/users/forboding-angel/)
 * (@forboding-angel)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040558)
 * [@igor](https://wordpress.org/support/users/igor/), you should never be making
   changes to core though, so as long as you have your theme in git and your database
   backed up, you should be golden to just dump clean core files over the hack.
 * All this plugin does is pull, from what I understand, so you would not get a 
   diff of the site files vs what is in git, as I understand it.
 * It’s more for viewing the diffs between commits to git.
 *  Plugin Author [Expanded Fronts](https://wordpress.org/support/users/expandedfronts/)
 * (@expandedfronts)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040569)
 * @Forboding Angel-
 * You bring up some good points, and I definitely encourage you to use the plugin
   however you see fit to make sure it works best with your workflow.
 * With that being said, Ihor brings up a good point, and that is that Revisr will
   show you at a glance if those core files have been modified. While you can simply
   upload the latest core files over your entire installation, you won’t necessarily
   know when you need to do it since those files aren’t being tracked.
 * I’ve seen plenty of WordPress sites (not as much recently, but still some) where
   the hack may be hard to find (such as a hacked 404 page with a small bit of encoded
   Javascript). Since you are tracking the 404 page as it is in your themes directory,
   it is easy enough to remove the _result_ of the hack, but often there will be
   other malicious files uploaded to other directories on the site, which may or
   may not be in the wp-content folder.
 *  [headonfire](https://wordpress.org/support/users/headonfire/)
 * (@headonfire)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040570)
 * @Forboding Angel yep, you’re right. Of course I never alter core files. And
   btw even my own ‘starting kit’ is a git repo with WP core as a Git submodule.
 *  Thread Starter [forboding-angel](https://wordpress.org/support/users/forboding-angel/)
 * (@forboding-angel)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040575)
 * [@expandedfronts](https://wordpress.org/support/users/expandedfronts/)
 * > With that being said, Ihor brings up a good point, and that is that Revisr 
   > will show you at a glance if those core files have been modified.
 * No, you wouldn’t, not unless the plugin does diffing vs its local copy. From
   what I read I’m pretty sure it shows diffs that are displayed in github, not
   diffs that are local working copy vs master. Am I wrong?
 *  Plugin Author [Expanded Fronts](https://wordpress.org/support/users/expandedfronts/)
 * (@expandedfronts)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040576)
 * Yes, Revisr shows diffs for the local repository against whatever branch is checked
   out.
 * So if you pull master and make a bunch of changes to the local repository, you’re
   viewing the diffs for those local changes. You could also create a local branch
   independent of Bitbucket or Github and commit all of your changes to that branch,
   and go back and view previous commits and diffs without ever pushing to a remote.
 *  Thread Starter [forboding-angel](https://wordpress.org/support/users/forboding-angel/)
 * (@forboding-angel)
 * [11 years, 10 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040601)
 * Nice! That’s very cool. Thanks for the info.
 *  Thread Starter [forboding-angel](https://wordpress.org/support/users/forboding-angel/)
 * (@forboding-angel)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040669)
 * For anyone else reading this:
 * /*
    /*/ !/wp-content/themes/
 * Will not work. You can not do a multilevel ignore in gitignore. SO then you’re
   stuck with trying to do silly stuff like
 * *
    */ !wp-content/ wp-content/* !wp-content/themes/ wp-content/themes/* !wp-content/
   themes/my-theme-name
 * Which does not appear to work either.
 *  Thread Starter [forboding-angel](https://wordpress.org/support/users/forboding-angel/)
 * (@forboding-angel)
 * [11 years, 9 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040670)
 * Ok, after a bit of tinkering, I finally got this to work:
    # gitignore all but my theme folder
    !wordpress/
    wordpress/*
    !wordpress/wp-content/
    wordpress/wp-content/*
    !wordpress/wp-content/themes/
    wordpress/wp-content/themes/*
    !wordpress/wp-content/themes/my-theme/
    wordpress/wp-content/themes/my-theme/.DS_Store
    wordpress/wp-content/themes/my-theme/*/.DS_Store
    wordpress/wp-content/themes/my-theme/*/*/.DS_Store
    wordpress/wp-content/themes/my-theme/.sass-cache
    wordpress/wp-content/themes/my-theme/node_modules
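The script below is an added example, not something posted in the thread or shipped with the Revisr plugin. It builds a throwaway WordPress-shaped directory (the `wordpress/` root and `my-theme` names are the thread's own placeholders, the file contents are constructed), writes the "all but my theme folder" `.gitignore` from the last post, and asks git itself which paths end up tracked, so you can verify the nested negation pattern instead of guessing. It then appends a line to a core file and checks `git status`, which makes the earlier point from Expanded Fronts concrete: with only the theme tracked, a modified core file or an extra upload outside the theme never shows up in the diff.

```shell
#!/bin/sh
# Added example (not from the thread or from Revisr). Requires git on PATH.
set -eu

# Write the thread's working "track only my theme" .gitignore into repo $1.
# Every ignored level is re-opened with "!" before its contents are ignored.
write_theme_only_gitignore() {
    cat > "$1/.gitignore" <<'EOF'
# gitignore all but my theme folder
!wordpress/
wordpress/*
!wordpress/wp-content/
wordpress/wp-content/*
!wordpress/wp-content/themes/
wordpress/wp-content/themes/*
!wordpress/wp-content/themes/my-theme/
wordpress/wp-content/themes/my-theme/node_modules
EOF
}

# Constructed mini layout: one core file, wp-config, a plugin, the theme,
# and a node_modules folder inside the theme (which should stay ignored).
make_layout() {
    mkdir -p "$1/wordpress/wp-includes" \
             "$1/wordpress/wp-content/plugins/some-plugin" \
             "$1/wordpress/wp-content/themes/my-theme/node_modules"
    echo '<?php // core file'   > "$1/wordpress/wp-includes/functions.php"
    echo '<?php // secrets'     > "$1/wordpress/wp-config.php"
    echo '<?php // plugin'      > "$1/wordpress/wp-content/plugins/some-plugin/plugin.php"
    echo '<?php // theme'       > "$1/wordpress/wp-content/themes/my-theme/404.php"
    echo 'module.exports = {};' > "$1/wordpress/wp-content/themes/my-theme/node_modules/x.js"
}

# Initialise a repo in $1, commit whatever git does not ignore, and print the
# tracked paths sorted one per line.
tracked_paths() {
    (cd "$1" && git init -q . && git add -A \
        && git -c user.name=example -c user.email=example@example.invalid \
               commit -q -m 'initial' \
        && git ls-files | sort)
}

# Exit status 0 if git would ignore path $2 (relative to repo $1).
is_ignored() {
    (cd "$1" && git check-ignore -q -- "$2")
}

# Simulate a change to an untracked core file, then report whether
# `git status` shows anything. Exit status 0 means the change is visible.
core_change_visible() {
    echo '// appended after the commit' >> "$1/wordpress/wp-includes/functions.php"
    (cd "$1" && [ -n "$(git status --porcelain)" ])
}

# Stand-alone run: show the tracked set and the detection gap.
demo() {
    dir=$(mktemp -d)
    make_layout "$dir"
    write_theme_only_gitignore "$dir"
    echo "tracked paths:"
    tracked_paths "$dir"
    if core_change_visible "$dir"; then
        echo "core file change is visible in git status"
    else
        echo "core file change is NOT visible: wp-includes is ignored, so git never sees it"
    fi
    rm -rf "$dir"
}
```

Run it with `demo` after sourcing the file. The tracked set comes out as just `.gitignore` and `wordpress/wp-content/themes/my-theme/404.php`; `wp-config.php`, the plugin and the theme's `node_modules` are ignored. The second half is the trade-off the thread circles around: the narrow ignore list keeps secrets out of a public repo, but it also means git can only ever report tampering inside the theme.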


The topic ‘wp-config security?’ is closed to new replies.


 * 12 replies
 * 3 participants
 * Last reply from: [forboding-angel](https://wordpress.org/support/users/forboding-angel/)
 * Last activity: [11 years, 9 months ago](https://wordpress.org/support/topic/wp-config-security/#post-5040670)
 * Status: resolved