06 Nov
Posted by SE as Security, Wordpress
wp-config.php sits in the root directory of your WordPress installation and is the file WordPress reads to connect to its database.
It holds your database username, password and database name in plain text.
Because it is a .php file, the web server hands it to PHP instead of sending its source to the browser, so the credentials are normally never shown. That protection holds only as long as the PHP handler is working: if PHP is disabled or misconfigured, or a copy such as wp-config.php.bak is left beside it, the server will serve the contents as plain text. Leaving the file in the web root without any extra protection therefore makes little sense.
A good first step is to have your .htaccess deny web access to it.
The most common use of .htaccess in WordPress is the rewrite rules for custom permalinks (SEO-friendly URLs).
However, .htaccess can do much more to reduce your site's attack surface.
The Files directive denies access to a named file, and you can use it for any file under your web root.
Add the following to the .htaccess in your web root (the directory that holds wp-config.php):
# to protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Here "deny from all" refuses every client, and because it sits inside the Files block it applies only to wp-config.php. Order and Deny are Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, and the native 2.4 equivalent is "Require all denied".
Another example denies access to the .htaccess file itself (the stock Apache configuration already blocks files starting with .ht, but adding the rule costs nothing if your host has changed that default):
# to protect the .htaccess file itself:
<Files .htaccess>
order allow,deny
deny from all
</Files>
To learn more about using your .htaccess for WordPress, check Josiah Cole's post about having an almost perfect .htaccess file for WordPress. He lists over 10 directives that you can add.
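As an added example, not code from this post or from WordPress, the following POSIX shell script writes the two Files blocks above as a single FilesMatch rule into a web root's .htaccess, in both Apache 2.2 and 2.4 syntax, then checks the result on disk and classifies what an HTTP probe of the file returns. It goes a little beyond the post: the pattern also covers backup copies such as wp-config.php.bak, which Apache would otherwise serve as plain text, and the on-disk check includes the chmod 600 point raised in the comments. The function names, the BEGIN/END marker and the sample wp-config.php are this example's own; the live probe assumes curl and network access, and the rules assume .htaccess overrides are enabled (AllowOverride).

```shell
#!/bin/sh
# Added example for this post (not the author's code): install the deny
# rules for wp-config.php and .htaccess into a WordPress web root, check the
# result on disk, and classify what a live HTTP probe of those files returns.
# Assumptions: Apache with AllowOverride enabled, curl for the live probe;
# function names and the marker comment are this example's own.

MARKER="# BEGIN protect-wp-config"

# The rules. The FilesMatch pattern has no end anchor, so it also catches
# copies such as wp-config.php~ or wp-config.php.bak, which Apache would
# serve as plain text because they do not end in .php. The IfModule pair
# uses Apache 2.4 syntax (Require) when mod_authz_core is present and the
# 2.2 syntax (Order/Deny) otherwise.
protect_rules() {
    cat <<'EOF'
# BEGIN protect-wp-config
<FilesMatch "^(wp-config\.php|\.htaccess)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
# END protect-wp-config
EOF
}

# Append the rules to WEBROOT/.htaccess once; running it again is a no-op.
install_rules() {
    htaccess="$1/.htaccess"
    if [ -f "$htaccess" ] && grep -qF "$MARKER" "$htaccess"; then
        return 0
    fi
    protect_rules >> "$htaccess"
}

# On-disk check: rules present, and wp-config.php not readable by "other"
# (the chmod 600 advice from the comments). Returns 0 only when both hold.
check_webroot() {
    webroot=$1
    grep -qF "$MARKER" "$webroot/.htaccess" 2>/dev/null || return 1
    others=$(ls -l "$webroot/wp-config.php" 2>/dev/null | cut -c8-10)
    [ "$others" = "---" ]
}

# Classify an HTTP response. Leaked source outranks any status code: a PHP
# misconfiguration can answer 200 with the credentials in the body.
classify_response() {
    code=$1
    body=$2
    case $body in
        *DB_PASSWORD*) echo EXPOSED; return 0 ;;
    esac
    case $code in
        403|404) echo BLOCKED ;;
        *)       echo UNBLOCKED ;;
    esac
}

# Live probe, e.g. probe_url https://example.com/wp-config.php (needs curl
# and network access, so the offline demo below does not call it).
probe_url() {
    url=$1
    tmpf=$(mktemp)
    code=$(curl -s -o "$tmpf" -w '%{http_code}' "$url") || code=000
    verdict=$(classify_response "$code" "$(cat "$tmpf")")
    rm -f "$tmpf"
    printf '%-9s %s %s\n' "$verdict" "$code" "$url"
}

# Demonstration on a constructed web root: a scratch directory holding a
# fake wp-config.php, so nothing here touches a live site.
demo() {
    root=$(mktemp -d)
    printf "<?php define('DB_PASSWORD', 'example-only');\n" > "$root/wp-config.php"
    chmod 644 "$root/wp-config.php"
    install_rules "$root"
    if check_webroot "$root"; then
        echo "before chmod: ok"
    else
        echo "before chmod: wp-config.php is still world-readable"
    fi
    chmod 600 "$root/wp-config.php"
    if check_webroot "$root"; then echo "after chmod:  ok"; fi
    rm -rf "$root"
}
demo
```

Run it as a script to see the demo, or source it and call install_rules, check_webroot and probe_url against your own web root and site URL. The probe treats a 403 or 404 as blocked; a 200 with an empty body means the file was executed by PHP (the rule is not in effect but nothing leaked), and a body containing DB_PASSWORD is the failure the post is guarding against.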
7 Responses
sherif
November 11th, 2007 at 9:30 am
Another file we need to make sure to block access to is xmlrpc.php.
Here you can just add one more Files directive for xmlrpc.php to your .htaccess file.
Search Engine Optimization Direct » Blog Archive » How to deny access to your wp-config.php file under WordPress …
January 7th, 2008 at 8:56 am
[…] cpwebhosting02 article is brought to you using rss feeds. Here are some of the top articles on search engine optimization. The most common use of .htaccess in Wordpress is setting custom permalink for SEO optimization. However .htaccess should be more utilized to further minimize vulnerability of your site. Here you can use the files directive to deny … […]
Egor
January 24th, 2008 at 10:18 am
Hi, I was searching Google for affordable web site optimization and your blog post regarding How to deny access to your wp-config.php file under WordPress installation by Tdot-Blog looks really interesting to me.
I will definitely bookmark it and come back for more cool postings to read! Cheers!
Egor’s last blog post..I’ve Been Working Hard Lately!
Sherif
January 26th, 2008 at 10:17 am
Hi Egor,
Thanks for your comment.
After running into some issues and headaches with WordPress security, I am really glad to know that you will be able to learn and better secure your WordPress site.
Sherif’s last blog post..2 Simple Steps to Hide Wordpress Info and Better Secure Your Site.
bass
February 26th, 2008 at 10:58 pm
Hi,
for non-Windows users: 'wp-config.php' is located in the public area, which means it can also be accessed by local users with the telnet/rlogin service.
To prevent this, log in with a telnet/rlogin client and run:
# chmod 600 wp-config.php
bass's last blog post..Vista SP1 conflicts with several third-party AV products
Jeremy Gadd
April 15th, 2008 at 2:37 am
Many thanks for this and for the help received through the comments, such as the need to deny access to the .htaccess file itself. I had never really considered that.
Are there other crucial files?
Sherif
April 15th, 2008 at 10:41 pm
Hi Jeremy,
Thank you for your comment. There are other steps you can use. I have listed more here in my blog and in my ebook.
Regards.
My name is Sherif Elsisi and on this blog I will share my knowledge, discovery and experience with hosting issues, Webmaster tools and resources.
Tdot - Blog hosted by TdotHost | BloggingPro theme by: Design Disease | Hosting and Blogging Guide is powered by WordPress