[wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default

Liam Gladdy liam at storm-consultancy.com
Thu Dec 15 09:00:46 UTC 2011


Hey everyone,

Just joined this list and wanted to say hey :) I'm Liam, a web dev and
UX guy in the UK working for Storm Consultancy - we do a lot of our
projects in WordPress and will be releasing all our internal plugins
to the community after Christmas.

I have a suggestion, too. Is there any reason why, when WordPress
writes its rules to .htaccess, it doesn't also write the security
protection to deny all access to wp-config.php? Obviously, for the
most part this isn't needed, but this morning Media Temple had a
catastrophic configuration change which led to the PHP handlers not
being registered, and all PHP files being downloaded as plain text on
one of their clusters.

If WordPress wrote a deny rule to .htaccess, this would negate that
event opening access to database passwords.

I'd suggest something along the lines of the rules below be added to the
.htaccess file by the WordPress installer:

<files wp-config.php>
order allow,deny
deny from all
</files>

Thanks, and have a great upcoming holiday :)

Liam Gladdy
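Following the suggestion above, as an added example that is neither the poster's code nor WordPress's installer code: a POSIX shell routine that writes the deny rule into a site's .htaccess only once, carrying the Apache 2.4 `Require` form beside the 2.2 `Order`/`Deny` form used in the post. The marker comments, function names and the docroot argument are assumptions of this example.

```shell
#!/bin/sh
# Added example: append a wp-config.php deny block to a site's .htaccess
# idempotently. Apache 2.2 evaluates Order/Deny (mod_authz_host); Apache 2.4
# evaluates Require (mod_authz_core) unless mod_access_compat is loaded, so
# both forms are emitted behind IfModule guards. Markers are our own.

WPCFG_BEGIN='# BEGIN wp-config-protect'
WPCFG_END='# END wp-config-protect'

# Print the rule block to stdout.
wpcfg_rule_block() {
    cat <<EOF
$WPCFG_BEGIN
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
$WPCFG_END
EOF
}

# Return 0 if the .htaccess under docroot $1 already carries the block.
wpcfg_is_protected() {
    [ -f "$1/.htaccess" ] && grep -qF "$WPCFG_BEGIN" "$1/.htaccess"
}

# Append the block to $1/.htaccess unless it is already present, so the
# installer can call this on every run without duplicating the rule.
wpcfg_protect() {
    docroot="$1"
    if wpcfg_is_protected "$docroot"; then
        return 0
    fi
    wpcfg_rule_block >> "$docroot/.htaccess"
}
```

The rule only takes effect where the vhost's AllowOverride permits it (Limit for Order/Deny, AuthConfig for Require), so after deploying it is worth confirming that a request for /wp-config.php returns 403 rather than the file.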

