[wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default

Mike Little wordpress at zed1.com
Thu Dec 15 17:10:42 UTC 2011

On 15 December 2011 09:00, Liam Gladdy <liam at storm-consultancy.com> wrote:

> I have a suggestion, too.. Is there any reason why, when WordPress
> writes its rules to .htaccess, it doesn't also write the security
> protection to deny all access to wp-config.php? Obviously, for the
> most part this isn't needed, but this morning Media Temple had a
> catastrophic configuration change which led to the PHP handlers not
> being registered, and all PHP files being downloaded as plain text on
> one of their clusters.
> If WordPress wrote a deny rule to .htaccess, this would negate that
> event opening access to database passwords.
> I'd suggest something along the lines below is added to the htaccess
> file by the WordPress installer:
> <files wp-config.php>
> order allow,deny
> deny from all
> </files>
> Thanks, and have a great upcoming holiday :)

Hi Liam,

WordPress does not automatically set up .htaccess files (it can't: some
hosts don't allow them), but you can move your wp-config.php up one
directory level (towards root), so that it will be out of Apache's document
root. That will work on all sites regardless of whether they have .htaccess

As to the Media Temple error: Ouch! There's a reason I haven't used shared
hosting for several years!

Mike Little
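
Added example, not part of the original messages and not WordPress code: a static check that reports which of the two protections discussed in this thread (the `<files>` deny rule, or wp-config.php moved one level above the document root) applies to a site. The function names, the result labels and the assumption that WordPress is installed directly in the document root are all hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Static check only: it cannot tell
# whether the host honours .htaccess (AllowOverride), the caveat in the reply.

# Heuristic: succeeds if FILE has a <Files wp-config.php> block containing a
# deny directive: Apache 2.2 "deny from all" or Apache 2.4 "Require all denied".
htaccess_denies_wp_config() {
    [ -f "$1" ] || return 1
    awk '
        { line = tolower($0); sub(/\r$/, "", line) }
        line ~ /^[ \t]*<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inblk = 1; next }
        line ~ /^[ \t]*<\/files>/ { inblk = 0; next }
        inblk && line ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)[ \t]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Prints exposed | htaccess-deny | outside-docroot | not-found for a document
# root. Assumes WordPress is installed directly in the document root.
audit_wp_config() {
    docroot=${1%/}
    if [ -f "$docroot/wp-config.php" ]; then
        if htaccess_denies_wp_config "$docroot/.htaccess"; then
            echo "htaccess-deny"
        else
            echo "exposed"       # served as text if the PHP handler is lost
        fi
    elif [ -f "$docroot/../wp-config.php" ]; then
        echo "outside-docroot"   # one level up, not reachable by URL
    else
        echo "not-found"
    fi
}

# Constructed demo tree (temporary directory, not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/site/htdocs"
: > "$demo/site/htdocs/wp-config.php"
printf '<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n' \
    > "$demo/site/htdocs/.htaccess"
echo "rule from the thread: $(audit_wp_config "$demo/site/htdocs")"
mv "$demo/site/htdocs/wp-config.php" "$demo/site/wp-config.php"
echo "moved up one level:   $(audit_wp_config "$demo/site/htdocs")"
rm -rf "$demo"
```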
