[wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default

Aero Maxx aero.maxx.d at gmail.com
Fri Dec 16 12:22:27 UTC 2011

On 15/12/2011 17:10, Mike Little wrote:
> On 15 December 2011 09:00, Liam Gladdy <liam at storm-consultancy.com> wrote:
>> I have a suggestion, too. Is there any reason why, when WordPress
>> writes its rules to .htaccess, it doesn't also write the security
>> protection to deny all access to wp-config.php? Obviously, for the
>> most part this isn't needed, but this morning media temple had a
>> catastrophic configuration change which led to the PHP handlers not
>> being registered, and all PHP files being downloaded as plain text on
>> one of their clusters.
>> If WordPress wrote a deny rule to .htaccess, this would negate that
>> event opening access to database passwords.
>> I'd suggest something along the lines below is added to the htaccess
>> file by the WordPress installer:
>> <files wp-config.php>
>> order allow,deny
>> deny from all
>> </files>
>> Thanks, and have a great upcoming holiday :)
> Hi Liam,
> WordPress does not automatically set up .htaccess files (it can't: some
> hosts don't allow them), but you can move your wp-config.php up one
> directory level (towards root), so that it will be out of Apache's document
> root. That will work on all sites regardless of whether they have .htaccess
> files.
> As to the media temple error: Ouch! There's a reason I haven't used shared
> hosting for several years!
> Mike
What if you have your WordPress install in a folder called wordpress and
the wp-config.php is in here? Moving it up one directory would still be
in Apache's document root. Is it possible to move it up 2 directories
and for it to still work?

I prefer to have a tidy server and not have non-WordPress files mixed in
among WordPress files.
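
The following check is an added example, not part of the original thread and not WordPress code. It classifies a site by the two wp-config.php locations the messages above discuss (the install directory and one level up) and looks for the quoted <files wp-config.php> deny rule. The function names, status strings and the public_html/wordpress layout are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# <Files wp-config.php> ... </Files>; Apache directive names are case-insensitive.
FILES_BLOCK = re.compile(r'<Files\s+"?wp-config\.php"?\s*>(.*?)</Files\s*>', re.I | re.S)
# Deny-all in the 2.2 syntax quoted in the thread, or the 2.4 equivalent.
DENY_ALL = re.compile(r'^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$', re.I | re.M)

def htaccess_denies_config(text):
    """True if text holds a <Files wp-config.php> block that denies all access."""
    return any(DENY_ALL.search(m.group(1)) for m in FILES_BLOCK.finditer(text))

def audit(docroot, wp_dir):
    """Classify where wp-config.php sits relative to the document root."""
    docroot, wp_dir = Path(docroot).resolve(), Path(wp_dir).resolve()
    # The two locations discussed in the thread: the install directory, one level up.
    candidates = [wp_dir / "wp-config.php", wp_dir.parent / "wp-config.php"]
    config = next((p for p in candidates if p.is_file()), None)
    if config is None:
        return "missing"
    if docroot not in config.parents:
        return "outside-docroot"
    # .htaccess rules are inherited, so check every directory up to the docroot.
    d = config.parent
    while True:
        ht = d / ".htaccess"
        if ht.is_file() and htaccess_denies_config(ht.read_text(errors="replace")):
            return "in-docroot-denied"
        if d == docroot:
            return "in-docroot-exposed"
        d = d.parent

def demo():
    """Constructed layout: WordPress in <docroot>/wordpress, config moved up one level."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = Path(tmp) / "public_html"
        wp = docroot / "wordpress"
        wp.mkdir(parents=True)
        (docroot / "wp-config.php").write_text("<?php // constructed sample\n")
        before = audit(docroot, wp)
        (docroot / ".htaccess").write_text(
            "<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n")
        return before, audit(docroot, wp)

if __name__ == "__main__":
    print(demo())
```

The check is static: it reads the files on disk and does not confirm that the host honours .htaccess at all, which is the limitation Mike raises above.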
