[wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default

jackie sparks jackie.craig.sparks at live.com
Fri Dec 16 12:52:22 UTC 2011



Why not, as long as the user/apache has permission to access it? So I figure it would work with 644 (xr-r-r) permissions.

> Date: Fri, 16 Dec 2011 12:22:27 +0000
> From: aero.maxx.d at gmail.com
> To: wp-hackers at lists.automattic.com
> Subject: Re: [wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default
> 
> On 15/12/2011 17:10, Mike Little wrote:
> > On 15 December 2009 09:00, Liam Gladdy <liam at storm-consultancy.com> wrote:
> >
> >> I have a suggestion, too. Is there any reason why, when WordPress
> >> writes its rules to .htaccess, it doesn't also write the security
> >> protection to deny all access to wp-config.php? Obviously, for the
> >> most part this isn't needed, but this morning media temple had a
> >> catastrophic configuration change which led to the PHP handlers not
> >> being registered, and all PHP files being downloaded as plain text on
> >> one of their clusters.
> >>
> >> If WordPress wrote a deny rule to .htaccess, this would negate that
> >> event opening access to database passwords.
> >>
> >> I'd suggest something along the lines below is added to the .htaccess
> >> file by the WordPress installer:
> >>
> >> <files wp-config.php>
> >> order allow,deny
> >> deny from all
> >> </files>
> >>
> >> Thanks, and have a great upcoming holiday :)
> >>
> >>
> > Hi Liam,
> >
> > WordPress does not automatically set up .htaccess files (it can't: some
> > hosts don't allow them), but you can move your wp-config.php up one
> > directory level (towards root), so that it will be out of Apache's document
> > root. That will work on all sites regardless of whether they have .htaccess
> > files.
> >
> > As to the media temple error: Ouch! There's a reason I haven't used shared
> > hosting for several years!
> >
> > Mike
> What if you have your WordPress install in a folder called wordpress and 
> the wp-config.php is in here, moving it up one directory would still be 
> in Apache's document root, is it possible to move it up 2 directories 
> and for it to still work?
> 
> I prefer to have a tidy server and not have non-WordPress files mixed in 
> among WordPress files.
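Added example, not part of the thread and not WordPress code: a small audit of the three points raised above (whether wp-config.php sits inside the document root, whether an .htaccess on the way up carries the deny rule, and the file mode). The function names, result keys and temporary directory layout are assumptions made for the illustration; `Require all denied` is the Apache 2.4 equivalent of the 2.2 rule quoted in the thread.

```python
import os, re, stat, tempfile

# A <Files wp-config.php> block, and a deny-all line in the 2.2 form from the thread or the 2.4 form.
FILES_BLOCK = re.compile(r'<files\s+"?wp-config\.php"?\s*>(.*?)</files>', re.I | re.S)
DENY = re.compile(r'^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$', re.I | re.M)

def htaccess_denies_config(text):
    """True if any <Files wp-config.php> block in text contains a deny-all line."""
    return any(DENY.search(body) for body in FILES_BLOCK.findall(text))

def audit(docroot, wp_dir):
    """Report where wp_dir's wp-config.php lives and how it is protected."""
    docroot, wp_dir = os.path.realpath(docroot), os.path.realpath(wp_dir)
    # Same directory as WordPress, or one level up (the relocation described in the thread).
    candidates = [os.path.join(d, "wp-config.php") for d in (wp_dir, os.path.dirname(wp_dir))]
    config = next((p for p in candidates if os.path.isfile(p)), None)
    if config is None:
        return None
    in_docroot = os.path.commonpath([docroot, config]) == docroot
    denied, d = False, os.path.dirname(config)
    # Walk from the config's directory up to the docroot; parent .htaccess files apply too.
    while in_docroot and not denied:
        ht = os.path.join(d, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8", errors="replace") as fh:
                denied = htaccess_denies_config(fh.read())
        if d == docroot:
            break
        d = os.path.dirname(d)
    mode = stat.S_IMODE(os.stat(config).st_mode)
    return {"config": config, "in_docroot": in_docroot, "htaccess_deny": denied,
            "mode": oct(mode), "world_readable": bool(mode & stat.S_IROTH),
            "exposed_if_php_handler_fails": in_docroot and not denied}

def demo():
    """Constructed layout: htdocs/wordpress/ holds WordPress and its wp-config.php."""
    docroot = os.path.join(tempfile.mkdtemp(), "htdocs")
    wp = os.path.join(docroot, "wordpress")
    os.makedirs(wp)
    with open(os.path.join(wp, "wp-config.php"), "w") as fh:
        fh.write("<?php // constructed placeholder, no real credentials\n")
    before = audit(docroot, wp)
    with open(os.path.join(docroot, ".htaccess"), "w") as fh:
        fh.write("<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n")
    return before, audit(docroot, wp)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The `htaccess_deny` result only reflects what the file says; the rule takes effect only where the host lets .htaccess files set access rules, which, as noted in the thread, some hosts do not.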