[wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default
aero.maxx.d at gmail.com
Fri Dec 16 13:28:15 UTC 2011
I just thought it may be too far back in the directory structure that
wordpress would not look for the wp-config.php file 2 directories back
and look only 1 directory back.
On 16/12/2011 12:52, jackie sparks wrote:
> Why not, as long as the user/apache has permission to access it. So I figure it would work with 644 ( xr-r-r ) permissions.
>> Date: Fri, 16 Dec 2011 12:22:27 +0000
>> From: aero.maxx.d at gmail.com
>> To: wp-hackers at lists.automattic.com
>> Subject: Re: [wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default
>> On 15/12/2011 17:10, Mike Little wrote:
>>> On 15 December 2011 09:00, Liam Gladdy <liam at storm-consultancy.com> wrote:
>>>> I have a suggestion, too.. Is there any reason why, when wordpress
>>>> writes its rules to .htaccess, it doesn't also write the security
>>>> protection to deny all access to wp-config.php? Obviously, for the
>>>> most part this isn't needed, but this morning media temple had a
>>>> catastrophic configuration change which led to the PHP handlers not
>>>> being registered, and all PHP files being downloaded as plain text on
>>>> one of their clusters.
>>>> If wordpress wrote a deny rule to .htaccess, this would negate that
>>>> event opening access to database passwords.
>>>> I'd suggest something along the lines below is added to the htaccess
>>>> file by the wordpress installer:
>>>> <files wp-config.php>
>>>> order allow,deny
>>>> deny from all
>>>> </files>
>>>> Thanks, and have a great upcoming holiday :)
>>> Hi Liam,
>>> WordPress does not automatically set up .htaccess files (it can't: some
>>> hosts don't allow them), but you can move your wp-config.php up one
>>> directory level (towards root), so that it will be out of Apache's document
>>> root. That will work on all sites regardless of whether they have .htaccess
>>> As to the media temple error: Ouch! There's a reason I haven't used shared
>>> hosting for several years!
>> What if you have your wordpress install in a folder called wordpress and
>> the wp-config.php is in here, moving it up one directory would still be
>> in Apache's document root, is it possible to move it up 2 directories
>> and for it to still work?
>> I prefer to have a tidy server and not have non wordpress files mixed in
>> among wordpress files.
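Added example, not part of any message in this thread and not WordPress code: a shell check that classifies an install by the two protections discussed above (wp-config.php outside the document root, or a `<Files wp-config.php>` deny rule in an .htaccess that covers it). The function names and status strings are this example's own, and it assumes only the install directory and its parent are searched for wp-config.php, following the one-level-up advice in the thread.

```shell
#!/usr/bin/env bash
# Print the wp-config.php an install at WPDIR would use. Assumption: only the
# install directory and its parent are candidates, per the advice in the thread.
find_wp_config() {
    local wpdir
    wpdir=$(cd "$1" && pwd -P) || return 1
    if [ -f "$wpdir/wp-config.php" ]; then
        printf '%s\n' "$wpdir/wp-config.php"
    elif [ -f "$(dirname "$wpdir")/wp-config.php" ]; then
        printf '%s\n' "$(dirname "$wpdir")/wp-config.php"
    else
        return 1
    fi
}

# Succeed if DIR/.htaccess has a <Files wp-config.php> block that denies all
# ("deny from all" as posted, or the Apache 2.4 form "Require all denied").
has_deny_rule() {
    [ -f "$1/.htaccess" ] || return 1
    awk '
        { line = tolower($0) }
        line ~ /<files[ \t]+"?wp-config\.php"?[ \t]*>/ { inblk = 1; next }
        line ~ /<\/files>/ { inblk = 0 }
        inblk && line ~ /^[ \t]*(deny[ \t]+from[ \t]+all|require[ \t]+all[ \t]+denied)/ { found = 1 }
        END { exit !found }
    ' "$1/.htaccess"
}

# usage: classify_wp_config DOCROOT WPDIR
classify_wp_config() {
    local docroot cfg dir
    docroot=$(cd "$1" && pwd -P) || return 2
    cfg=$(find_wp_config "$2") || { echo "missing"; return 0; }
    dir=$(dirname "$cfg")
    case "$dir/" in
        "$docroot"/*) ;;                      # config is under the document root
        *) echo "outside-docroot"; return 0 ;;
    esac
    # .htaccess files apply to subdirectories, so walk up to the document root.
    while :; do
        if has_deny_rule "$dir"; then echo "inside-docroot-denied"; return 0; fi
        [ "$dir" = "$docroot" ] && break
        dir=$(dirname "$dir")
    done
    echo "inside-docroot-exposed"             # only the PHP handler protects it
}

if [ "$#" -eq 2 ]; then classify_wp_config "$1" "$2"; fi
```

A result of `inside-docroot-exposed` is the state in which a lost PHP handler, as in the incident described in the thread, would serve the file as plain text.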