[wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default

Aero Maxx aero.maxx.d at gmail.com
Fri Dec 16 13:28:15 UTC 2011


I just thought it may be too far back in the directory structure, that 
WordPress would not look for the wp-config.php file 2 directories back 
and look only 1 directory back.

On 16/12/2011 12:52, jackie sparks wrote:
>
> Why not, as long as the user/Apache has permission to access it. So I figure it would work with 644 (xr-r-r) permissions.
>
>> Date: Fri, 16 Dec 2011 12:22:27 +0000
>> From: aero.maxx.d at gmail.com
>> To: wp-hackers at lists.automattic.com
>> Subject: Re: [wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default
>>
>> On 15/12/2011 17:10, Mike Little wrote:
>>> On 15 December 2011 09:00, Liam Gladdy <liam at storm-consultancy.com> wrote:
>>>
>>>> I have a suggestion, too. Is there any reason why, when WordPress
>>>> writes its rules to .htaccess, it doesn't also write the security
>>>> protection to deny all access to wp-config.php? Obviously, for the
>>>> most part this isn't needed, but this morning Media Temple had a
>>>> catastrophic configuration change which led to the PHP handlers not
>>>> being registered, and all PHP files being downloaded as plain text on
>>>> one of their clusters.
>>>>
>>>> If WordPress wrote a deny rule to .htaccess, this would negate that
>>>> event opening access to database passwords.
>>>>
>>>> I'd suggest something along the lines below is added to the .htaccess
>>>> file by the WordPress installer:
>>>>
>>>> <files wp-config.php>
>>>> order allow,deny
>>>> deny from all
>>>> </files>
>>>>
>>>> Thanks, and have a great upcoming holiday :)
>>>>
>>>>
>>> Hi Liam,
>>>
>>> WordPress does not automatically set up .htaccess files (it can't: some
>>> hosts don't allow them), but you can move your wp-config.php up one
>>> directory level (towards root), so that it will be out of Apache's document
>>> root. That will work on all sites regardless of whether they have .htaccess
>>> files.
>>>
>>> As to the Media Temple error: Ouch! There's a reason I haven't used shared
>>> hosting for several years!
>>>
>>> Mike
>> What if you have your WordPress install in a folder called wordpress and
>> the wp-config.php is in here? Moving it up one directory would still be
>> in Apache's document root. Is it possible to move it up 2 directories
>> and for it to still work?
>>
>> I prefer to have a tidy server and not have non-WordPress files mixed in
>> among WordPress files.
>> _______________________________________________
>> wp-hackers mailing list
>> wp-hackers at lists.automattic.com
>> http://lists.automattic.com/mailman/listinfo/wp-hackers
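
Added example, not part of the thread or of WordPress's own code: a Python check for the two questions raised above, namely whether a relocated wp-config.php is still found and whether it would still be reachable if PHP files were served as plain text. It assumes WordPress's wp-load.php lookup (install directory, then exactly one level up) and that the host honours .htaccess; the function names, result labels and the temporary layout built in demo() are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# <Files wp-config.php> deny block: Apache 2.2 syntax from the thread, or 2.4 "Require all denied".
DENY = re.compile(r'<files\s+"?wp-config\.php"?\s*>.*?'
                  r'(deny\s+from\s+all|require\s+all\s+denied).*?</files>', re.I | re.S)

def locate_config(install_dir):
    """Path of the wp-config.php WordPress would load, or None. Assumption: same
    lookup as wp-load.php (install dir, then one level up unless that parent
    holds its own wp-settings.php); two levels up is never searched."""
    install = Path(install_dir).resolve()
    if (install / "wp-config.php").is_file():
        return install / "wp-config.php"
    up = install.parent
    if (up / "wp-config.php").is_file() and not (up / "wp-settings.php").is_file():
        return up / "wp-config.php"
    return None

def audit(docroot, install_dir):
    """Classify exposure of wp-config.php if PHP files were served as plain text."""
    docroot, cfg = Path(docroot).resolve(), locate_config(install_dir)
    if cfg is None:
        return "not-found"
    if docroot not in cfg.parents:
        return "outside-docroot"
    # A parent's .htaccess applies too; assumes the host honours .htaccess at all.
    for d in cfg.parents:
        ht = d / ".htaccess"
        if ht.is_file() and DENY.search(ht.read_text()):
            return "in-docroot-denied"
        if d == docroot:
            return "in-docroot-exposed"

def demo():
    """Constructed layout: WordPress installed in <tmp>/htdocs/wordpress."""
    root = Path(tempfile.mkdtemp()).resolve()
    htdocs, wp, out = root / "htdocs", root / "htdocs" / "wordpress", {}
    wp.mkdir(parents=True)
    (root / "wp-config.php").touch()                 # two levels above the install
    out["two-up"] = audit(htdocs, wp)
    (htdocs / "wp-config.php").touch()               # one level above the install
    out["one-up"] = audit(htdocs, wp)
    out["one-up, docroot=install"] = audit(wp, wp)   # docroot is the install dir
    (htdocs / ".htaccess").write_text(
        "<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n")
    out["one-up + rule"] = audit(htdocs, wp)
    return out
```

Calling demo() returns one result label per layout; audit() can be pointed at a real document root and install directory instead.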

