[wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default

Barry Carlyon barry at barrycarlyon.co.uk
Tue Dec 20 11:51:51 UTC 2011


Like the Media Temple problem, with the PHP being served as plain text.
With a wp-config.php in the accessible folder you can just stick an
include(../../path to file); anywhere on the system linking to the actual
file.

WP only looks one directory up, which is annoying since it should use
$_SERVER['DOCUMENT_ROOT'] and go one up from there, methinks.

On Fri, Dec 16, 2011 at 1:37 PM, jackie sparks <jackie.craig.sparks at live.com
> wrote:

>
> Well with file recursion exploits one can usually go as far back as the
> passwd and group file so as long as anyone can read it it can be a problem.
>
> Then from the passwd file you can figure out what accounts are on the
> system...
>
> > Date: Fri, 16 Dec 2011 13:28:15 +0000
> > From: aero.maxx.d at gmail.com
> > To: wp-hackers at lists.automattic.com
> > CC: jackie.craig.sparks at live.com
> > Subject: Re: [wp-hackers] Add .htaccess rules to prevent access to
> wp-config.php by default
> >
> > I just thought it maybe too far back in the directory structure that
> > wordpress would not look for the wp-config.php file 2 directories back
> > and look only 1 directory back.
> >
> > On 16/12/2011 12:52, jackie sparks wrote:
> > >
> > > Why not as long as the user/apache has permission to access it. So I
> figure it would work with 644( xr-r-r ) permissions
> > >
> > >> Date: Fri, 16 Dec 2011 12:22:27 +0000
> > >> From: aero.maxx.d at gmail.com
> > >> To: wp-hackers at lists.automattic.com
> > >> Subject: Re: [wp-hackers] Add .htaccess rules to prevent access to
> wp-config.php by default
> > >>
> > >> On 15/12/2011 17:10, Mike Little wrote:
> > >>> On 15 December 2011 09:00, Liam Gladdy<liam at storm-consultancy.com>
>   wrote:
> > >>>
> > >>>> I have a suggestion, too.. Is there any reason why, when wordpress
> > >>>> writes its rules to .htaccess, it doesn't also write the security
> > >>>> protection to deny all access to wp-config.php? Obviously, for the
> > >>>> most part this isn't needed, but this morning media temple had a
> > >>>> catastrophic configuration change which led to the PHP handlers not
> > >>>> being registered, and all PHP files being downloaded as plain text
> on
> > >>>> one of their clusters.
> > >>>>
> > >>>> If wordpress wrote a deny rule to .htaccess, this would negate that
> > >>>> event opening access to database passwords.
> > >>>>
> > >>>> I'd suggest something along the lines below are added to the
> htaccess
> > >>>> file by the wordpress installer:
> > >>>>
> > >>>> <files wp-config.php>
> > >>>> order allow,deny
> > >>>> deny from all
> > >>>> </files>
> > >>>>
> > >>>> Thanks, and have a great upcoming holiday :)
> > >>>>
> > >>>>
> > >>> Hi Liam,
> > >>>
> > >>> WordPress does not automatically set up .htaccess files (it can't:
> some
> > >>> hosts don't allow them), but you can move your wp-config.php up one
> > >>> directory level (towards root), so that it will be out of Apache's
> document
> > >>> root. That will work on all sites regardless of whether they have
> .htaccess
> > >>> files.
> > >>>
> > >>> As to the media temple error: Ouch! There's a reason I haven't used
> shared
> > >>> hosting for several years!
> > >>>
> > >>> Mike
> > >> What if you have your wordpress install in a folder called wordpress
> and
> > >> the wp-config.php is in here, moving it up one directory would still
> be
> > >> in Apache's document root, is it possible to move it up 2 directories
> > >> and for it to still work ?
> > >>
> > >> I prefer to have a tidy server and not have non wordpress files mixed
> in
> > >> among wordpress files.
> > >> _______________________________________________
> > >> wp-hackers mailing list
> > >> wp-hackers at lists.automattic.com
> > >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> > >
>
>



-- 
Barry Carlyon
Freelance Web Developer
Freelance Lighting/AV Engineer

http://barrycarlyon.co.uk

mobile: 07729 048 443
skype: barrycarlyon
email: barry at barrycarlyon.co.uk
msn: barry at barrycarlyon.co.uk
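As an added example (not part of this thread and not WordPress's own code), the Python check below models the two mitigations discussed above: it mirrors the wp-config.php lookup as I understand wp-load.php to do it (ABSPATH, then exactly one directory up, assumed to be skipped when that parent is itself a WordPress install), reports whether the file it would load still sits inside Apache's DocumentRoot, and checks whether DocumentRoot/.htaccess carries Liam's `<files wp-config.php>` deny block (or its Apache 2.4 equivalent). The directory layout in demo() is constructed to match the "install in a folder called wordpress" case from the thread.

```python
import os
import re
import tempfile

def locate_wp_config(abspath):
    """Mirror wp-load.php (assumed): ABSPATH, then one level up unless the parent is a WP install."""
    here = os.path.join(abspath, "wp-config.php")
    if os.path.isfile(here):
        return here
    parent = os.path.dirname(os.path.abspath(abspath))
    up = os.path.join(parent, "wp-config.php")
    if os.path.isfile(up) and not os.path.isfile(os.path.join(parent, "wp-settings.php")):
        return up
    return None  # two or more levels up is never consulted

def in_document_root(path, docroot):
    """True when the file lies under Apache's DocumentRoot, i.e. it is URL-addressable."""
    return os.path.commonpath([os.path.abspath(path), os.path.abspath(docroot)]) == os.path.abspath(docroot)

# Liam's Apache 2.2 block, or the 2.4 equivalent "Require all denied".
DENY_RE = re.compile(r'<files\s+"?wp-config\.php"?\s*>.*?'
                     r'(deny\s+from\s+all|require\s+all\s+denied).*?</files>', re.I | re.S)

def htaccess_denies_config(docroot):
    path = os.path.join(docroot, ".htaccess")
    return os.path.isfile(path) and bool(DENY_RE.search(open(path).read()))

def assess(docroot, abspath):
    """What WP would load, whether Apache could serve it as plain text, and whether .htaccess blocks that."""
    cfg = locate_wp_config(abspath)
    if cfg is None:
        return {"found": False}
    return {"found": True, "exposed": in_document_root(cfg, docroot),
            "htaccess_rule": htaccess_denies_config(docroot)}

def demo():
    """Constructed layout from the thread: DocumentRoot/wordpress/ holds the install."""
    root = tempfile.mkdtemp()
    docroot, wp = os.path.join(root, "htdocs"), os.path.join(root, "htdocs", "wordpress")
    os.makedirs(wp)
    open(os.path.join(wp, "wp-settings.php"), "w").close()
    open(os.path.join(docroot, "wp-config.php"), "w").close()  # moved one level up
    one_up = assess(docroot, wp)                                # found, but still inside DocumentRoot
    with open(os.path.join(docroot, ".htaccess"), "w") as fh:  # now add Liam's deny block
        fh.write("<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n")
    one_up_htaccess = assess(docroot, wp)
    os.remove(os.path.join(docroot, "wp-config.php"))           # instead, two levels up
    open(os.path.join(root, "wp-config.php"), "w").close()
    two_up = assess(docroot, wp)                                 # out of Apache's reach, and WP's too
    return {"one_up": one_up, "one_up_htaccess": one_up_htaccess, "two_up": two_up}
```

The "two_up" result is the answer to the question raised earlier in the thread: a config placed above DocumentRoot is safe from the plain-text-handler failure, but a sub-directory install will not find it there.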
