Password in wp-config. Dangerous?

I don’t know a lot of WordPress yet, and I’m just wondering:

Before installation you have to fill in the correct data in wp-config-sample.php but this also includes the database password. Isn’t that dangerous? I mean, can someone explain how this is protected from just reading the file and thus getting the password of your DB?

5 comments

  1. The “Hardening WordPress” page of the Codex contains a section on “Securing wp-config.php”. It includes changing the permissions to 440 or 400. You can also move the wp-config file one directory up from the root if your server configuration allows for that.

    Of course there is some danger to having a file with the password like this if someone gets access to your server, but, honestly, at that point they already are in your server.

    Finally, you don’t have much of a choice. I’ve never seen an alternate means of configuring WordPress. You can lock it down as much as you can, but this is how WordPress is built, and if it were a serious security threat, they wouldn’t do it that way.

  2. To make a case for keeping your config file one level up from the web root (as mrwweb suggested): a few months ago, an automatic update on a production server of ours killed PHP but left Apache running. So everyone coming to the homepage was being offered index.php as a download. In theory, anybody who knew it was a WordPress site could have requested wp-config.php, and gotten it (had it been in the web root). Of course, they’d only be able to use those DB credentials if we allowed remote MySQL connections–but still, not cool. I realize this is a fringe case, but it’s so easy to keep your config out of sight, why not do it?
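Putting the two points above together (mode 400 or 440, and the file one directory above the web root rather than inside it) as a small audit script. This is an added example, not code from the thread or from WordPress; the document root is whatever path you pass as the first argument.

```shell
#!/bin/sh
# Added example: audit where wp-config.php lives and how it is permitted.
# Exit 0 when the file is outside the web root AND mode is 400 or 440,
# 1 when a weakness is found, 2 when no wp-config.php is present.

audit_wp_config() {
    docroot=$1
    in_root="$docroot/wp-config.php"
    above_root="$(dirname "$docroot")/wp-config.php"
    status=0

    if [ -f "$in_root" ]; then
        cfg=$in_root
        # A file inside the web root is served verbatim the moment the PHP
        # handler dies (index.php offered as a download, as in comment 2).
        echo "WEAK: $cfg sits inside the web root"
        status=1
    elif [ -f "$above_root" ]; then
        cfg=$above_root
        echo "ok:   $cfg is one directory above the web root"
    else
        echo "no wp-config.php found under $docroot or its parent"
        return 2
    fi

    # GNU stat prints the octal mode with -c %a; BSD/macOS stat uses -f %Lp.
    mode=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg")
    case $mode in
        400|440) echo "ok:   mode $mode on $cfg" ;;
        *)       echo "WEAK: mode $mode on $cfg (expected 400 or 440)"
                 status=1 ;;
    esac
    return $status
}

# Stand-alone usage: sh audit.sh /var/www/html (assumed document root).
if [ -n "${1:-}" ]; then
    audit_wp_config "$1"
fi
```

The script only reports; fixing a finding is `chmod 400 wp-config.php` and moving the file up one directory, as the first answer describes.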