How to Protect WordPress wp-config.php
We know wp-config.php is the most important file in WordPress: it defines important configuration data for the MySQL database. I have seen many articles about protecting this file, and using .htaccess is the most popular method. But which method will make your wp-config.php more secure?
1. Basic protection of wp-config.php
Adding this code to your .htaccess file will prevent wp-config.php from being accessed directly.
# Apache 2.2 syntax; Apache 2.4 uses "Require all denied" (the old form needs mod_access_compat)
<files wp-config.php>
order allow,deny
deny from all
</files>
This gives the wp-config.php file some protection.
2. Change Permissions for wp-config.php
If wp-config.php has been chmod-ed to 644 (no write privilege except for the owner), an attacker must obtain top-level privileges or he cannot overwrite this file. That is not an easy thing to do, and it depends on your system's security. If write permission has not been removed from wp-config.php, an attacker may modify it as soon as he finds a script or upload vulnerability.
3. Move wp-config.php to another directory
Another way is to move wp-config.php to the parent directory of the WordPress directory. WordPress will keep working without any problems, but if you are using plugins that load wp-config.php from the WordPress root, you may need to make the related changes in their code. This also protects your wp-config.php from being accessed directly.
4. Care about Script Injection
Even after you have tried all of these, the methods above in fact do little to protect wp-config.php: because it is a .php file, an attacker gets nothing from it even if he visits wp-config.php directly, as long as the Apache server is running normally. So what is the greatest risk to wp-config.php? I think the greatest risks are:
- Being viewed as plain text
- Being modified with unauthorized code
For the first risk, nothing is shown while your Apache server is working properly, because a .php file must pass through the server's interpreter. But if an attacker finds a vulnerability in Apache or WordPress, such as script injection or an upload flaw, he can get all the information in wp-config.php, like this:
<?php $fname='wp-config.php'; print_r(file_get_contents($fname)); ?>
But to modify wp-config.php he must obtain top-level privileges. So what should we do?
- Changing the permissions of wp-config.php is necessary.
- Watch for flaws in your system and keep it upgraded.
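The checks from sections 1 to 3, combined into one audit script. This is an added example, not code from the original article; the helper name audit_wp_config is hypothetical, and it assumes that a wp-config.php found in the parent directory sits outside the web server's document root.

```python
import os
import re
import stat
import sys

# Added example; audit_wp_config is a hypothetical helper name.
# <Files wp-config.php> block with a deny rule: Apache 2.2 "deny from all"
# (as in section 1) or Apache 2.4 "Require all denied".
DENY_BLOCK = re.compile(
    r'<files\s+"?wp-config\.php"?\s*>.*?'
    r'(deny\s+from\s+all|require\s+all\s+denied).*?</files>',
    re.IGNORECASE | re.DOTALL,
)

def audit_wp_config(wp_root):
    """Return a list of findings (an empty list means every check passed)."""
    wp_root = os.path.abspath(wp_root)
    in_root = os.path.join(wp_root, "wp-config.php")
    # Assumption: the parent directory is outside the document root.
    in_parent = os.path.join(os.path.dirname(wp_root), "wp-config.php")
    if os.path.isfile(in_root):
        config = in_root
    elif os.path.isfile(in_parent):
        config = in_parent  # section 3: file moved one directory up
    else:
        return ["wp-config.php not found in the WordPress root or its parent"]

    findings = []
    # Section 2: nobody but the owner should be able to write the file.
    mode = stat.S_IMODE(os.stat(config).st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {mode:o} is writable by group or others")

    # Section 1: the .htaccess rule only matters while the file is in the web root.
    if config == in_root:
        rules = ""
        htaccess = os.path.join(wp_root, ".htaccess")
        if os.path.isfile(htaccess):
            with open(htaccess, encoding="utf-8", errors="replace") as fh:
                # Drop commented-out lines so a disabled rule does not count.
                rules = "".join(ln for ln in fh if not ln.lstrip().startswith("#"))
        if not DENY_BLOCK.search(rules):
            findings.append("no active <Files wp-config.php> deny rule in .htaccess")
    return findings

if __name__ == "__main__":
    for finding in audit_wp_config(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("FINDING:", finding)
```

Run it with the WordPress directory as its only argument. A clean result does not cover the script-injection case from section 4, where code running as the web server reads the file from disk.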