The Easiest WordPress Security Tip Ever!


Sometimes you encounter a tip which is so simple you can’t believe you didn’t know about it before.

If you’re running WordPress, you’ll have defined a wp-config.php file which contains essential settings such as the MySQL database host, name, user and password. It normally sits in the location where WordPress was installed — in most cases this will be the web server root but it could be any sub-folder.

You certainly don’t want wp-config.php falling into the wrong hands. Under normal circumstances, a naughty cracker cannot view the file because the PHP interpreter would parse it and return an empty page. However:

  • The cracker will know exactly where the file is located and can target it more effectively.
  • If PHP fails, e.g. perhaps during an update, wp-config.php could be viewed directly in a browser by entering the URL.

Ready for the simple tip…

Move the wp-config.php file into the folder above your WordPress installation.

For example, you may have a folder structure such as /home/mysite/public_html/ where WordPress is installed. In that case, you would move wp-config.php into /home/mysite/.

This has several benefits:

  1. Assuming /home/mysite/public_html/ was the web server’s root folder, /home/mysite/ is inaccessible to anyone using a browser.
  2. A cracker has less chance of locating the correct file.
  3. It’s so simple, there’s little reason not to do it!
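
The move described above can be scripted with the checks that make it safe. This is an added example, not code from the original article: `relocate_wp_config` and its two arguments are names chosen here. It relies on WordPress looking for wp-config.php one folder above the installation, which it only does when that folder has no wp-settings.php of its own.

```shell
#!/bin/sh
# Added example: move wp-config.php one level above a WordPress install,
# but only when that parent folder is outside the web server's root.
# Usage: relocate_wp_config <wordpress_dir> <document_root>
relocate_wp_config() {
    # Resolve both paths so symlinks and trailing slashes cannot fool the check.
    wp_dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "no such folder: $1" >&2; return 2; }
    docroot=$(cd "$2" 2>/dev/null && pwd -P) || { echo "no such folder: $2" >&2; return 2; }
    parent=$(dirname "$wp_dir")

    [ -f "$wp_dir/wp-config.php" ] || { echo "wp-config.php not found in $wp_dir" >&2; return 2; }

    # If WordPress lives in a sub-folder of the web root, its parent is the
    # web root (or below it) and the file would still be reachable by URL.
    case "$parent/" in
        "$docroot"/*) echo "refusing: $parent is still web-accessible" >&2; return 1 ;;
    esac

    # WordPress ignores a parent-folder wp-config.php when that folder
    # contains wp-settings.php, i.e. another WordPress install.
    [ ! -e "$parent/wp-settings.php" ] || { echo "refusing: $parent holds another install" >&2; return 1; }

    # Never overwrite a file that is already there.
    [ ! -e "$parent/wp-config.php" ] || { echo "refusing: $parent/wp-config.php exists" >&2; return 1; }

    mv "$wp_dir/wp-config.php" "$parent/wp-config.php" && echo "moved to $parent/wp-config.php"
}

# Run directly, e.g.: sh relocate.sh /home/mysite/public_html /home/mysite/public_html
if [ "$#" -eq 2 ]; then
    relocate_wp_config "$1" "$2"
fi
```

A return status of 1 means the move was refused because it would not have taken the file out of reach of a browser, or would have broken the site.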

Perhaps this won’t be the most exciting tech article you read today, but it’s useful to know. I hope it helps with your security efforts.

Craig Buckler

Craig is a freelance UK web consultant who built his first page for IE2.0 in 1995. Since that time he's been advocating standards, accessibility, and best-practice HTML5 techniques. He's created enterprise specifications, websites and online applications for companies and organisations including the UK Parliament, the European Parliament, the Department of Energy & Climate Change, Microsoft, and more. He's written more than 1,000 articles for SitePoint and you can find him @craigbuckler.
