recovering the WordPress Site's Database Password - and hardening it

Hello dear experts,

Today I want to discuss some WordPress hardening ideas: how to recover the WordPress site's database password, the steps, and the question of hardening.

The steps:

- Log in to the Account Control Center 
- Navigate to your WordPress wp-config.php file and click it.
- In the top navbar, click Edit.

See the entry for the DB password.

But what about the "Hardening WordPress" page of the Codex: the page does contain a section on "Securing wp-config.php". There, some hardening ideas are discussed. The hardening ideas and concepts include:

a. changing the permissions on the file to 440 or 400.
b. moving the wp-config file one directory up from the root (only if the server configuration allows for that process).

Furthermore: of course there seems to be some additional danger in having a file with the password like this, especially if someone gets access to the server itself. But at that point the intruders are already in your server. Above all, taking all the considerations into account, we can say: you don't have much of a choice. The alternative means of configuring WordPress are only a few.

To take into consideration: b. "moving the wp-config file one directory up from the root" (only if the server configuration allows for that process). To discuss the case for keeping the config file one level up from the web root:

- What if the intruder kills PHP but leaves Apache running?
- In this case everyone who has the ability to reach the homepage is offered index.php as a downloadable file. This is pretty dangerous.
- Conclusion: all the people who knew that the site in question is a WordPress site could have requested wp-config.php and gotten it (since this file is in the web root).

To finalize this intrusion idea: at this point the intruders would only be able to use those DB credentials. If someone allowed remote MySQL connections, this could be very dangerous.

One can lock everything down as much as one can; at the end we have to say this is how WordPress is built. What about the idea of keeping the config out of sight, why not do it?

What do you think about hardening...!? I look forward to a fruitful discussion.

Have a great day
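As an added example (not part of the post above, and not WordPress's own tooling), the following POSIX shell script applies the two hardening steps the post discusses to a constructed demo tree: it moves wp-config.php one directory above the web root, so a web server that has lost its PHP handler can no longer serve the file as plain text, and it sets mode 400 and verifies that the "others" read bit is gone. The directory layout, file contents and DB password are placeholders built in a temporary directory; WordPress itself (wp-load.php) looks one directory above ABSPATH for wp-config.php when it is not in the web root, which is what makes step b work without a stub file.

```shell
#!/bin/sh
# Added example for hardening wp-config.php. Everything here runs on a
# constructed temporary tree, never on a live site. Assumed layout:
#   $demo_root/htdocs   -> the web root (constructed)
#   $demo_root/htdocs/wp-config.php -> placeholder config (constructed)
set -eu

# others_read FILE: succeed if the "others" read bit is set.
# ls -ld prints the type char followed by 9 permission chars; the 8th
# character is the others-read bit, which keeps this portable without stat.
others_read() {
    case "$(ls -ld "$1")" in
        ???????r*) return 0 ;;
    esac
    return 1
}

# inside_docroot DOCROOT FILE: succeed if FILE lives under DOCROOT,
# i.e. a web server with a broken PHP handler could hand it out raw.
inside_docroot() {
    case "$2" in
        "$1"/*) return 0 ;;
    esac
    return 1
}

# move_config_up DOCROOT: step b from the post. Prints the new path.
# WordPress's wp-load.php checks dirname(ABSPATH)/wp-config.php itself.
move_config_up() {
    target="$(dirname "$1")/wp-config.php"
    mv "$1/wp-config.php" "$target"
    printf '%s\n' "$target"
}

# harden_mode FILE: step a from the post. Owner read-only, then verify
# that group and world can no longer read the database credentials.
harden_mode() {
    chmod 400 "$1"
    if others_read "$1"; then
        echo "mode still world-readable: $1" >&2
        return 1
    fi
    return 0
}

# --- constructed demo tree ---------------------------------------------
demo_root="$(mktemp -d)"
mkdir -p "$demo_root/htdocs"
# Placeholder credentials, not real values.
printf "<?php\ndefine('DB_PASSWORD', 'PLACEHOLDER-NOT-A-REAL-PASSWORD');\n" \
    > "$demo_root/htdocs/wp-config.php"

cfg="$(move_config_up "$demo_root/htdocs")"
harden_mode "$cfg"

if inside_docroot "$demo_root/htdocs" "$cfg"; then
    echo "wp-config.php is still under the web root" >&2
else
    echo "wp-config.php is outside the web root: $cfg"
fi
```

Run it as the user that owns the WordPress files; after mode 400 the file is readable only by its owner, so the PHP process must run as that owner (or the file must be 440 with the web server in the owning group) for WordPress to keep working, which is exactly the trade-off the Codex section describes.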
