Jump to content
Sign in to follow this  

WP-Security: is moving wp-config outside the web root really good for the security?

Recommended Posts

hello dear freaks, 

One of the most common security questions i came over the last few months was the question of moving wp-config.php one directory higher than the vhost's document root.  Well  - since i am currently working on the setup of several vhosts and web-pages i think bout these things. I 'm assuming it's to minimize the risk of a malicious or infected script within the webroot from reading the database password of my wordpress-installation. one solution could be to expand open_basedir to include the directory above the document root. 
Doesn't that just defeat the entire purpose, and also potentially expose server logs, backups, etc to any attackers that comes along the way?

Or is the technique only trying to prevent a situation where wp-config.php would be shown as plain-text to anyone requesting  http://example.com/wp-config.php, instead of being parsed by the PHP Server engine? That seems like a very rare occurance,  and it wouldn't outweigh the downsides of exposing logs/backups/etc to HTTP requests.

Well  maybe it's possible to move it outside the document root in some hosting setups without exposing other files, but not in other than this setups? Well  - since i am currently working on the setup of several vhosts and web-pages i think bout these things.

some ideas and possible answers have emerged that I think should be considered 
the authoritative ones. 

a real-world example could be like so: 

With wp-config.php in the web root, a request to /wp-config.php would have downloaded the WordPress configuration file to the attacker. 
With wp-config.php outside the web root, a request to /wp-config.php downloaded a completely harmless file. So the hacker would be not harmful.

The real wp-config.php file could not be downloaded. Well that would be very fine. 
Well - i guess that moving wp-config.php outside the web root has some cool security-benefits 


What do you think!?

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Sign in to follow this  

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.