[wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default

jackie sparks jackie.craig.sparks at live.com
Fri Dec 16 13:37:41 UTC 2011

Well, with file recursion exploits one can usually go as far back as the passwd and group file, so as long as anyone can read it, it can be a problem.

Then from the passwd file you can figure out what accounts are on the system...

> Date: Fri, 16 Dec 2011 13:28:15 +0000
> From: aero.maxx.d at gmail.com
> To: wp-hackers at lists.automattic.com
> CC: jackie.craig.sparks at live.com
> Subject: Re: [wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default
> 
> I just thought it may be too far back in the directory structure, that 
> wordpress would not look for the wp-config.php file 2 directories back 
> and look only 1 directory back.
> 
> On 16/12/2011 12:52, jackie sparks wrote:
> >
> > Why not as long as the user/apache has permission to access it. So I figure it would work with 644( xr-r-r ) permissions
> >
> >> Date: Fri, 16 Dec 2011 12:22:27 +0000
> >> From: aero.maxx.d at gmail.com
> >> To: wp-hackers at lists.automattic.com
> >> Subject: Re: [wp-hackers] Add .htaccess rules to prevent access to wp-config.php by default
> >>
> >> On 15/12/2011 17:10, Mike Little wrote:
> >>> On 15 December 2011 09:00, Liam Gladdy<liam at storm-consultancy.com>   wrote:
> >>>
> >>>> I have a suggestion, too.. Is there any reason why, when wordpress
> >>>> writes its rules to .htaccess, it doesn't also write the security
> >>>> protection to deny all access to wp-config.php? Obviously, for the
> >>>> most part this isn't needed, but this morning media temple had a
> >>>> catastrophic configuration change which led to the PHP handlers not
> >>>> being registered, and all PHP files being downloaded as plain text on
> >>>> one of their clusters.
> >>>>
> >>>> If wordpress wrote a deny rule to .htaccess, this would negate that
> >>>> event opening access to database passwords.
> >>>>
> >>>> I'd suggest something along the lines below are added to the htaccess
> >>>> file by the wordpress installer:
> >>>>
> >>>> <files wp-config.php>
> >>>> order allow,deny
> >>>> deny from all
> >>>> </files>
> >>>>
> >>>> Thanks, and have a great upcoming holiday :)
> >>>>
> >>>>
> >>> Hi Liam,
> >>>
> >>> WordPress does not automatically set up .htaccess files (it can't: some
> >>> hosts don't allow them), but you can move your wp-config.php up one
> >>> directory level (towards root), so that it will be out of Apache's document
> >>> root. That will work on all sites regardless of whether they have .htaccess
> >>> files.
> >>>
> >>> As to the media temple error: Ouch! There's a reason I haven't used shared
> >>> hosting for several years!
> >>>
> >>> Mike
> >> What if you have your wordpress install in a folder called wordpress and
> >> the wp-config.php is in here? Moving it up one directory would still be
> >> in Apache's document root; is it possible to move it up 2 directories
> >> and for it to still work?
> >>
> >> I prefer to have a tidy server and not have non wordpress files mixed in
> >> among wordpress files.
> >> _______________________________________________
> >> wp-hackers mailing list
> >> wp-hackers at lists.automattic.com
> >> http://lists.automattic.com/mailman/listinfo/wp-hackers
> >
> > _______________________________________________
> > wp-hackers mailing list
> > wp-hackers at lists.automattic.com
> > http://lists.automattic.com/mailman/listinfo/wp-hackers
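The thread above proposes a `<Files wp-config.php>` deny rule and discusses moving wp-config.php out of the document root. The following is an added example, not code from the thread or from WordPress itself: a small POSIX shell helper that emits the deny block in both the Apache 2.2 syntax quoted by Liam and the Apache 2.4 `Require` syntax (wrapped in `<IfModule>` so one snippet works on either), appends it idempotently to an `.htaccess`, and checks that wp-config.php is not world-readable on the host. The function names and the `/path/to/wordpress` usage path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not WordPress project code). Emits and installs an
# .htaccess block denying web access to wp-config.php, and checks the
# file's Unix mode. Function names and paths are illustrative assumptions.

# Print the deny block. Apache 2.4 (mod_authz_core) uses "Require all denied";
# Apache 2.2 uses "Order allow,deny" / "Deny from all" as quoted in the thread.
wpconfig_deny_block() {
    cat <<'EOF'
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# Append the block to an .htaccess file only if it is not already there.
# $1 = path to the .htaccess (created if missing). Prints "added" or "present".
ensure_wpconfig_rule() {
    htaccess="$1"
    if [ -f "$htaccess" ] && grep -qi '<Files wp-config.php>' "$htaccess"; then
        echo present
        return 0
    fi
    wpconfig_deny_block >> "$htaccess"
    echo added
}

# Return 0 if $1 exists and its "other" permission bits are 0 (e.g. 640 or
# 600), 1 otherwise. World-readable (644) is what a traversal/LFI bug on a
# shared host would exploit, as the thread points out.
wpconfig_perm_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat first; fall back to the BSD/macOS form if -c is unsupported.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Usage: sh harden-wpconfig.sh /path/to/wordpress   (assumed document root)
if [ -n "$1" ]; then
    ensure_wpconfig_rule "$1/.htaccess"
    if wpconfig_perm_ok "$1/wp-config.php"; then
        echo "wp-config.php mode ok"
    else
        echo "wp-config.php is missing or readable by other users"
    fi
fi
```

Two caveats worth keeping in mind when applying this: an `.htaccess` rule only helps when Apache is actually processing `.htaccess` (AllowOverride permits it) and PHP is being handled, so a second layer such as tighter file permissions or relocating the file is still sensible; and WordPress's wp-load.php looks for wp-config.php in ABSPATH and then exactly one directory above it (and only when no wp-settings.php sits there), so two levels up will not be found without a stub wp-config.php that includes the real one.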

