Protect Your WordPress WP-Config So You Don’t Get Hacked

Wednesday, November 14th, 2007 9:59 pm by Ronald Huereca

Today while at work I was browsing my feeds when I stumbled across a very odd headline: You got h4ck3d!

I thought it was a joke. So I went to the website.

Hacked Website Message

As you can see from the image, the hack is legit. The author promptly removed the post within a few hours and it was like nothing ever had happened.

The way the hacker got in was through the "wp-config.php" file being served as plain text. From that, the hacker can get your database name, and your database username and password. This could have easily been prevented, even if the hacker could read the "wp-config" file.

Protect it the .htaccess Way

Josiah Cole wrote a nice htaccess tutorial on modifying your .htaccess to protect the wp-config.

Here's the code he used:

.htaccess:
  # protect wpconfig.php
  <files wp-config.php>
  order allow,deny
  deny from all
  </files>

Protect the WP-Config by Moving the File

Now one can move the wp-config to an unpredictable location and change the code in the source, but that would be a pain to do with every WordPress upgrade.

How about creating a separate PHP file in a non-WWW accessible location and using the WP-Config to include that file?

Say, for example, that your server's web root is /home/yourname/public_html/. You can save a file in /home/yourname/ and it won't be web accessible, meaning that even if somebody were able to read your wp-config, they wouldn't get anything valuable.

Here are the steps that I took.

Create a "config.php"

Within this config.php file I included the following:

PHP:
  <?php
  define('DB_NAME', 'your_db_name');    // The name of the database
  define('DB_USER', 'your_db_username');     // Your MySQL username
  define('DB_PASSWORD', 'your_db_pass'); // ...and password
  define('DB_HOST', 'localhost');    // 99% chance you won't need to change this value

  // You can have multiple installations in one database if you give each a unique prefix
  $table_prefix  = 'yourdbprefix_';   // Only numbers, letters, and underscores please!
  ?>

I uploaded this file to a non-WWW readable location. Normally this should be the directory before "public_html" or "www".

Modify the WP-Config

I then modified the "wp-config.php" file to include the file. If somebody were to somehow read the contents of my WP-Config, all they would see is this:

PHP:
  <?php
  // Database credentials live outside the web root, in the file created above
  include('/home/yourname/config.php');

  // Change this to localize WordPress.  A corresponding MO file for the
  // chosen language must be installed to wp-includes/languages.
  // For example, install de.mo to wp-includes/languages and set WPLANG to 'de'
  // to enable German language support.
  define ('WPLANG', '');

  /* That's all, stop editing! Happy blogging. */

  define('ABSPATH', dirname(__FILE__).'/');
  require_once(ABSPATH.'wp-settings.php');
  ?>

Please note that the include paths change from server to server, but hopefully you get the idea. Save your sensitive information in a non-WWW location, and have the WP-Config file read it in. This way you won't have to change anything if you have to upgrade WordPress.
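To check that both protections described above are actually in place, here is an added Python audit (not from the article) that inspects constructed sample copies of .htaccess and wp-config.php; the document-root path and file contents are assumptions for illustration. It also accepts the newer Apache 2.4 "Require all denied" form, which the article predates.

```python
import os
import re

# Constructed sample files standing in for a WordPress install (not from the article).
SAMPLE_HTACCESS = """# protect wpconfig.php
<files wp-config.php>
order allow,deny
deny from all
</files>
"""
SAMPLE_WP_CONFIG = """<?php
include('/home/yourname/config.php');
define('ABSPATH', dirname(__FILE__).'/');
require_once(ABSPATH.'wp-settings.php');
"""

SECRET_DEFINES = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")
FILES_BLOCK = re.compile(r"<files\s+wp-config\.php\s*>(.*?)</files>", re.I | re.S)

def htaccess_protects_wp_config(htaccess_text):
    """True if a <Files wp-config.php> block denies all access (Apache 2.2 or 2.4 syntax)."""
    m = FILES_BLOCK.search(htaccess_text)
    if not m:
        return False
    body = m.group(1).lower()
    return "deny from all" in body or "require all denied" in body

def secrets_in_wp_config(wp_config_text):
    """Return the sensitive DB_* constants still defined directly in wp-config.php."""
    found = re.findall(r"define\s*\(\s*['\"](DB_\w+)['\"]", wp_config_text)
    return [name for name in found if name in SECRET_DEFINES]

def included_config_outside_docroot(wp_config_text, docroot):
    """Return the include()d path if it is absolute and outside the web root, else None."""
    m = re.search(r"include(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", wp_config_text)
    if not m or not os.path.isabs(m.group(1)):   # relative paths resolve under the web root
        return None
    path, root = os.path.normpath(m.group(1)), os.path.normpath(docroot)
    if path.startswith(root + os.sep):            # still fetchable if PHP ever stops running
        return None
    return path

def audit(htaccess_text, wp_config_text, docroot):
    """Summarise the two protections from the article as a dict of booleans."""
    return {
        "htaccess_deny": htaccess_protects_wp_config(htaccess_text),
        "no_secrets_in_wp_config": not secrets_in_wp_config(wp_config_text),
        "config_outside_docroot": included_config_outside_docroot(wp_config_text, docroot) is not None,
    }

if __name__ == "__main__":
    print(audit(SAMPLE_HTACCESS, SAMPLE_WP_CONFIG, "/home/yourname/public_html"))
```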

Conclusion

If a person with malicious intent finds your WP-Config file and can actually read the contents, your website is exposed. Devlounge wrote an article earlier today that revealed how easy it is for a hacker to change your password (and get admin access to your blog) using phpMyAdmin.

You can never be too careful about these things, so protect your WP-Config and make sure you have a recent database backup.

If there are any more ways to protect the WP-Config that I didn't already mention, please feel free to add them in the comments.

End of Article. Copyright Devlounge.
  • Post Time November 15, 2007 at 11:14 am (permalink)

    You can simply change the file permissions to local only, users get a 403 error.

  • Post Time November 16, 2007 at 9:22 pm (permalink)

    Found on Stumble, excellent info. Thanks

  • Post Time November 19, 2007 at 3:15 am (permalink)

    thanks, excellent info!

  • Post Time November 22, 2007 at 11:18 pm (permalink)

    Thanks for the tip, I will try this as for double protection.

  • Post Time December 21, 2007 at 3:02 pm (permalink)

    Wow that’s scary. I’ma change mine right away!!

  • Post Time December 30, 2007 at 4:03 am (permalink)

    Wow…that is really scary. I’m going to try and protect it the .htaccess way. Seems like the easiest and a safe way. Thanks for the writeup!

    David

  • Post Time February 20, 2008 at 6:48 am (permalink)

    Not using WP at the moment, but I’ve set up a few. This is really good for everyone out there to remember.
    Don’t depend on Apache to always work with PHP; if it doesn’t, it will send the file in pure text.
