Moving Your WordPress Configuration File Outside Web Root - Is There Any Security Benefit?

WordPress uses a file called wp-config.php to store important settings. Among other things, it contains the user name and password for your database. It is therefore crucial for the security of your website that no one can read the contents of this file.
The configuration file (wp-config.php) lives in the web root directory by default, but under normal circumstances its contents are not accessible to the public. If you try to open it in a browser, you'll notice that you get no output at all: the PHP interpreter executes the file and produces nothing.
It is very common advice to move wp-config.php one directory above the web root for security reasons. If WordPress is installed in public_html, on most servers that means moving it to /home/username.
If you can not read the contents of the file why fix it?
That's a good question. The only reason to protect the configuration file is the rare case where the PHP handler on the server is broken or disabled, so that the file's contents are served to the public as plain text.
In that case, everyone would have access to your database user name and password simply by pointing a browser at [http://yourwebsite.com/wp-config.php]. It is true that moving wp-config.php one directory up would protect the database information in that situation, but it is not the best choice, for several reasons...
Why moving wp-config is not a good idea

1. The only way for someone to see your wp-config.php file is by bypassing the server's PHP interpreter. If that happens, you are in trouble anyway: it means the server has been hacked and the attacker has complete control over your site. So wherever you move wp-config.php, the attacker will be able to find it.

2. Most hosting companies use open_basedir protection, which means that when a PHP script tries to open a file, the file's location is checked, and if it is outside the directory specified by open_basedir, the file is not opened. So if a hacker manages to inject a malicious PHP script into your site, that script only has access to that specific directory. Moving the configuration file above the web root means you have to widen the scope of open_basedir to allow PHP to access files outside the web root. As a result, every PHP script will now have access to all the directories outside the web root. There is a lot of sensitive information outside the web root, such as logs and backups. Letting PHP access that information is not a good idea.

3. You can protect wp-config.php with .htaccess rules that deny HTTP requests to it. This way you get the same level of protection without moving the file and without widening open_basedir. Just add the following snippet to the .htaccess file in the root of the site:

    <Files wp-config.php>
    Order allow,deny
    Deny from all
    </Files>

Here's my advice: do not move wp-config.php. There is no reason to move it when you can simply reject HTTP requests to it from .htaccess. This way you get the same level of protection without having to widen open_basedir.
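As an added example (not part of the original post), here is the same deny rule written for both Apache 2.2 (the Order/Deny syntax shown above) and Apache 2.4 (Require), plus a virtual-host-level open_basedir setting that illustrates point 2: PHP stays confined to the document root, which is exactly the restriction you would have to loosen if wp-config.php were moved above it. The paths /home/username/public_html and /tmp are placeholders, and the php_admin_value line assumes mod_php in an Apache virtual host; with PHP-FPM the equivalent goes in the pool configuration instead.

```apache
# .htaccess in the WordPress root (added example, not from the original post)
<Files "wp-config.php">
    # Apache 2.4 and newer: mod_authz_core provides Require
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: Order/Deny from mod_authz_host (on 2.4 these only work
    # when mod_access_compat is loaded, so they are guarded here)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Virtual-host setting (mod_php only; paths are placeholders), if you
# control the server config: restrict PHP file access to the web root
# and a temp directory. Moving wp-config.php to /home/username would
# force this list to include /home/username, exposing logs, backups and
# anything else stored there to every PHP script on the site.
php_admin_value open_basedir "/home/username/public_html:/tmp"
```

To check that the rule is in effect, request wp-config.php over HTTP after saving the file: the server should now answer 403 Forbidden instead of a 200 with an empty body. If your host runs Apache 2.4 without mod_access_compat, only the Require block applies, which is why both forms are included.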
Does protecting wp-config.php make your website 100% bulletproof? Of course not. But it is still a security measure that could discourage an attacker.
Don't get too invested in protecting this file, though: having its contents displayed in plain text is very rare, and if it happens it means the security of your server has already been compromised in some way. Don't give priority to such a minor issue over the things that really matter, like keeping WordPress updated and using strong passwords.
