Hi,
I handle hundreds of WordPress site in my server. Sometimes intruder coming to my server and use symlink to read any wp-config.php files in whole server. If we can change the wp-config.php name easily in future, that will increase the WordPress security.
Change wp-config.php to different name for security reason
-
adinugroho
InactivePosted: 3 years ago # -
1989danielb
MemberCouldn't you just use a program such as NetBeans to do a search and replace on all instances of wp-config.php within the WordPress directory? I don't think any references to the file are in the database.
As in you change the filename to something like "template-home.php" and then set NetBeans to find and replace any and all instances of wp-config.php to "template-home.php". Then anything pointing to the old config file name will be changed.
Not sure if it works, but it could be a temporary solution while you wait for any changes/plugins :)
Posted: 3 years ago # -
Ipstenu (Mika Epstein)
AdministratorDO NOT EDIT CORE FILES LIKE THAT
NO! Never. 1989danielb please do not suggest that. It's a terrible idea, all your changes will be lost when you upgrade and your site will break.
Okay. Now that we're all NOT editing core....
You can move the wp-config.php file one level up. So if you install WP here:
/home/public_html/index.php (etc)
The config can go in the NON web-accessible folder:
/home/wp-config.php
However. The concept that renaming that file will 'help' is not actually so. First of all, you have to be able to have a 'common' file to tell WP 'this is where I live' and since WP is open source, any reasonable hacker would be able to write a script that checks what your site is calling instead of wp-config.php
Sometimes intruder coming to my server and use symlink to read any wp-config.php files in whole server.
THIS is bad, horrible, dear god get a new webhost, levels of security holes. A GOOD server does not allow user A to read ANY files from User B. A symlink could be made, but would be unreadable because of permissions.
And still, renaming won't matter if I can run a server side scan for all files with the wp-config 'headers'
Unless of course the intruder gets in with root access, at which point nothing matters at all.
Posted: 3 years ago # -
InactiveHi,
Yes we can move the wp-config.php to the home folder but how if we have some subdomain for example /home/x/www/sub1/, /home/x/www/sub2/? we can't put both wp-config.php at /home/x/www/ and also it will overwrite the wp-config.php on main domain.
At least we can one step ahead from the intruder before he found another method. I was check many intruder scripts and it create symlink to CMS configuration from their name, ex: wp-config.php, configuration.php, config.php, etc.
Most of the scripts bruteforce all names and hope they lucky
/home/*/wp-config.php
/home/*/www/wp-config.php
/home/*/www/*/wp-config.phpThey can't read it if they not do the symlink first.
If we change the wp-config.php name, they can't read our database name, username and password.Posted: 3 years ago # -
nhantam
InactiveFirst: You can rename wp-config.php = config.php
Second: replace all require 'wp-config.php' = require 'configs.php';Regards
Posted: 5 months ago # -
AdministratorDO NOT EDIT CORE FILES
DO NOT EDIT CORE FILES
DO NOT EDIT CORE FILES
DO NOT EDIT CORE FILES
Seriously. No. Stop. Don't do it. You are a fool if you do it.
Posted: 5 months ago # -
Silko
MemberProtection your wp-config.php can be easy, please have a look: https://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php
Posted: 5 months ago #
Reply
You must log in to post.
