WordPress Ideas » Topic: Change wp-config.php to different name for security reason https://wordpress.org/ideas/topic/change-wp-configphp-to-different-name-for-security-reason WordPress Ideas » Topic: Change wp-config.php to different name for security reason en-US Mon, 12 Jun 2017 01:56:58 +0000 http://bbpress.org/?v=1.1 Silko on "Change wp-config.php to different name for security reason" https://wordpress.org/ideas/topic/change-wp-configphp-to-different-name-for-security-reason#post-31204 Tue, 27 Dec 2016 14:01:16 +0000 Silko 31204@https://wordpress.org/ideas/ Protection your wp-config.php can be easy, please have a look: https://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

]]> Ipstenu (Mika Epstein) on "Change wp-config.php to different name for security reason" https://wordpress.org/ideas/topic/change-wp-configphp-to-different-name-for-security-reason#post-31178 Tue, 20 Dec 2016 01:11:37 +0000 Ipstenu (Mika Epstein) 31178@https://wordpress.org/ideas/ DO NOT EDIT CORE FILES

DO NOT EDIT CORE FILES

DO NOT EDIT CORE FILES

DO NOT EDIT CORE FILES

Seriously. No. Stop. Don't do it. You are a fool if you do it.

]]> nhantam on "Change wp-config.php to different name for security reason" https://wordpress.org/ideas/topic/change-wp-configphp-to-different-name-for-security-reason#post-31170 Sat, 17 Dec 2016 09:15:24 +0000 nhantam 31170@https://wordpress.org/ideas/ First: You can rename wp-config.php = config.php
Second: replace all require 'wp-config.php' = require 'configs.php';

Regards

]]> adinugroho on "Change wp-config.php to different name for security reason" https://wordpress.org/ideas/topic/change-wp-configphp-to-different-name-for-security-reason#post-26371 Sat, 05 Apr 2014 01:49:18 +0000 adinugroho 26371@https://wordpress.org/ideas/ Hi,
Yes we can move the wp-config.php to the home folder but how if we have some subdomain for example /home/x/www/sub1/, /home/x/www/sub2/? we can't put both wp-config.php at /home/x/www/ and also it will overwrite the wp-config.php on main domain.
At least we can one step ahead from the intruder before he found another method. I was check many intruder scripts and it create symlink to CMS configuration from their name, ex: wp-config.php, configuration.php, config.php, etc.
Most of the scripts bruteforce all names and hope they lucky
/home/*/wp-config.php
/home/*/www/wp-config.php
/home/*/www/*/wp-config.php

They can't read it if they not do the symlink first.
If we change the wp-config.php name, they can't read our database name, username and password.

]]> Ipstenu (Mika Epstein) on "Change wp-config.php to different name for security reason" https://wordpress.org/ideas/topic/change-wp-configphp-to-different-name-for-security-reason#post-26370 Fri, 04 Apr 2014 15:59:40 +0000 Ipstenu (Mika Epstein) 26370@https://wordpress.org/ideas/ DO NOT EDIT CORE FILES LIKE THAT

NO! Never. 1989danielb please do not suggest that. It's a terrible idea, all your changes will be lost when you upgrade and your site will break.

Okay. Now that we're all NOT editing core....

You can move the wp-config.php file one level up. So if you install WP here:

/home/public_html/index.php (etc)

The config can go in the NON web-accessible folder:

/home/wp-config.php

However. The concept that renaming that file will 'help' is not actually so. First of all, you have to be able to have a 'common' file to tell WP 'this is where I live' and since WP is open source, any reasonable hacker would be able to write a script that checks what your site is calling instead of wp-config.php

Sometimes intruder coming to my server and use symlink to read any wp-config.php files in whole server.

THIS is bad, horrible, dear god get a new webhost, levels of security holes. A GOOD server does not allow user A to read ANY files from User B. A symlink could be made, but would be unreadable because of permissions.

And still, renaming won't matter if I can run a server side scan for all files with the wp-config 'headers'

Unless of course the intruder gets in with root access, at which point nothing matters at all.

]]> 1989danielb on "Change wp-config.php to different name for security reason" https://wordpress.org/ideas/topic/change-wp-configphp-to-different-name-for-security-reason#post-26368 Fri, 04 Apr 2014 12:34:08 +0000 1989danielb 26368@https://wordpress.org/ideas/ Couldn't you just use a program such as NetBeans to do a search and replace on all instances of wp-config.php within the WordPress directory? I don't think any references to the file are in the database.

As in you change the filename to something like "template-home.php" and then set NetBeans to find and replace any and all instances of wp-config.php to "template-home.php". Then anything pointing to the old config file name will be changed.

Not sure if it works, but it could be a temporary solution while you wait for any changes/plugins :)

]]> adinugroho on "Change wp-config.php to different name for security reason" https://wordpress.org/ideas/topic/change-wp-configphp-to-different-name-for-security-reason#post-26367 Fri, 04 Apr 2014 04:45:58 +0000 adinugroho 26367@https://wordpress.org/ideas/ Hi,
I handle hundreds of WordPress site in my server. Sometimes intruder coming to my server and use symlink to read any wp-config.php files in whole server. If we can change the wp-config.php name easily in future, that will increase the WordPress security.

]]>