In case you haven’t been acquainted yet, let me introduce you to your wp-config.php file. If you run a self-hosted WordPress.org blog, your wp-config.php contains your MySQL database username, your MySQL database password, your WordPress authentication keys and other sensitive information. With this information, a hacker or script kiddie gets access to every piece of content on your WordPress blog, giving them free rein to delete your posts, insert malicious code, backlink to illegal porn sites, or whatever else they want.
By default, wp-config.php sits in the same folder as your WordPress blog. So, if the homepage of your blog is at mysite.com/blog, so is your wp-config.php. That’s not as reckless as it seems, since .php files are server-side scripts that are processed by the server. When you are looking at a .php file, you are actually looking at the output of the file. The same goes for when you view the source. The only way to download the raw code of a .php file is via FTP.
But, just because you can’t normally access a .php file doesn’t mean you are always safe…
Accidents happen, and vulnerabilities exist. If your web server’s PHP configuration breaks down, your MIME types aren’t set up correctly or your web server is otherwise misconfigured, your webpage could end up serving plain text instead of processed PHP output; that is just a few examples. And, just like being depantsed during a pep rally in the high school auditorium, it only takes a split-second and before you can get your knickers back on they’ve seen everything. Yeah, they’ve seen it all.
In this groovyPost, I’ll show you how to keep your wp-config.php with your MySQL database usernames and passwords safe(r). While no website or blog is 100% un-hackable, this quick tip will make hacking your WordPress blog more difficult for would-be intruders than a site that hasn’t taken these precautions. Usually just being more secure than your neighbor is enough to deter a would-be hacker’s efforts to a site other than your own. Remember, if you are ever in the woods with a group of people and a bear shows up -you don’t have to run faster than the bear, just faster than the other people. (and all joking aside, Bear mace is your best bet if you are ever really in that situation)
Moving Your wp-config.php File
With the correct file permissions and a correctly configured web server, keeping your wp-config.php file in the same public folder as the rest of your blog should be perfectly fine. But, when it comes to protecting your website, security is an onion (or Ogre apparently); the more layers, the more of it you got.
The WordPress Codex affirms this sentiment, and recommends that you move your wp-config.php away from its default install location. WordPress.org self-hosted blogs allow you to move your wp-config.php up one level from your blog’s root. That’s all well and good, but for most web servers, one level up from your blog root is still a public_html folder. You’re best off putting it in a folder that’s not a subdirectory of your public_html or WWW folder. That way, the chances of someone reaching it via a web browser or any other HTTP application is virtually nil.
Here’s what you do:
Access your WordPress.org site via an FTP program and navigate to the root.
Download wp-config.php to your hard drive.
Rename it to something other than wp-config.php.
Make it something nonsensical, so someone who stumbles upon it (perhaps someone who has hacked into your shared server via SSH) might not recognize it for what it is. So, instead of calling it “off-site-wordpress-config.php” call it “futurama-fan-fic.php.”
Upload your renamed wp-config.php file to a folder above your public_html or www folder. Personally, I created an entire directory for off-site config files. But it’s probably safer to put them somewhere more random.
The most important thing is to put it outside of your www or public_html folder.
Open up notepad or your other favorite php editor.
Create a new wp-config.php file that contains only the following code:
Replace the directory here with the server location of your renamed wp-config.php file. Note that this isn’t a URL, it’s a path relative to your server location. So, making it:
will NOT work.
As you’ve probably gathered, what this will do is essentially create a “shortcut” to your actual wp-config.php file. So, if someone does hack your wp-config.php file in your WordPress directory, all they’ll find is a file pointing to another file.
For fun, you may want to add a comment that reads:
// Thank you Mario! But our princess is in another castle!
Upload your new wp-config.php file to your WordPress root. Overwrite the old one (you backed it up first, right?).
That’s it! Navigate to your WordPress.org blog root to ensure that it worked.
If you get an error that reads:
Warning: include(/www.yourdomain.com/location/futurama-fan-fic.php’) [function.include]: failed to open stream: No such file or directory in/home/usr/public_html/blog.com/wp-config.php on line 2
Fatal error: Call to undefined function wp() in /wp-blog-header.php on line 14
Then it means that you typed in the server location wrong in your modified wp-config.php file. If you’re having trouble determining the absolute path of your blog, create a .php file with the following code in it:
<?php echo $_SERVER[‘DOCUMENT_ROOT’]; ?>
This will show you the absolute path for whatever directory the file is in and will also illuminate how to move above the public_html folder.
If you get an error message that reads:
There doesn’t seem to be a
wp-config.phpfile. I need this before we can get started. Need more help? We got it. You can create a
wp-config.phpfile through a web interface, but this doesn’t work for all server setups. The safest way is to manually create the file.
Then it means that there’s no wp-config.php file in your WordPress.org root. Double-check that you uploaded the modified wp-config.php to your WordPress.org root or the folder just above it and the renamed wp-config.php file to another location, rather than vice-versa.
Will moving your wp-config.php make your blog bulletproof? Certainly not. But it’s just one of the steps you can take towards making your website or blog more secure. And for me, it helps me sleep better at night—just like putting an extra chain or deadbolt on the door.
Note: Before you go mucking around your file structure, make sure you back things up and feel comfortable with what you’re doing. You could seriously mess up your WordPress blog if you delete the wrong thing. You’ve been warned.