WordPress Security - Secure Your WordPress wp-config Info!
Here is a quick and easy way to add a little more security to your WordPress Blog.
Remember that blog security is often a matter of tweaking little things to make it harder to compromise your blog, thus encouraging the bad guys to go try someone else's site. Just as a car alarm doesn't actually make stealing a car impossible, it makes stealing this car a little less attractive. I'm not sure how great it is for your karma to think of it in terms of encouraging them to go hack someone else, but I can tell you it's great for security.
One item of note is that the WordPress file wp-config.php is a plain-text file in a web-accessible directory. Not only is it web accessible, but it contains the login and password for your blog's database.
Since many other files in the WordPress core call this file, it is impractical to move it to a more secure location. And since other parts of the code need to read the information in it to retrieve your blog's data from the database, you can't just encrypt it either.
What you can do, though, is move the sensitive information inside the file to another location.
Here is the code from the wp-config-sample.php distribution file.
[php]
<?php
// ** MySQL settings ** //
define('DB_NAME', 'putyourdbnamehere'); // The name of the database
define('DB_USER', 'usernamehere'); // Your MySQL username
define('DB_PASSWORD', 'yourpasswordhere'); // ...and password
define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
// You can have multiple installations in one database if you give each a unique prefix
$table_prefix = 'wp_'; // Only numbers, letters, and underscores please!
// Change this to localize WordPress. A corresponding MO file for the
// chosen language must be installed to wp-content/languages.
// For example, install de.mo to wp-content/languages and set WPLANG to 'de'
// to enable German language support.
define ('WPLANG', '');
/* That's all, stop editing! Happy blogging. */
define('ABSPATH', dirname(__FILE__).'/');
require_once(ABSPATH.'wp-settings.php');
?>
[/php]
Lines 3, 4 and 5 contain the really sensitive info: the credentials for getting into your database. Line 11 can also be critical, because some WordPress security exploits require the attacker to know what your table names are.
But since we don't want to make this too complicated, and from the program's standpoint it doesn't matter where this information is stored as long as it can be retrieved, we'll just cut everything from line 2 through line 11 out of the wp-config.php file.
Now, don't just throw this information away, because we still need it. We are going to create a new file to keep this information in.
To make the new file, follow these steps.
- Open: A new blank text document.
- Type: <?php
- Hit: [enter]
- Paste: The lines 2 - 11 that you cut from the wp-config.php file.
- Hit: [enter]
- Type: ?>
- Hit: [delete] a few times to ensure there are no new lines or spaces at the end of the file.
- Save: the file as config-info.php
That's it. Now you have a new file that contains all of the sensitive information about your WordPress blog's database. It will look like this.
[php]
<?php
// ** MySQL settings ** //
define('DB_NAME', 'putyourdbnamehere'); // The name of the database
define('DB_USER', 'usernamehere'); // Your MySQL username
define('DB_PASSWORD', 'yourpasswordhere'); // ...and password
define('DB_HOST', 'localhost'); // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');
// You can have multiple installations in one database if you give each a unique prefix
$table_prefix = 'wp_'; // Only numbers, letters, and underscores please!
?>
[/php]
Now back to the wp-config.php file. We're going to replace the lines we cut with a simple PHP include() statement.
Before we can write that include statement, we'll need to figure out where the new file we made will live. In most hosting environments your WordPress will be installed under a folder called 'public_html'. This is the first web-accessible folder for your site; folders 'above' it are generally not accessible to anyone on the web.
Most hosts have this structure.
/home/username/public_html/
What we want to do is store the new config-info.php in the /home/username/ folder itself (or make a new folder there and store the file in it), so that it sits outside the web-accessible tree.
Now that we have saved our config-info.php we have a path to use in an include(); statement.
It will be /home/username/config-info.php
So our new wp-config.php file looks like this.
[php]
<?php
// Get database info
include('/home/username/config-info.php');
// Change this to localize WordPress. A corresponding MO file for the
// chosen language must be installed to wp-content/languages.
// For example, install de.mo to wp-content/languages and set WPLANG to 'de'
// to enable German language support.
define ('WPLANG', '');
/* That's all, stop editing! Happy blogging. */
define('ABSPATH', dirname(__FILE__).'/');
require_once(ABSPATH.'wp-settings.php');
?>
[/php]
This just tells wp-config.php to pull the settings in from the new file, so everything that relies on wp-config.php still gets them. Save your new wp-config.php file and you are done.
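An added example, not the post's own code, of the include step done a little more defensively: it locates config-info.php relative to wp-config.php instead of hard-coding /home/username, and refuses to continue if the file or any of the moved settings is missing. It assumes the layout in the post, with WordPress directly in public_html and the credentials file named config-info.php one level above it.

```php
<?php
// Added example, not the post's own code: a wp-config.php that pulls the
// database settings in from a file one level above the web root without
// hard-coding /home/username, and refuses to run if anything is missing.
// Assumed layout (as in the post): this file lives in public_html and the
// credentials file is named config-info.php in the directory above it.

// Resolve the parent of the directory holding this wp-config.php.
// realpath() normalises '..' and symlinks so the path is unambiguous.
$config_dir = realpath(dirname(__FILE__) . '/..');
if ($config_dir === false) {
    die('Could not resolve the directory above the web root.');
}
$config_info = $config_dir . '/config-info.php';

// Fail closed: if the credentials file is missing, stop here rather than
// let WordPress carry on with undefined DB_* constants.
if (!is_readable($config_info)) {
    die('Database configuration file is missing or unreadable.');
}
require_once $config_info;

// Every setting the post moved out must now exist. Checking here gives a
// clear message instead of a confusing MySQL "access denied" later.
$required = array('DB_NAME', 'DB_USER', 'DB_PASSWORD',
                  'DB_HOST', 'DB_CHARSET', 'DB_COLLATE');
foreach ($required as $constant) {
    if (!defined($constant)) {
        die("config-info.php did not define $constant.");
    }
}
// $table_prefix is a plain variable; the included file sets it in this scope.
if (!isset($table_prefix) || !preg_match('/^[A-Za-z0-9_]+$/', $table_prefix)) {
    die('config-info.php did not set a valid $table_prefix.');
}

// Everything below is unchanged from the stock wp-config.php.
define('WPLANG', '');
define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
```

Leaving the closing ?> off config-info.php entirely is the surest way to avoid the trailing-whitespace problem that the [delete] step in the list above guards against, since PHP permits omitting it in a file that contains only code.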
There is nothing here that's NSA / Fort Knox level security, but it really is these little things that add up and make it harder, and thus less desirable, to attack your blog.
What did you think of this article? Was it helpful? Do you already do this? Do you plan to implement it? Hit the comment form below and let me know! If you found this post helpful, please consider rating it or sharing it with others.
[...] name (just in case), edited the –sample file, and saved the –sample file as the config file. Read this to learn about the new security [...]
[...] Secure your wp-config.php file, which contains your database username and password. Dane Morgan has this technical guide on to “move the sensitive information inside the file to another [...]
Thanks for sharing...
Thank you, this information was very useful.
You can never be truly secure, but a little obfuscation can never hurt. At the very least this can stop most bots from getting your config information.
-Phil
[...] Protect your wp-config file. [...]
Tony, no single 'fix' is going to completely secure your WordPress installation. There are many fronts on which WordPress (or any other online software platform for that matter) can be attacked and there are people who spend their waking hours seeking out those flaws.
The goal is to develop a security consciousness and to add security measures when they are available. Also, upgrade as soon as possible when a new version is released.
The goal here is to make it more difficult, by removing the easy stuff and the commonly known stuff. Most WordPress blogs are hacked by script kiddies who read about vulnerabilities after the fact and then use automated tools to hack them. The guys who actually find and write the attacks are typically not interested in everyday average blogs.
I tried this and still got hacked. I just commented out my blogroll until WP fixes it, will they??
Nice idea. Shame there's no way to encrypt that data, it wasn't until today that I realized it wasn't...
db
[...] an interesting article here, and from the tips the steps [...]
I too have just been knackered by an attack. I've set up as you've done, so thanks for that. In reply to Gaurav Akrani, I found chmod 640 didn't work. However, the minimum I can get away with is 004. Perhaps I'm reading this chmod stuff back to front?
[...] Dane, by default, WordPress becomes very attractive to hackers. Dane also gives a solution of how moving some sensitive info out of your wp-config.php file can improve your WordPress [...]
Dane,
The search box will do well here :)- you are my #1 source of information on WordPress Troubleshooting!
Just one note, in case there is some one else is as slow as I am :)
/home/username/public_html/
username- should be replaced with actual user name
That's right. You can name the file anything you want to accommodate multiple blogs.
I'm working out a new theme, similar to the one on danemorgan.com right now, and there will be a search box in it. ;)
Hi Dane,
A suggestion. Put a search box on your blog. I need to leave the site and go to Google in order to locate this post. :)
Just a quick question. Presume you have multiple blogs in one account; I am guessing it does not matter what you name the file that contains the sensitive info, right?
The reason I am asking is that I want to place five files in the same directory.
Good catch Stephan! Thanks for pointing that out, I'm correcting it now.
Dane, great call! I've always included the connection details in a file outside the public folder, but I haven't done it with my WordPress site (yet). Everyone should be aware of this, so I'll write your post up when I have time.
One note: above you say "Paste: The lines 2 -4 that you cut from the wp-config.php file.". I think you mean lines 2 - 11 :)
Hope the change went well for you Maurice. Let me know how it went.
Good point Gaurav. CHMODDING files to the least permissive permissions they need is always a good idea.
Cool Info
Also CHMOD wp-config.php to 640.
This is also a good feature to tighten security.
Very useful for non technical folks like me and something I intend to implement in the next day or so.
I didn't realize it was that easy to find such sensitive information and as you say, every little helps.
Good article nice and clearly laid out, thank you.