WordPress Security - Secure Your WordPress wp-config Info!
Here is a quick and easy way to add a little more security to your WordPress Blog.
Remember that blog security is often a matter of tweaking little things to make your blog harder to compromise, which encourages the bad guys to go try someone else's site instead. A car alarm doesn't make stealing a car impossible; it just makes stealing this particular car a little less attractive. I'm not sure how great it is for your karma to think of it in terms of encouraging them to go hack someone else, but I can tell you it's great for security.
One item of note is that the WordPress file wp-config.php is a plain-text file sitting in a web-accessible directory. Not only is it web accessible, but it contains the login and password for your blog's database.
Since many other files within the WordPress core code call this file, it is impractical to move the file itself to a more secure location. And since other parts of the code need to read the information in this file to be able to retrieve your blog's data from the database, you can't just encrypt it either.
What you can do, though, is move the sensitive information inside the file to another location.
Here is the code from the wp-config-sample.php distribution file.
<?php
// ** MySQL settings ** //
define('DB_NAME', 'putyourdbnamehere');    // The name of the database
define('DB_USER', 'usernamehere');         // Your MySQL username
define('DB_PASSWORD', 'yourpasswordhere'); // ...and password
define('DB_HOST', 'localhost');            // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

// You can have multiple installations in one database if you give each a unique prefix
$table_prefix  = 'wp_';   // Only numbers, letters, and underscores please!

// Change this to localize WordPress.  A corresponding MO file for the
// chosen language must be installed to wp-content/languages.
// For example, install de.mo to wp-content/languages and set WPLANG to 'de'
// to enable German language support.
define ('WPLANG', '');

/* That's all, stop editing! Happy blogging. */

define('ABSPATH', dirname(__FILE__).'/');
require_once(ABSPATH.'wp-settings.php');
?>
Lines 3, 4 and 5 contain the really sensitive info: how to get into your database. Line 11 can also be critical, because some WordPress security exploits require the attacker to know what your table names are.
Since we don't want to make this too complicated, and since from the program's standpoint it doesn't matter where this information is stored so long as it can be retrieved, we'll simply cut everything from line 2 through line 11 out of the wp-config.php file.
Now, don't just throw this information away, because we still need it. We are going to create a new file to keep it in.
To make the new file, follow these steps.
- Open: A new blank text document.
- Type: <?php
- Hit: [enter]
- Paste: The lines 2 - 11 that you cut from the wp-config.php file.
- Hit: [enter]
- Type: ?>
- Hit: [delete] a few times to ensure there are no new lines or spaces at the end of the file.
- Save: the file as config-info.php
That's it. Now you have a new file that contains all of the sensitive information about your WordPress blog's database. It will look like this.
<?php
// ** MySQL settings ** //
define('DB_NAME', 'putyourdbnamehere');    // The name of the database
define('DB_USER', 'usernamehere');         // Your MySQL username
define('DB_PASSWORD', 'yourpasswordhere'); // ...and password
define('DB_HOST', 'localhost');            // 99% chance you won't need to change this value
define('DB_CHARSET', 'utf8');
define('DB_COLLATE', '');

// You can have multiple installations in one database if you give each a unique prefix
$table_prefix  = 'wp_';   // Only numbers, letters, and underscores please!
?>
Now back to the wp-config.php file. We're going to replace the lines we cut with a simple PHP include() statement.
Before we can write that include statement, we'll need to figure out where the new file we made will live. In most hosting environments your WordPress will be installed under a folder called 'public_html'. This is the first web accessible folder for your site. Folders 'above' this one are generally not accessible by anyone on the web.
Most hosts have this structure.
/home/username/public_html/
What we want to do is store the new config-info.php in the /username/ level folder (or make a new folder there and store the file in it).
Now that we have saved our config-info.php we have a path to use in an include(); statement.
It will be /home/username/config-info.php
So our new wp-config.php file looks like this.
<?php
// Get database info
include('/home/username/config-info.php');

// Change this to localize WordPress.  A corresponding MO file for the
// chosen language must be installed to wp-content/languages.
// For example, install de.mo to wp-content/languages and set WPLANG to 'de'
// to enable German language support.
define ('WPLANG', '');

/* That's all, stop editing! Happy blogging. */

define('ABSPATH', dirname(__FILE__).'/');
require_once(ABSPATH.'wp-settings.php');
?>
This just tells wp-config.php to grab the info from the new file so that the file that called it in the first place will have access to it. Save your new wp-config.php file and you are done.
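The cut-and-paste steps above are easy to get slightly wrong: an off-by-one on the line range, a stray newline after the closing tag, or the new file accidentally saved somewhere under public_html. The following POSIX shell script is an added example, not code from this post or from WordPress; it performs the same relocation and then checks the result. The line range, the destination path and the document root are all assumptions you pass in as arguments, and the wp-config.php it edits is whatever file you point it at.

```shell
#!/bin/sh
# Added example, not part of the original post or of WordPress: automate the
# relocation described above. Assumptions: the sensitive settings occupy one
# contiguous line range of wp-config.php, and the destination directory
# already exists outside the web root.

# Copy lines START..END of SRC into DEST, wrapped in <?php ... ?> with no
# newline after the closing tag (anything after ?> would be sent to the
# browser before WordPress' own output). The new file holds secrets, so it
# gets owner-only permissions; loosen to 640 only if the web server shares
# the file's group.
extract_config_info() {
    src=$1; dest=$2; start=$3; end=$4
    {
        printf '<?php\n'
        sed -n "${start},${end}p" "$src"
        printf '?>'
    } > "$dest"
    chmod 600 "$dest"
}

# Replace lines START..END of SRC (wp-config.php) with the two-line include
# stanza the post writes by hand, pointing at INCLUDE_PATH.
rewrite_wp_config() {
    src=$1; start=$2; end=$3; include_path=$4
    tmp="$src.tmp.$$"
    # Print every line outside the cut range; where the range began, emit the
    # include instead. q carries a literal single quote into awk.
    awk -v s="$start" -v e="$end" -v p="$include_path" -v q="'" '
        NR == s { print "// Get database info"; print "include(" q p q ");" }
        NR < s || NR > e { print }
    ' "$src" > "$tmp" && mv "$tmp" "$src"
}

# Succeed (exit 0) only if FILE does not live under DOCROOT, i.e. the new
# file is not reachable through the web server's document tree.
outside_docroot() {
    file="$(cd "$(dirname "$1")" && pwd)/$(basename "$1")"
    docroot="$(cd "$2" && pwd)"
    case "$file" in
        "$docroot"/*) return 1 ;;
        *)            return 0 ;;
    esac
}

# Example run (hypothetical paths; substitute your own):
#   extract_config_info /home/username/public_html/wp-config.php /home/username/config-info.php 2 11
#   rewrite_wp_config   /home/username/public_html/wp-config.php 2 11 /home/username/config-info.php
#   outside_docroot     /home/username/config-info.php /home/username/public_html && echo "outside web root"
```

The awk step writes exactly the two lines the post inserts by hand, and outside_docroot compares the resolved path of the new file against the web root, which is the check the post's "folders above public_html" advice relies on. Keep a backup of wp-config.php before running the rewrite.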
There is nothing here that's NSA / Fort Knox level security, but it really is these little things that add up and make it harder, and thus less desirable, to attack your blog.
What did you think of this article? Was it helpful? Do you already do this? Do you plan to implement it? Hit the comment form below and let me know! If you found this post helpful, please consider rating it or sharing it with others.
Comments
August 11th, 2007 at 6:44 pm
Very useful for non technical folks like me and something I intend to implement in the next day or so.
I didn’t realize it was that easy to find such sensitive information and as you say, every little helps.
Good article nice and clearly laid out, thank you.
August 30th, 2007 at 5:12 am
Cool Info
Also CHMOD wp-config.php to 640.
This is also a good feature to tighten the security.
September 1st, 2007 at 9:33 pm
Hope the change went well for you Maurice. Let me know how it went.
Good point Gaurav. CHMODDING files to the least permissive permissions they need is always a good idea.
September 10th, 2007 at 7:53 pm
Dane, great call! I’ve always included the connection details in a file outside the public folder, but I haven’t done it with my WordPress site (yet). Everyone should be aware of this, so I’ll write your post up when I have time.
One note: above you say “Paste: The lines 2 -4 that you cut from the wp-config.php file.”. I think you mean lines 2 - 11
September 10th, 2007 at 11:03 pm
Good catch Stephan! Thanks for pointing that out, I’m correcting it now.
October 12th, 2007 at 8:54 am
Hi Dane,
A suggestion. Put a search box on your blog. I need to leave the site and go to Google in order to locate this post.
Just a quick question. Presume you have multiple blogs in on account, I am guessing it does not matter what you name the file that contains the sensitive info, right?
The reason I am asking is that I want to place five files in the same directory.
October 12th, 2007 at 9:01 pm
That’s right. You can name the file anything you want to accommodate multiple blogs.
I’m working out a new theme, similar to the one on danemorgan.com right now, and there will be a search box in it.
October 15th, 2007 at 11:43 am
Dane,
The search box will do well here :)- you are my #1 source of information on WordPress Troubleshooting!
Just one note, in case there is some one else is as slow as I am
/home/username/public_html/
username- should be replaced with actual user name
October 23rd, 2007 at 8:04 pm
I too have just been knackered by an attack. I’ve set up as you’ve done, so thanks for that. In reply to Gaurav Akrani, I found chmod 640 didn’t work. However, the minimum I can get away with is 004. Perhaps I’m reading this chmod stuff back to front?
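The comments above disagree about whether 640 or 004 is the right mode. As an added example, not from the post or any of its commenters, here is a small POSIX shell helper that spells out what a three-digit mode grants and checks whether a file is world-readable. The digits are read left to right as owner, group, other: 640 lets the owner read and write, lets the group read, and gives everybody else nothing, so a web server running as a different account that is not in the file's group gets "permission denied". 004 grants read only to "other", which is every account on the host, so the file becomes world-readable while its owner loses access. Which mode works on a given host therefore depends on what user the web server runs as; the check below reports the one thing that matters most for a secrets file, namely whether accounts outside the owner and group can read it.

```shell
#!/bin/sh
# Added example (not from the post or its comments): decode a three-digit
# octal mode and test a file for world-readability. Assumes a POSIX ls(1)
# whose first column is the usual ten-character permission string.

# Translate one octal digit (0-7) into its rwx triplet.
triplet() {
    case $1 in
        0) echo '---' ;; 1) echo '--x' ;; 2) echo '-w-' ;; 3) echo '-wx' ;;
        4) echo 'r--' ;; 5) echo 'r-x' ;; 6) echo 'rw-' ;; 7) echo 'rwx' ;;
        *) return 1 ;;
    esac
}

# Expand a mode such as 640 into "owner=rw- group=r-- other=---".
# Digits are read left to right: owner, group, other (everyone else,
# including a web server running as an unrelated user).
explain_mode() {
    m=$1
    [ "${#m}" -eq 3 ] || return 1
    o=$(triplet "${m%??}") || return 1
    g=$(triplet "$(echo "$m" | cut -c2)") || return 1
    w=$(triplet "${m#??}") || return 1
    echo "owner=$o group=$g other=$w"
}

# Succeed if FILE is readable by "other". Character 8 of the ls -l
# permission string is the other-read bit on both GNU and BSD systems.
world_readable() {
    perms=$(ls -ld "$1" | cut -c1-10)
    [ "$(printf '%s' "$perms" | cut -c8)" = r ]
}

# Apply MODE to FILE, print what it means, and warn if the result still
# leaves the file readable by every account on the host.
set_and_check() {
    chmod "$1" "$2" || return 1
    explain_mode "$1" || return 1
    if world_readable "$2"; then
        echo "WARNING: $2 is readable by every account on the host"
        return 2
    fi
    echo "OK: $2 is not world-readable"
}

# Example (hypothetical path): set_and_check 600 /home/username/config-info.php
```

If the web server cannot read the file at 640, the fix is to make the file's group one the server belongs to, not to hand read access to "other".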
November 19th, 2007 at 11:22 am
Nice idea. Shame there’s no way to encrypt that data, it wasn’t until today that I realized it wasn’t…
db
November 30th, 2007 at 11:30 am
I tried this and still got hacked. I just commented out my blogroll until WP fixes it, will they??
December 2nd, 2007 at 7:33 am
Tony, no single ‘fix’ is going to completely secure your WordPress installation. There are many fronts on which WordPress (or any other online software platform for that matter) can be attacked and there are people who spend their waking hours seeking out those flaws.
The goal is to develop a security consciousness and to add security measures when they are available. Also upgrading as soon as possible when a new version is released.
The goal here is to make it more difficult, by removing the easy stuff and the commonly known stuff. Most WordPress blogs are hacked by script kiddies who read about vulnerabilities after the fact and then use automated tools to hack them. The guys who actually find and write the attacks are typically not interested in everyday average blogs.
February 29th, 2008 at 10:19 am
Thank you, this information was very useful.
You can never be truly secure, but a little obfuscation can never hurt.
At the very least this can stop most bots from getting your config information.
-Phil
March 18th, 2008 at 3:34 pm
Thanks for sharing…