Published by John Hoff on 07 Sep 2008 at 06:08 pm
Securing Your WordPress Blog: Post 6 - Protecting The wp-config.php File
Imagine a file that anyone could open and read, containing things like your:
- Database password
- Database name
- Database host name
- Table prefix and the secret keys WordPress uses to sign login cookies
That doesn't sound like the kind of file you'd want lying around where anyone can get at it, does it?
Well, I have news for you: such a file exists, and it's called wp-config.php.
Browsers never see the contents of a .php file directly: the web server runs the script and sends back only its output, and wp-config.php produces none. That protection depends entirely on the PHP handler being wired up correctly, though. If the handler is disabled, misconfigured, or half-way through an upgrade, Apache falls back to serving the file as plain text, and the whole thing, credentials included, goes out to whoever asked. The same goes for backup copies an editor leaves beside it (wp-config.php~, wp-config.php.bak), which depending on how PHP is hooked in may never be handled by PHP at all. Since wp-config.php is the most sensitive file in a WordPress install, it deserves a second, independent layer of protection. Here's a quick way to limit access to it using .htaccess.
Protect wp-config.php With .htaccess
As we saw in Post 4: Setting Up .htaccess in this series, the .htaccess file is vital to the security of your website. It’s also relatively easy to set up - just create a file and name it .htaccess and then paste in some code.
Here's a little more code to drop into the .htaccess file in your site root to restrict access to this critical file:
```apacheconf
# to protect the .htaccess file itself (Apache's stock config already does
# this; repeating it here guards against a host that changed that default)
<Files .htaccess>
order deny,allow
deny from all
</Files>
# to protect wp-config.php: refuse every request for it with 403 Forbidden,
# whether or not PHP would have executed it
<Files wp-config.php>
order allow,deny
deny from all
</Files>
```
Try a quick test. In your browser, request the path to your wp-config.php file. If WordPress is installed in your root directory it will look something like this:
http://your-site.com/wp-config.php
You'll probably see a blank page. That means PHP executed the file and it printed nothing, which is fine today but relies on the handler never failing. Once the .htaccess rule is in place the server refuses the request outright and returns a 403 Forbidden page, as mine does. You can confirm the status code from a terminal with curl -I http://your-site.com/wp-config.php, which should report 403 Forbidden rather than 200 OK.
Bonus Tip - Restrict Access To Your Plugins Directory
As I will touch on in the next post, a vulnerable plugin can give an attacker back-door access to your blog's files, and an attacker who can read your plugin list knows exactly which names and versions to look up. Therefore it is wise to limit both who can access your /plugins directory and what it reveals.
Try going to http://your-blog.com/wp-content/plugins and see whether the page that comes up lists all your plugins.
If you're new to this, I bet that was an eye-opener. Here's how to restrict access to that folder and, more importantly, better protect your whole /wp-content directory. (The listing itself comes from Apache's directory index feature; Options -Indexes in .htaccess turns that off on its own, but the rules below go further and refuse every request under /wp-content that isn't for a static asset.) Create a .htaccess file inside your /wp-content directory and drop in the following code.
NOTE: This may cause some plugins to stop working. Any plugin that has the browser request a .php file directly under /wp-content will now get a 403 instead. For example, the Ajax Edit Comments plugin will not work with this .htaccess file.
```apacheconf
# block direct requests for this .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>
# deny everything under /wp-content by default...
Order Allow,Deny
Deny from all
# ...then re-allow only static assets. For files that match, Apache applies
# this section's access rules instead of the directory-level ones above, so
# "Allow from all" takes effect. <Files ~ "..."> is the older spelling of
# <FilesMatch "...">; the quotes must be plain ASCII quotes, not curly ones.
<FilesMatch "\.(css|jpe?g|htm|png|gif|js|xsl)$">
Allow from all
</FilesMatch>
```
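Both snippets above use the Apache 2.2 access-control syntax (Order, Allow, Deny). On Apache 2.4 those directives only work when the optional mod_access_compat module is loaded; the native syntax is Require. The following is an added example, not from the original post, that carries both rules over to Apache 2.4. It goes slightly beyond the original in one place: the wp-config.php pattern also matches backup copies such as wp-config.php~ and wp-config.php.bak, which, depending on how PHP is hooked into the server, may be served as plain text.

```apacheconf
# ---- /.htaccess (site root), Apache 2.4 syntax ----

# wp-config.php plus any backup copy an editor leaves beside it
# (wp-config.php~, wp-config.php.bak, wp-config.php.orig, ...)
<FilesMatch "^wp-config\.php">
    Require all denied
</FilesMatch>

# Apache's stock httpd.conf already denies .ht* files; repeating it here
# costs nothing if a host has changed that default.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# ---- /wp-content/.htaccess, Apache 2.4 syntax ----

# deny everything under /wp-content by default...
Require all denied

# ...then allow only static assets. With the default AuthMerging Off, the
# Require inside <FilesMatch> replaces the directory-level one for files
# that match, so these are served normally.
<FilesMatch "\.(css|jpe?g|htm|png|gif|js|xsl)$">
    Require all granted
</FilesMatch>
```

The two halves go into two different files, as the comments indicate; the per-directory .htaccess only applies if the virtual host's AllowOverride setting permits it, so if the rules appear to have no effect, check that first.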
If you decide to implement the above .htaccess file to better secure your /wp-content folder and it causes a plugin to stop working, you'll have to ask yourself: is the plugin more important than this added layer of security? Bear in mind, too, that the allow list covers only the extensions shown; anything else uploaded to /wp-content/uploads, such as PDF or ZIP files, will be blocked as well until you add its extension to the list.
For me, yes.
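The two tests in this post are done by hand in a browser. As an added example, not part of the original post, here is a small Python 3 script that runs both checks plus one more: it requests wp-config.php, the plugins directory, and a static asset, and reports which of the states described above each one is in (source served as text, blank page from PHP, or 403 from the server), and whether the asset allow list still lets a real file through. The site URL and the asset path are assumptions: the default asset is the stylesheet of the theme WordPress 2.x shipped with, so change it to any CSS or image file that exists under your /wp-content/.

```python
"""Audit the wp-config.php / wp-content .htaccess rules from the outside.

Added example, not from the original post.
Usage:  python3 wp_htaccess_audit.py https://your-site.com
"""
import sys
import urllib.error
import urllib.request

# Hypothetical asset path: the stylesheet of the theme WordPress 2.x shipped
# with. Point it at any CSS/JS/image file that exists under /wp-content/.
DEFAULT_ASSET = "/wp-content/themes/default/style.css"


def fetch(url):
    """Return (status, first 4 KiB of body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-htaccess-audit"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def check_wp_config(status, body):
    """403 is the goal. 200 with an empty body means PHP executed the file
    (nothing leaked, but one broken handler away from it); 200 with the
    DB_PASSWORD define in it means the source is being served as text."""
    if status == 403:
        return True, "blocked by the web server"
    if status == 200 and "DB_PASSWORD" in body:
        return False, "SOURCE IS BEING SERVED: database credentials are exposed"
    if status == 200:
        return False, "executed by PHP (blank page); add the .htaccess rule"
    return False, "unexpected status %d" % status


def check_plugins_dir(status, body):
    """A directory listing shows up as 200 with Apache's 'Index of' page."""
    if status == 200 and "Index of" in body:
        return False, "directory listing is enabled; plugin names are visible"
    if status == 403:
        return True, "blocked by the web server"
    return True, "no listing (status %d)" % status


def check_asset(status, body):
    """The allow list in /wp-content/.htaccess must still serve assets."""
    return status == 200, "status %d" % status


def audit(base_url, asset_path=DEFAULT_ASSET, fetch=fetch):
    """Run all three checks; returns {name: (ok, reason)}.

    `fetch` is injectable so the verdict logic can be exercised offline."""
    base = base_url.rstrip("/")
    probes = [
        ("wp-config.php", "/wp-config.php", check_wp_config),
        ("/wp-content/plugins/", "/wp-content/plugins/", check_plugins_dir),
        ("static asset", asset_path, check_asset),
    ]
    return {name: check(*fetch(base + path)) for name, path, check in probes}


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "http://localhost"
    failed = False
    for name, (ok, reason) in audit(site).items():
        print("%-22s %s  %s" % (name, "OK  " if ok else "FAIL", reason))
        failed |= not ok
    sys.exit(1 if failed else 0)
```

Run it once before adding the .htaccess rules and once after: the first run should flag wp-config.php (blank page) and, if listings are on, the plugins directory; the second should show all three checks passing, with the asset still returning 200.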
Related Posts
- Securing Your WordPress Blog: Post 4 - Setting Up .htaccess
- Fluffy’s Guide To Securing Your WordPress Blog - Post 1
- Securing Your WordPress Blog: Post 5 - What To Do If Your Blog Is Cracked
- Securing Your WordPress Blog: Post 7 of 7 - Final Thoughts
- Securing Your WordPress Blog: Post 3 - Obscuring Your Database Tables