• Is there any instance in which the config file is requested this way?

    GET /force-download.php?file=../wp-config.php
    GET /wp-content/themes/epic/includes/download.php?file=wp-config.php
    GET /wp-content/plugins/abtest/abtest_admin.php?action=../../../wp-config.php

    These specific examples I listed “here” are in fact some hacker looking for exploitable plugins. Does WP itself do this anywhere, or am I correct in surmising that neither WP nor any legit plugin would cause requests like this? Or, at least, if they did, it would only be accessible under /wp-admin/:

    GET /wp-admin/tools.php?page=backup_manager&download_backup_file=../wp-config.php

Viewing 4 replies - 1 through 4 (of 4 total)
  • I don’t think it needs to be downloaded as above as it’s executed on the web server when it’s connecting to your WordPress website.

    Like you say it would be a hacker looking for the information in that file like gaining access to your database.

    With plugins the database connection would already be set up, and if the plugin had access to this file then the programmer or hacker would have your details, so I wouldn’t think plugins would need to access or download this file.

    You are right, all of those are hacker scripts looking for known vulnerabilities to download your config file.

    WordPress doesn’t do a public call over http to the config file. It uses PHP’s internal require_once() function, and that is only done on the file system. Anything that’s called over http should never include that file like that.

    Thread Starter nonwpuser (@nonwpuser)

    Awesome. Thank you.
    And what about error_log?
    Is it “read into” by WP and then displayed internally, or does a site owner generally pull it up by browser:
    https://mysite.tld/error_log

    Nope. Again that’s an external script searching for vulnerabilities. Error log files can have some information in them that can be useful.
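Both the wp-config.php probes quoted in the opening post and the error_log request discussed above can be picked out of a web server access log automatically. The following is an added example, not code from this thread or from WordPress; the log lines and IP addresses are constructed, and the detection rule is the one the replies state: WordPress never fetches either file over HTTP, so any request naming them comes from an external scan.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (combined-log style, fake IPs); only the
# request patterns are taken from the thread above.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /force-download.php?file=../wp-config.php HTTP/1.1" 404 209
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/abtest/abtest_admin.php?action=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 404 209
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /error_log HTTP/1.1" 403 199
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /wp-admin/tools.php?page=backup_manager HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /wp-content/themes/epic/style.css HTTP/1.1" 200 8120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Files WordPress reads only from the filesystem (require_once), never over
# HTTP, so any request naming them comes from an external scanner.
SENSITIVE_FILES = ("wp-config.php", "error_log")


def probe_reason(target):
    """Return why a request target looks like a config/log probe, or None if benign."""
    # Decode twice so %2F and double-encoded %252F both normalize to '/'.
    decoded = unquote(unquote(target)).lower()
    parts = urlsplit(decoded)
    for name in SENSITIVE_FILES:
        if parts.path.endswith("/" + name):
            return f"direct request for {name}"
        if name in parts.query:
            how = "with traversal" if "../" in parts.query else "as parameter value"
            return f"{name} in query string {how}"
    return None


def scan_log(text):
    """Return (ip, status, target, reason) for every probe-looking line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reason := probe_reason(m["target"])):
            hits.append((m["ip"], int(m["status"]), m["target"], reason))
    return hits


if __name__ == "__main__":
    for ip, status, target, reason in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}  <- {reason}")
```

The response status is kept in the output because a 200 on one of these requests, rather than the expected 403/404, is the line worth investigating first.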

  • The topic ‘Is a request with wp-config.php in the query string ever legit ?’ is closed to new replies.