Are passwords safe in functions.php?

  • I have succeeded in writing a bit of php that pulls data from another (NOT WORDPRESS) MySQL database, and incorporates that data into my WordPress pages. All good.

    But in order to do that I had to code the db name, admin username & admin password into my functions.php file
    // Create connection
    $servername = “localhost”;
    $username = “myusername”;
    $password = “mypassword”;
    $dbname = “myusername”;
    $conn = new mysqli($servername, $username, $password, $dbname);
    etc…

    It all works, but this has me nervous that if anyone could view my functions.php file, then they would have my database admin username & password.

    I’m a relative newbie at wordpress, php & mysql. How can I hard code a db admin username & password into a php file, yet protect this from prying eyes?

    I’ve done a bit of research on the internet, including reading this – https://www.artofblog.com/wordpress-security ; but I don’t feel that I’ve got an answer.

    Thanks in advance

Viewing 2 replies - 1 through 2 (of 2 total)
  • catacaustic

    (@catacaustic)

    It dpeends on who you think will be able to see it. There’s a couple of possibilities…

    • The gernal public – If the values are in a PHP file and are not echo’d anywhere, then they are safe. The server parses all PHP files before they are output so that only the HTML code is shown. Anything that’s normal PHP code, including variables won’t be shown as that’s all procesed before anythings sent back to the user.
    • Other users on your hosting server – Possible, but very unlikely with modern hosting server platforms. Pretty much every commercial hosting server these days doesn’t allow users to view, read, write, etc other users files. The only exception to that is if you set up the file permissions wrong. If you haven’t set anything you should be fine, it’s only when you go playing around with this that they actually break.
    • Hackers – If a hacker can see your files, you’ve got more to worry about than ahard-coded password!! Clean up your site, block wich ever hole they got in through and change the password for that database.

    Remember that WordPress not only hard-codes the main database settings in your wp-config.php file, it also sets these using define() so they are always available everywhere thorugh the script. If there was an issue with it, the way that WordPress is running now would be no good, so frommy point of view there’s really not much to be concerned about.

    Thread Starter KimDW

    (@kimdw)

    Thanks Catacaustic

    A nice clear explanation.

    It sounds like I need to do the general security steps outlined in other documentation/posts, and that should take care of the specific question – passwords in php files – that I had.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Are passwords safe in functions.php?’ is closed to new replies.