• Hello,

    As the title suggests, I’m wondering if it’s possible for a plugin to access the wp-config.php constants like DB_* or any of the SALT/KEY auth keys?

    • This topic was modified 3 years, 5 months ago by Jan Dembowski. Reason: Moved to Fixing WordPress, this is not an Everything else WordPress topic
  • Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    Moved to Fixing WordPress, this is not an Everything else WordPress topic.

    Can plugins read the credentials from wp-config.php?

    Yes. Is there a concern about that you are worried about?

    Any file readable by WordPress can be read by a plugin or theme running on that same WordPress installation, although they don’t need to, as all of that is defined or set as PHP variables when the wp-config.php file is read.

    Why bother reading the file when you can just use the values set in those files?

    Thread Starter alexwillo

    (@alexwillo)

    Yes, by read, I meant accessing these variables.

    Is there a concern about that you are worried about?

    Not from a specific plugin but in general, isn’t it a big risk?

    Hi @alexwillo – The plugins can read all data and files. Just like any 3rd party libraries (e.g., Node.js and Python packages) are used in the websites. You need to trust the plugins/packages, or you can develop all functionalities yourself. There are always issues with security. It’s necessary to scan the websites regularly.

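A static check for both access paths described in the replies above (using the values wp-config.php defines, or reading the file itself), as an added example that is not part of the original thread. The rule names, function names and sample plugin source are constructed for illustration, and the scan is a heuristic that obfuscated code can evade.

```python
import re

# Constants defined in wp-config.php: database credentials and auth keys/salts.
SECRETS = ("DB_NAME|DB_USER|DB_PASSWORD|DB_HOST|AUTH_KEY|SECURE_AUTH_KEY|"
           "LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|"
           "LOGGED_IN_SALT|NONCE_SALT")

# String literals are matched first so "//" inside a URL is not taken for a comment.
_STR_OR_COMMENT = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|/\*.*?\*/|(?://|#)[^\n]*""", re.S)

RULES = [
    # Bare use of the constant, e.g. $pw = DB_PASSWORD;
    ("constant", re.compile(r"(?<![\w'\"$>:])(%s)(?![\w'\"(])" % SECRETS)),
    # Lookup by name, e.g. constant('AUTH_KEY')
    ("dynamic", re.compile(r"\bconstant\s*\(\s*['\"](%s)['\"]" % SECRETS)),
    # Reading the file itself rather than the defined values
    ("file-read", re.compile(
        r"\b(?:file_get_contents|fopen|file|readfile|highlight_file)"
        r"\s*\([^;]*(wp-config\.php)")),
]

def strip_comments(php):
    def blank(m):
        # Keep string literals; blank comments but preserve their newlines.
        return m.group(1) or "\n" * m.group(0).count("\n")
    return _STR_OR_COMMENT.sub(blank, php)

def scan(php):
    """Return sorted (line, rule, match) findings for one PHP source string."""
    code = strip_comments(php)
    hits = set()
    for rule, rx in RULES:
        for m in rx.finditer(code):
            hits.add((code.count("\n", 0, m.start(1)) + 1, rule, m.group(1)))
    return sorted(hits)

# Constructed sample plugin source (not from any real plugin).
SAMPLE = '''<?php
// DB_PASSWORD is only mentioned in this comment
$site = 'https://example.test/'; // URL keeps its slashes
if (defined('DB_PASSWORD')) {
    $pw  = DB_PASSWORD;
    $key = constant('AUTH_KEY');
}
$raw = file_get_contents(ABSPATH . 'wp-config.php');
'''

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A finding is a prompt to review why the plugin touches that value, not proof of misuse.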