• wp-config.php resides in the same directory as index.php, and MUST be readable by the PHP engine. Database access data is stored in this file, so it needs to be hidden from the outside world.
    There are several ways to do it but whatever method you use, I think it’s better to store this data in a place that cannot be accessed by the webserver itself (there should be no mapping of this location in the webserver configuration).
    I implemented this as follows:

    1. Store the database data in a separate file, stored in a location without mapping in the server configuration, so the webserver cannot access it – but the PHP engine can.
    2. Remove this data from wp-config, and instead add this statement:
    require_once ('the db-access file');

    If wp-config.php is now retrieved showing the text, the database access data is not shown, and since the mapping to this data is not within the server’s configuration, it cannot be accessed that way.
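
A way to audit the layout described in this post, written as an added example that is not part of the original thread. It assumes the document root stands in for "mapped in the webserver configuration" (aliases are not inspected) and that relative includes resolve against wp-config.php's directory; `audit_split_config`, `build_sample` and the file name `db-access.php` are hypothetical names.

```python
import re
import stat
from pathlib import Path

# The standard WordPress database constants, as define('DB_...', ...) lines.
DB_DEFINE = re.compile(r"define\s*\(\s*['\"](DB_(?:NAME|USER|PASSWORD|HOST))['\"]")
# Only literal-path includes, e.g. require_once ('/srv/private/db-access.php');
REQUIRE = re.compile(r"require(?:_once)?\s*\(?\s*['\"]([^'\"]+)['\"]")

def audit_split_config(docroot, wp_config):
    """Return a list of findings; an empty list means the layout matches the post."""
    docroot = Path(docroot).resolve()
    wp_config = Path(wp_config).resolve()
    text = wp_config.read_text()
    findings = [f"{name} is still defined in {wp_config.name}"
                for name in DB_DEFINE.findall(text)]
    secrets = []
    for target in REQUIRE.findall(text):
        # Assumption: relative includes are resolved against wp-config.php's directory.
        path = (wp_config.parent / target).resolve()
        if path.is_file() and DB_DEFINE.search(path.read_text()):
            secrets.append(path)
    if not secrets:
        findings.append("no included file defines the DB_* constants")
    for path in secrets:
        if docroot in path.parents:  # symlinks already resolved above
            findings.append(f"{path.name} is inside the document root")
        if path.stat().st_mode & stat.S_IROTH:
            findings.append(f"{path.name} is world-readable")
    return findings

def build_sample(root, secrets_dir):
    """Constructed sample tree: docroot 'public', DB file placed in secrets_dir."""
    root = Path(root)
    (root / "public").mkdir()
    (root / secrets_dir).mkdir(exist_ok=True)
    db = root / secrets_dir / "db-access.php"
    db.write_text("<?php\ndefine('DB_NAME', 'wp');\n"
                  "define('DB_PASSWORD', 'example-only');\n")
    db.chmod(0o640)  # readable by owner and group only
    cfg = root / "public" / "wp-config.php"
    cfg.write_text(f"<?php\nrequire_once ('{db}');\n$table_prefix = 'wp_';\n")
    return root / "public", cfg

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(audit_split_config(*build_sample(tmp, "private")))
```

The permission check only flags a world-readable file; any account that can read wp-config.php as the PHP user can still follow the include path it contains.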

  • Keep in mind this is called ‘security through obscurity,’ and though it can make you feel more secure, the likelihood is that a person able to access and read wp-config.php as a pure text file would probably have access to this “place that cannot be accessed by the webserver” as well.
