WordPress showing sensitive information on error page

  • Hi,
    When there is a database error, WordPress is showing this error message to all users:

    Error establishing a database connection
    This either means that the username and password information in your wp-config.php file is incorrect or we can’t contact the database server at <server name>. This could mean your host’s database server is down.

    Are you sure you have the correct username and password?
    Are you sure you have typed the correct hostname?
    Are you sure the database server is running?
    If you’re unsure what these terms mean you should probably contact your host. If you still need help you can always visit the WordPress Support Forums.

    I can see the server’s domain name in the error and it is extremely insecure. How can I change this message?

    Please note that WP_DEBUG and error display is disabled in wp-config.php

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    The server’s domain name is not sensitive information. Your database is protected, at the very least, by a userID and password, and may be subject to firewall rules, depending on your hosting situation.

    Thread Starter userpqr

    (@userpqr)

    Hi Steven,

    Thanks for the reply. One can derive the server’s actual IP from the shown information and that’s why I am worried. Please note that I use a proxy server and the server’s IP is protected. But, this error message is showing that information. Is there any way I can change the error message?

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    Not as far as I know. If you’re that concerned, set a firewwall rule on your your DB server to allow connections only from the IP address of your (hidden) server.

    Thread Starter userpqr

    (@userpqr)

    Revealing server’s IP address is a major security concern. For example, an attacker can spoof the IP address and launch a cyber attack. How can I request to change this message?

    Moderator Steven Stern (sterndata)

    (@sterndata)

    Volunteer Forum Moderator

    I’ve looked at the code in wp-includes/wp-db.php and this does not seem to be modifiable. Again, if you are that concerned, put a firewall up on your DB server.

Viewing 5 replies - 1 through 5 (of 5 total)
  • The topic ‘WordPress showing sensitive information on error page’ is closed to new replies.