By A Web Design
One challenge in WordPress is ensuring that certain PHP files which are normally found in public_html and contain executable code or confidential data are protected from direct Internet access.
The WordPress configuration file contains the MySQL database name, username, database password, your WordPress website authentication keys and other sensitive information.
With this information, a hacker gets access to every piece of content on your WordPress blog, giving them free access to delete your posts, insert malicious code, back link to illegal porn sites, or do whatever else they want to do to desecrate your website.
By default, wp-config.php sits in the same folder as your WordPress blog. So, if the homepage of your blog is at http://www.mysite.com, your WordPress configuration file will be placed in the root directory, i.e. http://www.mysite.com/wp-config.php.
If your WordPress blog is in a folder on your website, i.e. http://www.mysite.com/blog, then your WordPress configuration file path will be http://www.mysite.com/blog/wp-config.php.
The following method seems to be the simplest and most elegant way to protect read-only files that, for whatever reason, must be stored in public_html.
In this example, the file configuration.php, perhaps the most confidential file of any WordPress site, is being protected.
Using this method, even if the Web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file.
Access your WordPress-driven website via an FTP program and navigate to its root folder.
Download wp-config.php to your hard drive.
Rename it to whatever you want. The name dsscon.php is used in this example.
Make it something nonsensical, so someone who stumbles upon it might not recognize it for what it is. So, instead of calling it “off-site-wp-config.php” call it “dsscon.php.”
Now access your website via an FTP program and create a folder named “dsscon12” outside the public_html folder. After that, upload your WordPress configuration file, i.e. dsscon.php, into the folder named “dsscon12”.
At this point, if you try to access your WordPress blog, WordPress thinks that you have not yet created your configuration file, so it will ask you to create one, as shown in Diagram 1.

Diagram 1
Don’t worry; you just need to tell WordPress the path of the configuration file.
To do that, open wp-load.php and search for the Codespec below:

Diagram 2
Replace the above Codespec with the one below:

Diagram 3
In the above Codespec we are just replacing the reference to wp-config.php with the path where the configuration file is placed, i.e. outside the root directory.
Now you can open a Browser and type your website name and your website will be running as before with its configuration file hidden away from all prying eyes.
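As an added example (not the code shown in Diagram 3, and not WordPress's own code), the PHP helper below resolves the relocated file and rejects it if it still resolves to a location under the web root. The function name locate_offsite_config and the temporary directory layout are assumptions; dsscon12 and dsscon.php are the names used above.

```php
<?php
// Added example, not the code from Diagram 3. All paths are assumptions.

/**
 * Return the real path of the relocated configuration file, or null when
 * it is missing, unreadable, or still resolves to a location under the
 * web root (for example through a symlink).
 */
function locate_offsite_config(string $web_root, string $dir_name, string $file_name): ?string
{
    $root = realpath($web_root);
    if ($root === false) {
        return null;
    }

    // The folder sits beside public_html, one level above the web root.
    $path = realpath(dirname($root) . '/' . $dir_name . '/' . $file_name);
    if ($path === false || !is_file($path) || !is_readable($path)) {
        return null;
    }

    // A file under the web root is still reachable by URL, so reject it.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) === 0) {
        return null;
    }

    return $path;
}

// Constructed sample layout in a temporary directory.
$base = sys_get_temp_dir() . '/wpdemo_' . bin2hex(random_bytes(4));
mkdir($base . '/public_html', 0700, true);
mkdir($base . '/dsscon12', 0700);
file_put_contents($base . '/dsscon12/dsscon.php', "<?php // constructed sample\n");

$config = locate_offsite_config($base . '/public_html', 'dsscon12', 'dsscon.php');
echo $config !== null ? "would load: $config\n" : "no config outside web root\n";

// Inside wp-load.php the web root would be ABSPATH and a non-null result
// would be handed to require_once.
```

Because wp-load.php is a WordPress core file, an update that replaces it also replaces this edit, so the path needs to be checked again after each upgrade.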