
htaccess - How do I test to ensure that my wp-config file is protected?


Since order allow,deny is deprecated in 2.4 I wanted to rewrite the rules in my .htaccess file to use the new rules. Previously I was using:

<files wp-config.php>
    order allow,deny
    deny from all
</files>

Which I've rewritten to:

<FilesMatch "wp-config.php">
    Require all denied
</FilesMatch>

How do I confirm that my method is actually working? I'm not certain how hackers might gain access to this file so I don't know how to test it.

asked Nov 2, 2018 at 14:43 by jarrodwhitley; edited Nov 4, 2018 at 12:56 by Krzysiek Dróżdż
  • What is this supposed to help against? If you can answer that, you can test it – kero, Nov 2, 2018 at 14:54
  • To be honest, I'm not certain. My boss told me that it needed to be protected. The method using Allow and Order was written by someone else before I started working here. All I know is that hackers are able to (somehow) gain access to an unprotected file. I've tried researching how they do it, but I'm coming up with nothing. – jarrodwhitley, Nov 2, 2018 at 14:59
  • This is not really WordPress specific, you might have better luck at ServerFault or Security. As far as I understand this is done to, in case of misconfiguration of the server, keep the wp-config.php private. My personal opinion: if the server is misconfigured, why should .htaccess still work. So we don't do this, but have the file have CHMOD 0600 (-rw-------). – kero, Nov 2, 2018 at 15:06

2 Answers


The old method works for me, and any requests result in a 403 status response instead of execution of the PHP script. I've not checked your 2nd method, but if it works it will similarly respond with 403 denied/forbidden.

To test you simply have to insert the URL of your "wp-config.php" in the address bar of your browser, e.g. http://example/wp-config.php . Depending on the browser and/or the site's custom 403 settings your browser will display "forbidden", "access denied" etc.

Note you can also move wp-config.php one directory up from where WordPress installed it - and if this is then above the web root/public_html it will no longer be "directly" accessible by hackers. More on this here: Is moving wp-config outside the web root really beneficial?

I discovered that by looking at my server's error logs I could see where the server denied permission to me when I attempted to visit http://example/wp-config.php

It looked like this:

[Fri Nov 02 17:52:22.222222 2018] [authz_core:error] [pid 222] [client 22.222.222.222:22222] AH01630: client denied by server configuration: /nas/wp/www/sites/example/wp-config.php
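The two answers combined into one check, as an added example that is not from either answer: it requests wp-config.php and classifies the response (403 is the expected result; a body containing the PHP source would mean the file is served as text), then parses the AH01630 denial line from the Apache error log shown above. The URL, the error-log path and the DB_* marker strings are assumptions.

```python
import re
import sys
import urllib.error
import urllib.request

# Apache 2.4 authz_core denial: the AH01630 line shown in the answer above.
DENIED_RE = re.compile(
    r"\[authz_core:error\] \[pid \d+\] \[client (?P<client>[^\]]+)\] "
    r"AH01630: client denied by server configuration: (?P<path>\S+)"
)
# Markers that must never appear in a response body: they mean the PHP
# source (with the database credentials) was served as plain text. Assumed
# marker strings, based on the constants a stock wp-config.php defines.
SOURCE_MARKERS = ("<?php", "DB_PASSWORD", "DB_NAME")

def fetch(url, timeout=10):
    """GET url and return (status, body); a 4xx/5xx arrives as HTTPError."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def assess(status, body):
    """Classify the response to GET /wp-config.php."""
    if any(marker in body for marker in SOURCE_MARKERS):
        return "source_leak"   # secrets in the body: worst case, fix the PHP handler
    if status == 403:
        return "denied"        # the Require all denied / deny from all rule works
    if status == 200:
        return "executed"      # PHP ran the file (or a redirect landed on a 200 page)
    return "other"             # 404, 5xx, etc.: the rule was not exercised

def parse_denial(line):
    """Return {'client': ..., 'path': ...} for an AH01630 log line, else None."""
    match = DENIED_RE.search(line)
    return match.groupdict() if match else None

if __name__ == "__main__":
    # usage: python check_wpconfig.py https://example.com/wp-config.php [error_log]
    status, body = fetch(sys.argv[1])
    print(sys.argv[1], status, assess(status, body))
    if len(sys.argv) > 2:                # confirm the denial also reached the log
        with open(sys.argv[2], errors="replace") as log:
            for hit in filter(None, map(parse_denial, log)):
                if hit["path"].endswith("wp-config.php"):
                    print("denied", hit["client"], "->", hit["path"])
```

Run it once before and once after changing the .htaccess rule; only "denied" confirms the directive is applied, and an unexpected "other" (for example 404) means the request never reached the rule.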
