Security Hack WordPress – wp-config.php Protection
September 5, 2009 | Posted by Wolf |
You can exclude external access to your WordPress wp-config.php file by moving it outside your WordPress root directory. This tip works with WordPress from release 2.6 onwards, as reported by the WordPress Codex.
What do you have to do if your ISP does not allow you to store files at a level above your WordPress root directory? Read .htaccess WordPress – wp-config.php Protection to get the solution!
What do you have to do if your ISP does allow you to store files above your WordPress root directory, but you have more than one blog at that same level? Well, you have reached the right place!
The security hack described below works with WordPress from release 2.6 onwards, as reported by the WordPress Codex.
The idea started while I was reading this article, so I decided to improve it.
You have to copy and duplicate one file:
/wp-config.php
and you have to modify one other file:
/wp-load.php
1. Backup
So, first of all, back them up, and don't forget to check what you did!
2. Copy, Duplicate & Rename
Copy your WordPress wp-config.php outside your WordPress root directory, then duplicate and rename it. Now, outside your WordPress directory, you should have:
…
wp-config.php
blogname-config.php
….
3. Modify wp-load.php
You have to modify two lines in your WordPress wp-load.php file. Below is how it looks now, before you apply the security patch:
…
if ( file_exists( ABSPATH . 'wp-config.php' ) ) {
    /** The config file resides in ABSPATH */
    require_once( ABSPATH . 'wp-config.php' );
} elseif ( file_exists( dirname(ABSPATH) . '/wp-config.php' ) && ! file_exists( dirname(ABSPATH) . '/wp-settings.php' ) ) {
    /** The config file resides one level above ABSPATH but is not part of another install */
    require_once( dirname(ABSPATH) . '/wp-config.php' );
} else {
….
Below is how it looks after you have applied the security patch (the modified lines are the two that now reference blogname-config.php):
…
if ( file_exists( ABSPATH . 'wp-config.php' ) ) {
    /** The config file resides in ABSPATH */
    require_once( ABSPATH . 'wp-config.php' );
} elseif ( file_exists( dirname(ABSPATH) . '/blogname-config.php' ) && ! file_exists( dirname(ABSPATH) . '/wp-settings.php' ) ) {
    /** The config file resides one level above ABSPATH but is not part of another install */
    require_once( dirname(ABSPATH) . '/blogname-config.php' );
} else {
….
4. Delete wp-config.php files
Now you can delete your WordPress wp-config.php files: one of them is inside your WordPress root directory, the other is outside it. Don't delete your brand new blogname-config.php file!
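A quick check of the finished layout from steps 1 to 4, as an added example that is not part of the original post: the function names, the sample layout built by make_fixture and the "site" directory name are assumptions; blogname-config.php is the name used above.

```shell
# Checks the relocated-config layout described in steps 1-4 above. Added example,
# not from the original post; function names and the sample layout are assumed.
check_wp_config_layout() {
    wp_root=$1 config_name=$2
    parent=$(dirname "$wp_root")
    status=0
    # 1. No wp-config.php may remain inside the web root (step 4).
    if [ -e "$wp_root/wp-config.php" ]; then
        echo "FAIL: wp-config.php still present in $wp_root"; status=1
    fi
    # 2. The renamed config must exist one level above ABSPATH (step 2).
    if [ ! -f "$parent/$config_name" ]; then
        echo "FAIL: $parent/$config_name is missing"; status=1
    fi
    # 3. wp-load.php must still load the renamed file (step 3); a WordPress core
    #    update replaces wp-load.php with the stock copy, which drops this line.
    if ! grep -qF "dirname(ABSPATH) . '/$config_name'" "$wp_root/wp-load.php" 2>/dev/null; then
        echo "FAIL: $wp_root/wp-load.php does not reference $config_name"; status=1
    fi
    # 4. The config holds database credentials: it must not be world-readable.
    if [ -n "$(find "$parent" -maxdepth 1 -name "$config_name" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $parent/$config_name is world-readable"; status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: $config_name layout looks correct"
    return "$status"
}

# Builds a constructed sample layout in a temp dir and prints its path. "good"
# follows the steps above; "bad" leaves wp-config.php in the web root and makes
# the relocated config world-readable.
make_fixture() {
    kind=$1; base=$(mktemp -d)
    mkdir "$base/site"
    cat > "$base/site/wp-load.php" <<'EOF'
<?php
if ( file_exists( dirname(ABSPATH) . '/blogname-config.php' ) && ! file_exists( dirname(ABSPATH) . '/wp-settings.php' ) ) {
    require_once( dirname(ABSPATH) . '/blogname-config.php' );
}
EOF
    echo "<?php define('DB_PASSWORD', 'constructed-sample');" > "$base/blogname-config.php"
    chmod 640 "$base/blogname-config.php"
    if [ "$kind" = bad ]; then
        cp "$base/blogname-config.php" "$base/site/wp-config.php"
        chmod 644 "$base/blogname-config.php"
    fi
    echo "$base"
}
```

Run check_wp_config_layout against your real WordPress directory (for example `check_wp_config_layout /var/www/blog blogname-config.php`) and repeat it after every WordPress core update, since the update restores the stock wp-load.php.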
That’s all!