Password in wp-config. Dangerous?

The “Hardening WordPress” page of the Codex contains a section on “Securing wp-config.php”. It includes changing the permissions to 440 or 400. You can also move the wp-config file one directory up from the root if your server configuration allows for that.

Of course there is some danger to having a file with the password like this if someone gets access to your server, but, honestly, at that point they already are in your server.

Finally, you don’t have much of a choice. I’ve never seen an alternate means of configuring WordPress. You can lock it down as much as you can, but this is how WordPress is built, and if it were a serious security threat, they wouldn’t do it that way.

Related Posts:

  1. Best practice for versioning wp-config.php?
  2. What’s the difference between WP_MEMORY_LIMIT and WP_MAX_MEMORY_LIMIT?
  3. Turn Off Automatic Trash Deletion?
  4. How can I change preview URL?
  5. Override the wp_siteurl and wp_home not work
  6. Changing WP_CONTENT_DIR and WP_CONTENT_URL in wp-config.php does not register?
  7. Missing a temporary folder despite settings in wp-config.php
  8. How to use live images on local install?
  9. Syntax of FS_CHMOD_DIR and FS_CHMOD_FILE
  10. WordPress PHP error handling and reporting in production environment
  11. WP_MEMORY_LIMIT didn’t work in wp-config
  12. Fatal error: Allowed memory size of 41943040 bytes exhausted (tried to allocate 20480 bytes)
  13. How to set up gmail SMTP in WordPress
  14. error:-Cannot modify header information – headers already sent by
  15. wp-config.php file permissions
  16. How to update WordPress from the latest trunk
  17. how to use is_admin in wp-config.php
  18. Locked out of WordPress Site Admin after enabling Force SSL on WordPress Https (SSL)
  19. Set wp-content folder to Dropbox folder
  20. Including a 3rd party library in WordPress which needs to be accessible by wp-config
  21. wp-config.php being deleted
  22. Get WP CLI to hide debug warnings and notices in JSON output, same setting as website
  23. Installation Issue WordPress locally – The file ‘wp-config.php’ already exists
  24. What is this file: wp-config-wpe.php?
  25. enable SFTP via SSH keys in wordpress
  26. html lang=”” instead of lang=”en-us” – why?
  27. Why do I get a WAMP homepage when clicking on specific website’s URL on LocalHost?
  28. Creating the wp-config.php file manually
  29. What Does this Code Snippet Do?
  30. WP_Debug not displaying anything
  31. Can I delete `wp-config-sample.php` after installing and configuring WordPress?
  32. How to reliably set file/folder permissions?
  33. Multiple wp-config.php files in one home directory
  34. Why edits to wp-config.php must come before “That’s all” comment
  35. error log cluttered with undefined DB_USER wp-admin/setup-config.php
  36. Is it possible to override the ABSPATH constant
  37. How to stop fatal error when loading theme template file directly
  38. Should I change wp-config for SSL?
  39. Out of memory errors : how best to track them down
  40. Redefine cookie domain for subdomains
  41. multiple language directories
  42. Error in database connection [closed]
  43. Update wp-config.php and lost pages
  44. Conflict with wp_homeurl, wp_siteurl and admin interface settings
  45. error messages in dashboard login
  46. where should I write constants in wordpress?
  47. Issues copying site into local machine
  48. Autosave interval remains default despite wp-config.php defines
  49. Carriage Return control character (^M) found in wp-config-sample.php
  50. Need help fixing my wp-config file [closed]
  51. Why was my new WordPress installation’s config page publicly viewable when first installed?
  52. WP_MEMORY_LIMIT didn’t work in wp-config, only within default-constants.php
  53. Cookie set without HttpOnly flag
  54. Changing the wp-config.php broke the site
  55. Publishing WordPress from stage to production server
  56. Define option outside wp-config.php (on WordPress.com)
  57. Site lost all formatting when I attempted to migrate to Bluehost [closed]
  58. Moving wp-config.php one level up – 500 error – Nginx [closed]
  59. How can I configure an SMTP Server?
  60. What should index.php contain on Synology NAS to get external access to WordPress to work?
  61. Remote server does not read `WP_HOME` from wp-config.php when local server does
  62. IP addresses to block to stop WP auto-update?
  63. Concerns over wp-config file [closed]
  64. Not showing old migrated content in website
  65. How to rename the wp-config.php file once under version control?
  66. Read wp-config without loading the rest of WordPress – i.e. wp-settings, etc
  67. Proper way to have multiple installs with a single database
  68. How turn on error reporting without reset?
  69. WordPress installed on a Sub-directory
  70. Editing wp-config.php file asks for another installation
  71. $post->id vs $post->ID problem after using WordPress config bootstrap
  72. How to stage a redesigned site on a new webhost while the original site is still live? [closed]
  73. WordPress login redirection not working on Nginx root directory
  74. Plesk login inaccessible after changing site URL
  75. Need help re-connecting local WP-config file to local database
  76. Change of “home” results in timeouts (only on index.php)
  77. wp-config.php randomly will reset to wp-config-sample.php
  78. WP_SITEURL vs WP_HOME link output
  79. What can an attacker do if he has access to my wp-config file?
  80. How to fix wp-login.php gives error 500 after migration?
  81. Change default wordpress FS owner
  82. Define new constants in wp-config
  83. sudden changing of host IP result in crash of the site
  84. Move wp-content outside root
  85. Can you define readability settings in wp-config.php?
  86. Can wp-config move cause dashboard not to load?
  87. Unable to change WordPress language (WordPress 4.2.2)
  88. How to change WordPress theme file path to a remote server?
  89. Why is WordPress not using $_SERVER[‘SERVER_NAME’] for ‘WP_SITEURL’ and ‘WP_HOME’ as default?
  90. WordPress Redirect on Name Change
  91. Is there any reason why using the same wp-config file might not work in MAMP?
  92. Best function/method to access wp-config?
  93. WordPress still requires FTP information
  94. “Cannot modify header information” warning?
  95. Why would changing ports from 80 to 8080 cause wordpress to act unexpectedly?
  96. Change URL when visiting wordpress site
  97. max_input_vars not updating through wp-config
  98. Disabling zlib compression and enforcing gzip
  99. Can WP-CLI modify database connection details in existing wp-config file?
  100. How to specify server path in code?

Leave a Comment