Securing wp-config leads to sensitive information leak on wp-settings

Hm, core WP files are usually die properly if opened directly. It probably slipped developers to include check in this one or something.

The simple ways to fix this (and not really WP-specific) would be to:

  • configure PHP on server to not display errors by default;
  • restrict access to file with .htaccess or other means.

Related Posts:

  1. Is moving wp-config outside the web root really beneficial?
  2. Prevent access or auto-delete readme.html, license.txt, wp-config-sample.php
  3. From a security standpoint, should bloginfo() or get_bloginfo() be escaped?
  4. Where to securely store API keys and passwords in WordPress?
  5. Generate WordPress salt
  6. Garbage in beginning of wp-config.php – was this WP installation compromised?
  7. No option “I would like my site to be private, visible only to users I choose” in Privacy Settings
  8. How does the “authentication unique keys and salts” feature work?
  9. Is there any point setting the keys and salts in wp-config.php?
  10. What’s the point of forbidding access to wp-config.php?
  11. Where to store OAuth 2.0 client id and secret?
  12. Would it be dangerous to send all the wp_options to javascript file?
  13. Config file with no Keys..?
  14. White screen of death on admin pages after moving wp-config up two levels for security
  15. Storing FTP details in wp-config.php
  16. My Site keeps crashing due to the wp-confg file being deleted
  17. Moving wp-config.php outside root folder where we have multiple wordpress websites for enhanced security [duplicate]
  18. How to change location of wp-config.php to folder or 2 folders up?
  19. Adding Security Keys?
  20. Remove hacked code – out of ideas! [closed]
  21. Secret keys in SCM
  22. wp-config.php moved above root results in no plugin updates
  23. wp-config.php file and code injection
  24. Malware/Permission bug removal?
  25. Default installation permissions for wp-config.php
  26. Move data from wp-config to another file
  27. what is a auth_user_file.txt?
  28. How to view PHP on live site
  29. Hide the fact a site is using WordPress?
  30. Verifying that I have fully removed a WordPress hack?
  31. Can I Prevent Enumeration of Usernames?
  32. Best way to eliminate xmlrpc.php?
  33. If a hacker changed the blog_charset to UTF-7 does that make WordPress vulnerable to further attacks?
  34. What is the difference between esc_html filter vs attribute_escape filter?
  35. Which KSES should be used and when?
  36. Is it safe to store a user setting you don’t want the user to ever modify as a user option?
  37. How can I easily verify a core or plugin update has not broken anything?
  38. Disable comment windows for all existing posts (pages/blogposts)
  39. Stop wordpress automatically escaping $_POST data
  40. how can i embed wordpress backend in iframe
  41. Handling nonces for actions from guests to logged-in users
  42. Can I force a password change?
  43. What is pclzip.lib.php file that wordfence think it’s a malicious code
  44. How to disable XML-RPC from Linux command-line in a total way?
  45. How to remove javascript malware in wordpress site [closed]
  46. Securing my WordPress Files and Directories
  47. Single sign-on: wp_authenticate_user vs wp_authenticate
  48. How to allow internal links using wp_kses filtration
  49. How does Cross Site Scripting (XSS) work exactly? [closed]
  50. vs WordPress Security
  51. esc_html__ security : what for in this example?
  52. How can I safely use $_SERVER[‘REQUEST_URI’] to avoid XSS?
  53. Using HTACCESS for Secret Access
  54. Definitive wordpress directory ownership and permissions on linux
  55. wp-config dynamic hostname in WP_HOME and WP_SITEURL
  56. Dangers to allowing Access-Control-Allow-Origin: * for Feeds only?
  57. wordpress website host price and security [closed]
  58. Are there security risks in working directly in the themes folder that builds into a theme folder?
  59. Redirect to another page using contact form 7? [closed]
  60. how much information can we hide when using wordpress cms?
  61. Basic password protection without using users and roles
  62. System setting changed by system user
  63. Does meta-data need to be sanitized?
  64. Will there be security updates for WordPress 4.9.9
  65. WordPress custom admin functions security
  66. Any known bugs that could cause disappearance of the wp_users table?
  67. How to prevent plugins from sniffing/stealing other plugins’ options?
  68. On new server, site got hacked, permissions a bit strange? Please help
  69. Are SVG image files safe to upload? Why WP defines them as a security risk? [duplicate]
  70. Restrict Access without Creating Users
  71. How to obfuscate wp-config.php or code
  72. Security issue with ‘paged’ and ‘posts_per_page’ parameters taken directly from a POST request?
  73. How to prevent to direct access of my custom plugin folder/files
  74. Checking for origin of a xmlrpc request
  75. RESTRICT EDIT of PHP files?
  76. wp-content – permissions for files/folders created by apache
  77. How can I restrict access to specific parts of a page, not just the page itself?
  78. User generated content and security
  79. Are major WordPress updates mandatory for security?
  80. i moved wp-config.php outside of public html and this broke my website
  81. Monitor wordpress all external calls
  82. Securing WordPress running on Azure platform
  83. Verifying that I have fully removed a WordPress hack?
  84. Spam Registrations
  85. WP_SITEURL vs WP_HOME link output
  86. How can I have more confidence that WP plugins aren’t getting and storing user data?
  87. Standard Method for Securing a WordPress Site
  88. Avoid ‘uploads’ 777 permissions: Potential threat or clean solution?
  89. Any way to disable /wp-login.php redirecting to the site folder?
  90. Step by Step Instructions for Making Media/Uploads Private to Only Logged-In Users
  91. Secure a WordPress website in 2019: one plugin or a combinations of them?
  92. What are the different types of firewall protections available for a WordPress website?
  93. Is this a WordPress security bug?
  94. Competitor is somehow accessing MetaData on a hidden WordPress site
  95. WordPress Hacks/Defacing [closed]
  96. Our security auditor is an idiot. How do I give him the information he wants?
  97. I am under DDoS. What can I do?
  98. SSH keypair generation: RSA or DSA?
  99. How do I protect my company from my IT guy? [closed]
  100. Does changing default port number actually increase security? [closed]