a_bertrand, Posted January 22, 2013: Then in the previous version (before the ajax update of the table editor) all files were open for that module. So now it's more restrictive, even if honestly it doesn't change much.
Someone, Posted January 22, 2013: Glad you stopped the madness. I checked into it; the only file I will make sure is out of public reach is the file with the db settings and license, should something ever fail and Apache (or a hacker who manages to crash it, be it through my site or another site on the server) show PHP files as plain text. It should be trivial for anyone to do that if they want to. I do not mean to change the subject of the thread.
a_bertrand (author), Posted January 22, 2013: In the config dir there is a .htaccess which denies all, so what would you need more than that? We could add one in the install directory as well if you think it's useful (as this one gives access to the .sql files and shows the table structure, even if it's not really sensitive info, as any owner would receive the same info and the free engine would have some of them already).
Someone, Posted January 22, 2013: I was being a joker about stopping the madness. .htaccess can fail, and PHP files can be shown in some cases as plain text. It has actually happened to me: not .htaccess failing, but PHP being shown as text. It usually happens only for a split second, but that is all it takes when it comes to things such as database details. As you have pointed out, and I 100% agree, even if files are shown there is no risk in that itself, except for the files containing database details. I would never leave the install folder on a live site; there is no reason to have it there. I am not requesting anything be done, just saying that I will keep my database file out of public access.
a_bertrand (author), Posted January 22, 2013: I NEVER had .htaccess fail; either you do something wrong with it, or Apache works. I really never saw any issue, nor am I aware of any security issue about it. For PHP showing the files, again I never had it. It may depend on how you configure your webserver, for example CGI or mod.
Someone, Posted January 22, 2013: There are clearly two sides on that. Some say it may even be less secure to move configuration files out of root if not done correctly, and perhaps even then. I am with Aaron Adams @ http://wordpress.stackexchange.com/questions/58391/is-moving-wp-config-outside-the-web-root-really-beneficial/74972#74972 and read some other stuff as well. Seen many "fire the sys admin if he doesn't know what he is doing". To that I say: sys admin, *** is that? I rent a server at 4$ a month (not true).
a_bertrand (author), Posted January 22, 2013: Well, bad configuration will remain bad configuration. You could as well have a second domain which points to a directory above and doesn't set up PHP, and here you are, your config is again visible. BTW for me db access should be made only from the same host or from trusted hosts, and phpMyAdmin should not be installed on the server ;) Anyhow security will never be 100%, as the only secure way is to disconnect your server from the internet => then you don't have hacker troubles unless you let somebody touch your server physically ;)
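As an added example (not code from the thread or from the project being discussed), a small POSIX shell audit that checks a deployed document root offline for the two exposures debated above: a DB settings file reachable under the docroot without a deny-all .htaccess in front of it, and an install directory left on a live site. The config/config.php and install/ paths are assumptions about the layout.

```shell
#!/bin/sh
# audit_docroot.sh: offline check of a deployed document root for the points
# raised in the thread: is the DB settings file out of public reach (or at
# least behind a deny-all .htaccess), and has the install directory been
# removed? Layout assumptions, not taken from the thread: DB settings live in
# config/config.php and the installer in install/.

# 0 when DIR/.htaccess blocks every request under Apache 2.2 ("Deny from all")
# or 2.4 ("Require all denied"); 1 when the file is missing or has neither.
# Apache 2.4 only understands the old syntax with mod_access_compat loaded,
# so both spellings are accepted here.
htaccess_denies_all() {
  f="$1/.htaccess"
  [ -f "$f" ] || return 1
  grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)([[:space:]]|$)' "$f"
}

# 0 when the DB settings file is absent from the docroot (moved outside it,
# as Someone proposes) or sits in a directory that denies direct requests
# (a_bertrand's setup). A file under the docroot with neither leaks its
# contents the moment the PHP handler stops running.
db_settings_protected() {
  [ ! -e "$1/config/config.php" ] && return 0
  htaccess_denies_all "$1/config"
}

# 0 when the installer directory is gone from the live site.
installer_removed() {
  [ ! -d "$1/install" ]
}

# Runs every check on ROOT, prints one line per finding and returns the
# number of failed checks (0 means clean).
audit_docroot() {
  root="$1"; fails=0
  db_settings_protected "$root" ||
    { echo "FAIL: DB settings reachable under $root/config"; fails=$((fails+1)); }
  installer_removed "$root" ||
    { echo "FAIL: $root/install still present on a live site"; fails=$((fails+1)); }
  [ "$fails" -eq 0 ] && echo "OK: $root passes all checks"
  return "$fails"
}

# Usage: sh audit_docroot.sh /var/www/html
if [ $# -gt 0 ]; then audit_docroot "$1"; fi
```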