Jump to content

.htaccess madness


Recommended Posts

Glad you stopped the madness.

Checked into it, the only file I will make sure is out of public, is the file with the db settings and license. Should something ever fail, and apache (or a hacker manages to crash it, be it through my site or another site on the server) shows php files as plain text. Should be trivial for anyone to do that if they want to. Do not mean to change subject of thread.

Link to comment
Share on other sites

In the config dir there is a .htaccess which denies all, so what would you need more than that?

We could add one in the install directory as well if you think it's useful (as this one give access to the .sql files and shows the table structure, even if it's not really a sensitive info as any owner would receive the same info as well as the free engine would have some of them already).

Link to comment
Share on other sites

I was being a joker about stopping the madness.

.htaccess can fail, and php files can be shown in some cases as plain text. It has actually happened to me, not htaccess failing, but php being shown as text. It usually happens only for a split second, but that is all it takes. When it comes to things such as database details.

As you have pointed out, and I 100% agree, that even if files are shown, there is no risk in that itself. Except for the files containing database details.

I would never leave the install folder on a live site, no reason to have it there.

I am not requesting anything being done, just saying that I will keep my database file out of public access.

Link to comment
Share on other sites

There are clearly two sides on that. Some say it may even be less secure to move configurations files out of root if not done correctly, and perhaps even then.

I am with Aaron Adams @ http://wordpress.stackexchange.com/questions/58391/is-moving-wp-config-outside-the-web-root-really-beneficial/74972#74972

read some other stuff as well. Seen many "fire the sys admin if he dont know what he is doing". To that I say sys admin *** is that? I rent a server at 4$ a month (not true)

Link to comment
Share on other sites

Well bad configuration will remains bad configuration. As you could as well have a second domain which points to a directory above and doesn't setup PHP and here you are, your config are again visible. BTW for me db access should be made only from the same host or from trusted hosts, and PhpMyAdmin should not be installed on the server ;)

Anyhow security will never be 100%, as the only secure way is to disconnect your server from internet => then you don't have hackers troubles unless you let somebody touch your server physically ;)

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...