What's the point of forbidding access to wp-config.php?

Probably a dumb question...

the hardening doc suggests setting up your web server so that it prevents access to wp-config.php. If you do this, and a client tries to access the file, Apache returns 403 Forbidden, as expected.

If you don't do this, Apache returns 200 Ok with an empty file. This is also as expected, because none of the php code in this file produces any output.

So what's the point? Surely this would only be an issue if the attacker had already broken in, and turned off php support?

Topic wp-config security Wordpress

Category Web

1
answered at

So what's the point? Surely this would only be an issue if the attacker had already broken in, and turned off php support?

If an attacker has already done this then this particular hardening is pointless. An attacker is unlikely to turn off PHP execution though as that would require more effort and would actually be harder for no gain. It would also make it very obvious you'd been hacked.

Generally, wp-config.php contains secrets so this adds an additional layer of security. There is no specific thing it prevents, much like how adding an third wall around a castle doesn't convey any protection the second wall doesn't, it just adds extra obstacles.

Try not to think of things as "secure" or "not secure", that's not how website security works. In the same way that your site is neither "hard" or "soft", you can make it harder, or more secure though.

What's more likely is that while poking around in the server, you make a silly typo or mistake that lists all PHP files as plaintext, so an attack goes to wp-config.php to read your database details but gets a forbidden HTTP code back instead. But the chances of this are incredibly slim.

About

Geeks Mental is a community that publishes articles and tutorials about Web, Android, Data Science, new techniques and Linux security.