I'd like to hear about the security concerns for storing FTP details in wp-config.php on a shared server.
It doesn't 'feel' safe to me. I'm using ManageWP to control sites on a shared server and have to input the FTP details manually for each update.
Asked Mar 7, 2014 at 11:15 by Dave McCourt
2 Answers
I would consider it somewhat safe since that's where your database connection information is also stored. One could easily ruin your website by deleting your whole database if they had access to that file.
There are a couple of things you can do to increase security:
- Move the wp-config file one level outside the root. WordPress knows to look for the file there.
- Make sure your server is hiding your root/parent index. That's an option you can usually change yourself in cPanel.
It's as safe as other credentials stored in wp-config.php. As long as the WordPress hardening guide is followed, as well as general security best practices, you should be fine.
Issues that could affect security:
- Since it's a shared server, if users are not chrooted, they can read any files that have global read ownership on the server, including wp-config.php if incorrectly set.
  - You can mitigate this by removing global read from wp-config.php, which is best practice anyways.
- File disclosure vulnerabilities could allow someone to read the configuration file through a vulnerability in the website.
  - Depending on how your web server and/or .htaccess is configured, creating backups like wp-config.bak or wp-config.php.bak could expose that config file as it may not be protected like wp-config.php would be. Be careful where you put those. Definitely don't put them in the webroot.
  - Only use plugins you need. Uninstall ones you don't. Follow security best practices, like the hardening guide.
- Path traversal vulnerabilities could allow the config file to be exposed and read through a vulnerability in the website, even if it's a directory up.
  - Follow the same guidelines as above.
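
As an added example (not part of either answer), a shell check for two of the exposures listed in the second answer: a wp-config.php with the global read bit set, and backup copies of it left in the webroot. The function name and output labels are made up for this example, and the path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: audit one WordPress install for readable or copied configs.
# Prints one finding per line:
#   WORLD_READABLE <path>     "other" users on the shared host can read it
#   BACKUP_IN_WEBROOT <path>  copy of the config under the document root
audit_wp_config() {
    webroot=$1

    # WordPress also loads wp-config.php from one level above the webroot,
    # so check both locations.
    for cfg in "$webroot/wp-config.php" "$webroot/../wp-config.php"; do
        [ -f "$cfg" ] || continue
        # -perm -004 matches when the global ("other") read bit is set.
        if [ -n "$(find "$cfg" -perm -004)" ]; then
            echo "WORLD_READABLE $cfg"
        fi
    done

    # Any other file named like the config (wp-config.bak, wp-config.php.bak,
    # editor swap files, ...) may not be protected the way wp-config.php is.
    # wp-config-sample.php ships with WordPress and holds no credentials,
    # so it is skipped.
    find "$webroot" -type f -name '*wp-config*' \
        ! -name 'wp-config.php' ! -name 'wp-config-sample.php' |
    while IFS= read -r f; do
        echo "BACKUP_IN_WEBROOT $f"
    done
}

# Usage (path is an assumption): sh audit.sh /home/example/public_html
# Clear a WORLD_READABLE finding with: chmod o-r <path>
if [ "$#" -gt 0 ]; then
    audit_wp_config "$1"
fi
```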