Since order allow,deny is deprecated in 2.4 I wanted to rewrite the rules in my .htaccess file to use the new rules. Previously I was using:
<files wp-config.php>
order allow,deny
deny from all
</files>
Which I've rewritten to:
<FilesMatch "wp-config.php">
Require all denied
</FilesMatch>
How do I confirm that my method is actually working? I'm not certain how hackers might gain access to this file so I don't know how to test it.
asked Nov 2, 2018 at 14:43 by jarrodwhitley; edited Nov 4, 2018 at 12:56 by Krzysiek Dróżdż

3 Comments

What is this supposed to help against? If you can answer that, you can test it – kero Commented Nov 2, 2018 at 14:54

To be honest, I'm not certain. My boss told me that it needed to be protected. The method using Allow and Order was written by someone else before I started working here. All I know is that hackers are able to (somehow) gain access to an unprotected file. I've tried researching how they do it, but I'm coming up with nothing. – jarrodwhitley Commented Nov 2, 2018 at 14:59

This is not really WordPress specific, you might have better luck at ServerFault or Security. As far as I understand this is done to, in case of misconfiguration of the server, keep the wp-config.php private. My personal opinion: if the server is misconfigured, why should .htaccess still work. So we don't do this, but have the file have CHMOD 0600 (-rw-------). – kero Commented Nov 2, 2018 at 15:06
2 Answers
The old method works for me, and any requests result in a 403 status response instead of execution of the php script. I've not checked your 2nd method, but if it works it will similarly respond with 403 denied/forbidden.
To test you simply have to insert the URL of your "wp-config.php" in the address bar of your browser, e.g. http://example/wp-config.php. Depending on browser and/or the site's custom 403 settings your browser will display "forbidden", "access denied" etc.
Note you can also move wp-config.php one directory up from where WordPress installed it - and if this is then above Webroot/public_html it will no longer be "directly" accessible by hackers. More on this here: Is moving wp-config outside the web root really beneficial?

I discovered that by looking at my server's error logs I could see where the server denied permission to me when I attempted to visit http://example/wp-config.php.
It looked like this:
[Fri Nov 02 17:52:22.222222 2018] [authz_core:error] [pid 222] [client 22.222.222.222:22222] AH01630: client denied by server configuration: /nas/wp/www/sites/example/wp-config.php
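An added example (not code from the question or from either answer) that automates both checks described above: it requests wp-config.php and reports whether the response is the 403 that `Require all denied` produces, and it parses Apache 2.4 error-log lines for the AH01630 "client denied by server configuration" entries the second answer quotes. The hostname `example` is a placeholder for your own site, and the log lines are constructed samples modelled on the one above.

```python
import re
import urllib.error
import urllib.request

# Constructed sample of an Apache 2.4 error log: one denial of wp-config.php,
# one unrelated notice, and one denial of a different file.
SAMPLE_ERROR_LOG = """\
[Fri Nov 02 17:52:22.222222 2018] [authz_core:error] [pid 222] [client 22.222.222.222:22222] AH01630: client denied by server configuration: /nas/wp/www/sites/example/wp-config.php
[Fri Nov 02 17:53:01.000000 2018] [core:notice] [pid 222] AH00094: Command line: '/usr/sbin/apache2'
[Fri Nov 02 17:54:10.123456 2018] [authz_core:error] [pid 223] [client 10.0.0.5:41000] AH01630: client denied by server configuration: /nas/wp/www/sites/example/.htaccess
"""

# mod_authz_core denial line: [timestamp] [authz_core:error] [pid N] [client IP:port] AH01630: ... : /path
DENIED_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[authz_core:error\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<client>[^\]]+)\] AH01630: client denied by server configuration: (?P<path>\S+)$"
)


def denied_entries(log_text, filename="wp-config.php"):
    """Return (client_ip, path) for every AH01630 denial whose target ends with filename."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if m and m["path"].endswith("/" + filename):
            # rpartition keeps IPv6 addresses intact; only the trailing port is dropped.
            ip = m["client"].rpartition(":")[0]
            hits.append((ip, m["path"]))
    return hits


def probe_status(url, timeout=5):
    """Return the HTTP status for url; urllib raises on 4xx/5xx, so the code is read from the error."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-config-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def verdict(status):
    """403 is what Require all denied produces; 404 means nothing is served at that path.
    Any other status means the deny rule is not being applied to the request."""
    if status == 403:
        return "denied (rule active)"
    if status == 404:
        return "not found (file not exposed at this path)"
    return f"NOT DENIED (status {status}); check the .htaccess location and that AllowOverride permits it"


if __name__ == "__main__":
    print(verdict(probe_status("http://example/wp-config.php")))  # placeholder host
    for ip, path in denied_entries(SAMPLE_ERROR_LOG):
        print(f"denied request from {ip} for {path}")
```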