We will explain the contents of wp-config.php, the danger of this file being leaked, and how to protect it.


What is wp-config.php and what happens if wp-config.php is viewed by outside hackers?

wp-config.php is a file that contains settings related to WordPress.
The most important information contained in this file is the database connection settings.

Database connection URL
Database user name
Database password

What happens if database connection information is compromised?

If the database connection information is compromised, it is possible to connect to the database used by WordPress.
However, many servers do not allow external connections to the database.
(You can only connect via a program on that server.)

Therefore, even if the database connection information in wp-config.php is compromised, if database connection software such as PHPMYADMIN is not on the server, it is difficult for malicious activity to take place.

However, if in some way the hacker was able to obtain the database data,
IDs and e-mail addresses of users who use WordPress, including the administrator user, would be exposed.
However, the passwords of these users are encrypted, so even if the database information is compromised, they will not be able to log into WordPress.

To hijack WordPress administrator privileges and conduct malicious or hacking activities, it is necessary to further rewrite the database by rewriting user passwords, creating rogue administrator users, etc.

Protecting wp-config.php

A relatively simple and common way to protect wp-config.php is to write a setting to the HTACCES file in the folder where WordPress is installed, where the server configuration information is written, that makes wp-config.php inaccessible from the outside.

<FilesMatch "wp-config\.php">
Require all denied
</FilesMatch">

It is also important to set the write permission of wp-config.php to the appropriate setting.
Connect to the server with FTP software and set the permissions to 600 or 400.

Please note that if you set the permission to 400, you will not be able to write HTACCESS files, which may cause errors in writing plug-ins and server settings.

It is also important for security that the AUTH_KEY, SECURE_AUTH_KEY, and LOGGED_IN_KEY fields in wp-config.php are always set to long random strings.

Reference
What is the unique authentication key in wordpress wp-config.php used for and what is it used for?

You can also protect wp-config.php with easy security settings.

Free] WordPress:Malware Scan & Security Plugin [Malware and Virus Detection and Removal].

Related Posts:

  1. PHP programming to prevent SQL injection in WordPress
    Here is a small PHP programming trick to prevent SQL injection in WordPress....
  2. What is a WordPress injection attack?
    There are various methods by which WordPress can be hacked, the most common of which is called an injection attack. This section describes these injection attacks....
  3. What is the most common vulnerability cross-site scripting in WordPress?
    The most common vulnerability in WordPress is called Cross Site Scripting (XSS). We would like to explain about this vulnerability....
  4. What is a web shell, a type of WordPress malware?
    There have been an increasing number of cases of web shells, a type of WordPress malware, becoming more sophisticated in recent years. We will explain about web shells....
  5. Change WordPress database prefix to prevent SQL injection
    You can reduce the chances of a successful SQL injection by changing the prefix of your WordPress database. We will explain how to do this....
  6. IDs, email addresses of unauthorized users of WordPress
    One of the methods of WordPress hacking is for hackers to manipulate the database and add unauthorized users without permission. We recommend that you regularly check your WordPress account to ensure that no unauthorized users have been added to your account....