WordPress database credentials disclosure
Description
WordPress configuration files containing database credentials (typically wp-config.php) are accessible via web requests. These files contain sensitive information including database hostnames, usernames, passwords, and table prefixes that should never be publicly accessible. Exposure of these credentials can occur due to misconfigured web servers, incorrect file permissions, or backup files left in web-accessible directories.
Remediation
Take immediate action to secure WordPress configuration files:
1. Remove exposed files: Delete any backup copies, temporary files, or improperly placed wp-config.php files from web-accessible directories (e.g., wp-config.php.bak, wp-config.php~, wp-config.txt).
2. Verify file permissions: Ensure wp-config.php has restrictive permissions (440 or 400) and is owned by the web server user:
chmod 440 wp-config.php
chown www-data:www-data wp-config.php
3. Configure web server protection: Add rules to prevent direct access to configuration files. For Apache, ensure your .htaccess includes:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
For Nginx, add to your server block:
location ~* wp-config.php {
deny all;
}
4. Rotate credentials: If the credentials were exposed, immediately change the database password and update wp-config.php with the new credentials.
5. Move wp-config.php: Consider moving wp-config.php one directory above the WordPress root directory. WordPress looks for it there by default, and the file is then outside the web-accessible tree, which gives additional protection.
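The following shell script is an added example, not part of the original advisory or of WordPress itself. It audits a document root for the file-level problems the steps above address: stray copies of wp-config.php (step 1), an over-permissive mode on the live file (step 2), the presence of an Apache <Files> rule (step 3), and whether the file has already been moved above the document root (step 5). The function names, the exclusion of wp-config-sample.php (which ships with WordPress and holds no credentials), and the accepted modes 400 and 440 are this example's own choices.

```shell
#!/bin/bash
# Added example (not from the original advisory): audit a WordPress
# document root for exposed or badly protected wp-config.php files.
# Usage: source this file, then run  audit_wp_config /var/www/html

# Print every file under DOCROOT whose name contains "wp-config", except the
# live DOCROOT/wp-config.php and the credential-free wp-config-sample.php.
# Catches wp-config.php.bak, wp-config.php~, wp-config.txt, .wp-config.php.swp
# and copies of wp-config.php left in subdirectories such as backup folders.
find_stray_configs() {
    local root=${1%/}
    find "$root" -type f -name '*wp-config*' \
        ! -name 'wp-config-sample.php' \
        ! -path "$root/wp-config.php"
}

# Print FILE's octal mode (GNU stat first, BSD/macOS stat as fallback).
config_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when FILE has one of the restrictive modes the advisory recommends.
check_config_perms() {
    local mode
    mode=$(config_mode "$1") || return 1
    case "$mode" in
        400|440) return 0 ;;
        *)       return 1 ;;
    esac
}

# Return 0 when DOCROOT/.htaccess contains a <Files wp-config.php> stanza.
# This only detects the rule's presence; Nginx sites will not have one.
has_htaccess_rule() {
    grep -qi '<Files[[:space:]]*"\{0,1\}wp-config\.php"\{0,1\}>' "${1%/}/.htaccess" 2>/dev/null
}

# Audit DOCROOT. Prints one line per finding. Returns 0 only when there are
# no stray copies and the live file (in DOCROOT or its parent) is mode 400/440.
audit_wp_config() {
    local root=${1%/} status=0 live="" count
    count=$(find_stray_configs "$root" | wc -l | tr -d ' ')
    if [ "$count" -gt 0 ]; then
        find_stray_configs "$root" | while IFS= read -r f; do
            printf 'STRAY COPY (remove): %s\n' "$f"
        done
        status=1
    fi
    if [ -f "$root/wp-config.php" ]; then
        live="$root/wp-config.php"
    elif [ -f "$root/../wp-config.php" ]; then
        live="$root/../wp-config.php"
        printf 'INFO: wp-config.php lives above the document root: %s\n' "$live"
    else
        printf 'WARN: no wp-config.php found in %s or its parent\n' "$root"
        return 1
    fi
    if ! check_config_perms "$live"; then
        printf 'PERMISSIONS (chmod 440): %s is mode %s\n' "$live" "$(config_mode "$live")"
        status=1
    fi
    if ! has_htaccess_rule "$root"; then
        printf 'INFO: no <Files wp-config.php> rule in %s/.htaccess (expected on Nginx)\n' "$root"
    fi
    return $status
}

# Run directly as  ./audit.sh /var/www/html ; do nothing when sourced without args.
if [ -n "${1-}" ]; then
    audit_wp_config "$1"
fi
```

The audit reports findings; it deliberately does not delete files or change modes, so the operator applies the chmod/chown and rm from the remediation steps after reviewing the list. Note that `order allow,deny` / `deny from all` is Apache 2.2 syntax; on Apache 2.4 the equivalent inside the <Files> block is `Require all denied`, which the grep above also recognises because it only matches the <Files> line.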