Exposing your database username and password, or making it easy for someone to get them, could be more than detrimental; it could be tragic!
Not only could your website be completely hijacked, it could also be deleted. All that hard work, gone!
I never thought I could be someone like this. Only n00bs do this–right?
Wait.
What?
How It Happens
Before you think you’re safe, think again.
“Nearly 1% of websites built with a content management system (like WordPress or Joomla) are unknowingly exposing their database password to anyone who knows where to look.”
Yikes!
Don’t be that guy. 🙁
I was that guy!
Here’s how it happens:
When you use a text editor to modify a CMS config file such as wp-config.php directly on the server, the editor writes a copy of the file alongside it. Emacs names its backup “wp-config.php~” and keeps an autosave as “#wp-config.php#”; Vim keeps a swap file named “.wp-config.php.swp”; other editors have their own variants. The backup copy stays behind by default, and the autosave and swap files are left behind whenever the editor crashes, the connection drops, or the app simply doesn’t clean up after itself. Because the copy no longer ends in “.php”, a typical web server setup hands it out as plain text instead of running it.
Anyone who requests one of these file names and gets a hit has been handed the most precious details of your CMS-driven website: the database host, username, and password, in the clear.
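The check a site owner wants after reading this is whether any such copies already sit in the web root. The script below is an added example, not part of the original post: it walks a directory for the editor backup, autosave and swap names described above and flags the ones that still contain database credentials. The file-name list, the credential pattern and the sample web root it builds are this example’s own assumptions.

```python
"""Added example, not part of the original post: scan a web root for the
editor backup, autosave and swap copies of CMS config files described above,
and flag the ones that still carry database credentials. The file-name list
and the sample web root are this example's own assumptions."""
import os
import re
import tempfile
from pathlib import Path

# Files a CMS keeps its database credentials in (WordPress, Joomla).
CONFIG_FILES = ("wp-config.php", "configuration.php")

# Credential defines/properties found in those files; a leftover copy that
# still matches is a live leak, not just clutter.
CREDENTIAL_RE = re.compile(rb"DB_(PASSWORD|USER|NAME|HOST)|\$password\b")


def leftover_names(filename):
    """Names editors and admins leave next to a file they edit (assumed list
    of common patterns, not exhaustive)."""
    return {
        f"{filename}~",        # Emacs, joe: backup of the previous version
        f"#{filename}#",       # Emacs: autosave, stays behind after a crash
        f".{filename}.swp",    # Vim: swap file, stays behind if the session dies
        f".{filename}.swo",    # Vim: further swap file for the same buffer
        f"{filename}.bak",     # manual copies
        f"{filename}.orig",
        f"{filename}.save",
        f"{filename}.old",
    }


def find_leftovers(webroot, config_files=CONFIG_FILES):
    """Walk webroot and return a sorted list of (relative path, has_credentials)
    for every leftover copy of a config file found under it."""
    wanted = {name for cfg in config_files for name in leftover_names(cfg)}
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name not in wanted:
                continue
            path = Path(dirpath) / name
            try:
                data = path.read_bytes()   # swap files are binary: read raw bytes
            except OSError:
                data = b""
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            hits.append((rel, CREDENTIAL_RE.search(data) is not None))
    return sorted(hits)


def make_sample_webroot():
    """Constructed sample web root (not real data): a live config, an Emacs
    backup that still holds the password, and an old autosave that doesn't."""
    root = tempfile.mkdtemp(prefix="webroot-")
    config = b"<?php\ndefine('DB_USER', 'wpuser');\ndefine('DB_PASSWORD', 'hunter2');\n"
    Path(root, "wp-config.php").write_bytes(config)
    Path(root, "wp-config.php~").write_bytes(config)
    Path(root, "blog").mkdir()
    Path(root, "blog", "#wp-config.php#").write_bytes(b"<?php\n// half-written autosave\n")
    return root


def demo():
    """Run the scan over the constructed sample web root."""
    return find_leftovers(make_sample_webroot())


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_webroot()
    for rel, leaks in find_leftovers(root):
        print(f"{'LEAK ' if leaks else 'clean'}  {rel}")
```

Run it as `python3 scan.py /var/www/html` on the server (or over a local mirror of the web root); with no argument it scans the constructed sample and reports the Emacs backup as a leak. The live wp-config.php itself is deliberately not reported, since that file is meant to be there; only the copies are the problem.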
How to Avoid It
After learning about this, I’m done editing files directly on my server! Who wants to risk it? I don’t!
Apps like Coda are safer for this, but like I said, why risk it? Moreover, you should always make a backup of any config file you’re editing. So do this:
- Download your config file to your local system.
- Create a copy of it for backup purposes–I now add a date to the file name so I can keep track of my changes.
- Make your edits.
- Upload your edited file back to the server.
- Test your website.
Given how rarely most of us edit config files, these extra steps are hardly a bother, considering the sensitivity of the data we’re trying to protect.
Happy coding–and be safe!
[via Feross | HT: WP Daily | Image via Chuckumentary via Compfight cc]
Raoul Snyman says
I sincerely hope you’re NOT using FTP to download and upload your files, cause that’s also putting your details out there for anyone to read.
Additionally, you should put your config file OUTSIDE of your web server root so that the CMS on the server can read it, but your application can. WordPress doesn’t allow this, but you could probably hack WordPress to do it.
Lastly, you can also instruct your web server to disallow certain files. It’s pidsticks easy on Apache, and most other web servers have similar functionality.
And yes… don’t edit your config files on your server, that’s just asking for trouble.
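For the Apache rule the comment above mentions, the following is an added example and not the commenter’s own code. The catch worth seeing is that the usual exact-name `<Files "wp-config.php">` rule does nothing for `wp-config.php~` or `#wp-config.php#`; a `<FilesMatch>` pattern that matches the config file name anywhere in the served file name covers every backup and swap variant. The Python is only there to emit the rule and to check, offline, which request file names each rule would refuse; the config-file list is this example’s assumption.

```python
"""Added example, not the commenter's own code: an Apache rule that refuses to
serve editor backup, autosave and swap copies of CMS config files, next to the
exact-name <Files> rule that misses them, plus a local check of which request
file names each rule catches. The config-file list is this example's assumption."""
import re

CONFIG_FILES = ("wp-config.php", "configuration.php")


def files_directive(config_files=CONFIG_FILES):
    """The usual rule: <Files> matches the exact name only, so the copies
    an editor leaves behind (wp-config.php~, #wp-config.php#) slip past it."""
    return "\n".join(
        f'<Files "{name}">\n    Require all denied\n</Files>' for name in config_files
    )


def filesmatch_regex(config_files=CONFIG_FILES):
    # Unanchored, so any served file name that contains a config file name is
    # refused; that covers every backup/swap variant without listing suffixes.
    return "(" + "|".join(re.escape(name) for name in config_files) + ")"


def filesmatch_directive(config_files=CONFIG_FILES):
    """Apache 2.4 syntax for httpd.conf, the vhost, or .htaccess (the latter
    needs AllowOverride). Apache 2.2 uses 'Order allow,deny' / 'Deny from all'."""
    return (
        f'<FilesMatch "{filesmatch_regex(config_files)}">\n'
        "    Require all denied\n"
        "</FilesMatch>"
    )


def blocked_by_files(name, config_files=CONFIG_FILES):
    """Would the exact-name rule refuse a request for this file name?"""
    return name in config_files


def blocked_by_filesmatch(name, config_files=CONFIG_FILES):
    """Would the pattern rule refuse it? Apache applies FilesMatch to the
    basename of the requested file, which is what is tested here."""
    return re.search(filesmatch_regex(config_files), name) is not None


def compare(names):
    """Per file name: (exact rule blocks it, pattern rule blocks it)."""
    return {n: (blocked_by_files(n), blocked_by_filesmatch(n)) for n in names}


if __name__ == "__main__":
    print(filesmatch_directive())
    samples = ["wp-config.php", "wp-config.php~", "#wp-config.php#",
               ".wp-config.php.swp", "wp-config.php.bak", "index.php"]
    for name, (exact, pattern) in compare(samples).items():
        print(f"{name:22} <Files>: {exact!s:5}  <FilesMatch>: {pattern}")
```

Blocking direct requests for wp-config.php itself is harmless, since WordPress includes the file from PHP rather than fetching it over HTTP. The same idea carries to nginx as `location ~ wp-config\.php { deny all; }`. None of this helps if the server’s handler configuration happens to execute the copy rather than serve it, and it does not remove the leftover files, so it belongs alongside the scan-and-delete habit, not in place of it.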
Eric Dye says
SFTP always.