• iThemes security erroneously suggests file permissions 444 for wp-config.php.

    This means that iThemes security suggests that I make my secret database credentials public, which is a bad idea.

    Apparently, iThemes security assumes that PHP runs as a module that needs full, unrestricted public access to all files for them to be usable.

    This is not the case in security-conscious setups.

    https://www.ads-software.com/plugins/better-wp-security/

Viewing 2 replies - 1 through 2 (of 2 total)
  • @sitronolje

    Strictly speaking you are right. It should be 400 or 440.

    But there may be hosting envs out there that might have problems with permissions set as low as 400 or 440. I think the idea behind 444 is to set the permissions as low as possible but still allow as many hosting envs as possible to function.

    Anyway the WordPress File Permission feature in its current form is crap. Setting the wp-config.php file permissions to 440 or 400 (which is better protection than 444) still results in a WARNING.

    Also, what is an absolute path doing in a column named Relative Path?

    dwinden

    crdunst

    (@crdunst)

    Sorry to drag up an old topic, but I just searched the forums for this exact issue – I couldn’t believe iThemes is recommending 444 for wp-config.

    Server permissions aren’t my forte, but 444 would give public read access to the file, wouldn’t it?

    Love the plugin by the way, just checking if this is an oversight from the plugin devs or my misunderstanding of permissions…
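The three modes discussed in this thread (444, 440, 400) can be compared by decoding their read bits. This is an added example, not part of the original posts or the plugin's code; the function names `readers`, `audit_mode` and `audit_file` are hypothetical, and the demo runs against a constructed temporary file rather than a real wp-config.php.

```python
import os
import stat
import tempfile

# Read bit for each permission class, in owner/group/other order.
READ_BITS = (("owner", stat.S_IRUSR),
             ("group", stat.S_IRGRP),
             ("other", stat.S_IROTH))


def readers(mode):
    """Return the permission classes allowed to read a file with this mode."""
    perm = stat.S_IMODE(mode)  # strip file-type bits if given a full st_mode
    return [name for name, bit in READ_BITS if perm & bit]


def audit_mode(mode):
    """Return findings for a credentials file such as wp-config.php."""
    perm = stat.S_IMODE(mode)
    findings = []
    if perm & stat.S_IROTH:
        # Every local account, not only the PHP user, can read the file.
        findings.append("world-readable")
    if perm & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/other-writable")
    return findings


def audit_file(path):
    """Audit the mode bits of an existing file on disk."""
    return audit_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    # Constructed sample: a temporary file standing in for wp-config.php.
    fd, path = tempfile.mkstemp(suffix="-wp-config.php")
    os.close(fd)
    try:
        for mode in (0o444, 0o440, 0o400):
            os.chmod(path, mode)
            print(f"{mode:o}: readers={readers(mode)} "
                  f"findings={audit_file(path) or 'none'}")
    finally:
        os.chmod(path, 0o600)
        os.remove(path)
```

Modes 440 and 400 only work when the PHP process runs as the file's owner or as a member of its group, which is the hosting compatibility concern raised in the first reply.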

  • The topic ‘Bad wp-config.php permission suggestion’ is closed to new replies.