• Resolved forboding-angel

    (@forboding-angel)


    I really liked this right up until the part where I saw that it had to have the entire WordPress install in git, whereas for the sake of security (and ease of use) I would vastly prefer only the theme folder be in git.

    So, how does one keep WordPress secure if the GitHub repo is a public repo?

    https://www.ads-software.com/plugins/revisr/

  • Plugin Author Expanded Fronts

    (@expandedfronts)

    Hello,

    You can configure files to be ignored from the repository (and GitHub) by adding the files or directories to the .gitignore settings on the plugin settings page.

    For wp-config, simply add this line (paths are relative to the root repository folder/WordPress installation):
    wp-config.php

    And save the settings.

    Additionally, the wp-config file can also be saved in the directory directly above the root of the WordPress installation, which would prevent it from being part of the repository at all.

    Plugin Author Expanded Fronts

    (@expandedfronts)

    Also, if you wanted to only track the wp-content/themes/ directory, you could add something like the following to the gitignore settings:

    /*
    /*/
    !/wp-content/themes/

    Thread Starter forboding-angel

    (@forboding-angel)

    Ahh, thanks for that. I was wondering if I could just do a gitignore like that and get away with it. It just seemed odd that the plugin needed the repo to contain the entire install. Apparently I read the FAQ/install instructions wrong, as it sounded like that was a requirement.

    @Forboding Angel, it might be a good idea to keep the whole installation under Git. For example, if your site gets hacked and your core files are modified (added that usual encoded malicious code or new files) you can view the diffs and clean all infected files. Or just roll back to clean commit. That’s what I thought the first time I saw this plugin.

    Thread Starter forboding-angel

    (@forboding-angel)

    @igor, you should never be making changes to core though, so as long as you have your theme in git and your database backed up, you should be golden to just dump clean core files over the hack.

    All this plugin does is pull, from what I understand, so you would not get a diff of the site files vs what is in git, as I understand it.

    It’s more for viewing the diffs between commits to git.

    Plugin Author Expanded Fronts

    (@expandedfronts)

    @Forboding Angel-

    You bring up some good points, and I definitely encourage you to use the plugin however you see fit to make sure it works best with your workflow.

    With that being said, Ihor brings up a good point, and that is that Revisr will show you at a glance if those core files have been modified. While you can simply upload the latest core files over your entire installation, you won’t necessarily know when you need to do it since those files aren’t being tracked.

    I’ve seen plenty of WordPress sites (not as much recently, but still some) where the hack may be hard to find (such as a hacked 404 page with a small bit of encoded Javascript). Since you are tracking the 404 page as it is in your themes directory, it is easy enough to remove the result of the hack, but often there will be other malicious files uploaded to other directories on the site, which may or may not be in the wp-content folder.

    @Forboding Angel yep, you’re right.
    Of course I never alter core files. And btw even my own ‘starting kit’ is a git repo with WP core as Git submodule.

    Thread Starter forboding-angel

    (@forboding-angel)

    @expandedfronts

    With that being said, Ihor brings up a good point, and that is that Revisr will show you at a glance if those core files have been modified.

    No, you wouldn’t, not unless the plugin does diffing vs. its local copy. From what I read, I’m pretty sure it shows diffs that are displayed in GitHub, not diffs of the local working copy vs. master. Am I wrong?

    Plugin Author Expanded Fronts

    (@expandedfronts)

    Yes, Revisr shows diffs for the local repository against whatever branch is checked out.

    So if you pull master and make a bunch of changes to the local repository, you’re viewing the diffs for those local changes. You could also create a local branch independent of Bitbucket or Github and commit all of your changes to that branch, and go back and view previous commits and diffs without ever pushing to a remote.

    Thread Starter forboding-angel

    (@forboding-angel)

    Nice! That’s very cool. Thanks for the info.

    Thread Starter forboding-angel

    (@forboding-angel)

    For anyone else reading this:

    /*
    /*/
    !/wp-content/themes/

    Will not work. You cannot do a multilevel ignore in gitignore. So then you’re stuck with trying to do silly stuff like

    *
    */
    !wp-content/
    wp-content/*
    !wp-content/themes/
    wp-content/themes/*
    !wp-content/themes/my-theme-name

    Which does not appear to work either.

    Thread Starter forboding-angel

    (@forboding-angel)

    OK, after a bit of tinkering, I finally got this to work:

    # gitignore all but my theme folder
    !wordpress/
    wordpress/*
    !wordpress/wp-content/
    wordpress/wp-content/*
    !wordpress/wp-content/themes/
    wordpress/wp-content/themes/*
    !wordpress/wp-content/themes/my-theme/
    wordpress/wp-content/themes/my-theme/.DS_Store
    wordpress/wp-content/themes/my-theme/*/.DS_Store
    wordpress/wp-content/themes/my-theme/*/*/.DS_Store
    wordpress/wp-content/themes/my-theme/.sass-cache
    wordpress/wp-content/themes/my-theme/node_modules
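    As an added example (not the plugin’s or the poster’s code), here is a small Python model of the gitignore rules that decide whether a whitelist-style ignore keeps wp-config.php and core out of a public repo while still tracking the theme: the last matching pattern wins, `*` never crosses a `/`, a pattern containing a slash is anchored to the repo root, and a path cannot be re-included once a parent directory is excluded. The sample file layout is constructed; the two pattern sets are the first suggestion from this thread and the final working .gitignore above.

```python
# Minimal gitignore evaluator (added example; not git's or Revisr's code).
# Models the rules behind whitelist-style ignores: last matching pattern
# wins, '*' never crosses '/', a pattern containing a slash is anchored to
# the repo root, and a path stays excluded once a parent dir is excluded.
# Not supported: '**', backslash escapes, character classes.
import re

def _to_regex(glob):
    # '*' and '?' stop at '/', everything else is literal.
    body = "".join("[^/]*" if c == "*" else "[^/]" if c == "?" else re.escape(c)
                   for c in glob)
    return re.compile(body + r"\Z")

def _matches(pattern, path, is_dir):
    dir_only = pattern.endswith("/")
    pattern = pattern.rstrip("/")
    if dir_only and not is_dir:
        return False
    anchored = "/" in pattern                 # leading or middle slash
    target = path if anchored else path.rsplit("/", 1)[-1]
    return _to_regex(pattern.lstrip("/")).match(target) is not None

def _decision(patterns, path, is_dir):
    ignored = False                           # last matching pattern wins
    for pat in patterns:
        if _matches(pat.lstrip("!"), path, is_dir):
            ignored = not pat.startswith("!")
    return ignored

def is_ignored(patterns, path):
    """True if git would ignore the file `path` (repo-root relative)."""
    parts = path.split("/")
    for i in range(1, len(parts)):            # excluded parent: never descended
        if _decision(patterns, "/".join(parts[:i]), True):
            return True
    return _decision(patterns, path, False)

def tracked(patterns, files):
    return [f for f in files if not is_ignored(patterns, f)]

# Constructed sample layout; the repo root is the parent of wordpress/.
FILES = ["wordpress/wp-config.php", "wordpress/wp-includes/load.php",
         "wordpress/wp-content/themes/twentyfifteen/style.css",
         "wordpress/wp-content/themes/my-theme/style.css",
         "wordpress/wp-content/themes/my-theme/js/.DS_Store",
         "wordpress/wp-content/themes/my-theme/node_modules/a/index.js"]
NAIVE = ["/*", "/*/", "!/wp-content/themes/"]          # repo root = install
WORKING = ["!wordpress/", "wordpress/*", "!wordpress/wp-content/",
           "wordpress/wp-content/*", "!wordpress/wp-content/themes/",
           "wordpress/wp-content/themes/*",
           "!wordpress/wp-content/themes/my-theme/",
           "wordpress/wp-content/themes/my-theme/*/.DS_Store",
           "wordpress/wp-content/themes/my-theme/node_modules"]
```

Running `tracked(NAIVE, ...)` against the same files (with the `wordpress/` prefix stripped, since that pattern set assumes the repo root is the install) yields nothing, because `/*` excludes the `wp-content` directory itself and the later `!` can no longer rescue anything beneath it; `tracked(WORKING, FILES)` yields only the theme’s own files, with wp-config.php, core, other themes, `.DS_Store` and `node_modules` all ignored.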

  • The topic ‘wp-config security?’ is closed to new replies.