Skip to content

Beware creating backups of wp-config.php

Published by Samuel Aguilera on Thursday, 06/13/19

Have you ever renamed a PHP file in your WordPress installation appending a .bak or .old or something like that to the end of the filename? If your answer is yes, you may be exposing your site to a severe security risk.

Altering the name of a .php file as described above means your server is not going to process the file as a PHP file anymore, the server will allow a visitor to download or open the file as a plain text file. Therefore someone trying to find vulnerabilities in your site would be able to read the contents of your renamed PHP files.

If the renamed file doesn’t contain any sensitive data, it’s just code, maybe it’s not something to worry about, but if you did that to an important file of your WordPress, as the wp-config.php file, you’re allowing a potential attacker to know very sensitive data. And yeah, that’s something to be really worried about!

In the screenshot below you can find a real example of a bot scanning a WordPress site looking for renamed wp-config.php files:

A bot trying to find a copy of wp-config.php
A bot trying to find a readable copy of wp-config.php

As you can see the bot tried a bunch of typical bad filenames for this really sensitive file of your WP installation.

If any of the above files are available in your site, the attacker would get all the information stored on it, like full database connection details or the salt keys, opening the door to a variety of successful attacks to your site such as directly gaining access to the site, inject of malicious code in your database, etc…

So, how to rename your PHP files if you need a quick way to create a duplicate of the file?

  • Append whatever you want to the start of the filename, never after the .php extension, this way your file would be still recognized as a PHP file by your server and not displayed as a text file. e.g. bak2cF2-original-name.php
  • If you don’t need the duplicate of the file to be available through web access, move it to an internal not public folder. e.g. If your site files are under /username/public_html/ move it to /username/
  • Always use hard to guess names for the renamed files. Just like the above bak2cf2 part of the filename, even if you make a mistake and rename a file after the extension, if you always use a random string and not common names, that provides you a second chance to protect your files against scanners.
Published inWordPress

4 Comments

  1. Fernando Tellado Fernando Tellado

    Muy buen consejo Samuel

    Friday, 06/14/19 Reply
    • Samuel Aguilera Samuel Aguilera

      Gracias Fernando.

      Tuesday, 06/18/19
  2. Pranav Mittal Pranav Mittal

    Very informative, thank you!

    Wednesday, 06/24/20 Reply
  3. bahar bahar

    thanks a lot.
    it was useful.

    Sunday, 03/06/22 Reply

Leave a Reply to bahar Cancel reply

Your email address will not be published. Required fields are marked *