Password in wp-config. Dangerous?

I don’t know a lot about WordPress yet, and I’m just wondering:

Before installation you have to fill in the correct data in wp-config-sample.php, but this also includes the database password. Isn’t that dangerous? I mean, can someone explain how this is protected from someone just reading the file and thus getting the password of your DB?


The “Hardening WordPress” page of the Codex contains a section on “Securing wp-config.php”. It includes changing the permissions to 440 or 400. You can also move the wp-config file one directory up from the root if your server configuration allows for that.

Of course there is some danger to having a file with the password like this if someone gets access to your server, but, honestly, at that point they already are in your server.

Finally, you don’t have much of a choice. I’ve never seen an alternate means of configuring WordPress. You can lock it down as much as you can, but this is how WordPress is built, and if it were a serious security threat, they wouldn’t do it that way.
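The two hardening steps in the answer above (file mode 400 or 440, and keeping wp-config.php one directory above the web root) can be audited with a short script. This is an added example, not code from the question, the answer, or the WordPress Codex; the site tree it operates on is a constructed temporary directory, and the `locate_wp_config` lookup order (document root first, then its parent) assumes a conventional layout.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: audit wp-config.php
# against the answer's two recommendations (mode 400 or 440; optionally kept one
# directory above the document root). demo() works on constructed temporary files.

# Print a file's permission bits in octal (e.g. 644); works with GNU and BSD stat.
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%OLp' "$1"
    fi
}

# Return 0 only when the mode is exactly 400 or 440 (readable by the owner and at
# most the owner's group). Anything else, such as a world-readable 644, returns 1.
check_wp_config_mode() {
    case "$(file_mode "$1")" in
        400|440) return 0 ;;
        *)       return 1 ;;
    esac
}

# Apply the answer's recommendation: read-only for owner and group, nothing for
# "other". 440 rather than 400 so a web server running under the owner's group
# can still read the file.
harden_wp_config() {
    chmod 440 "$1"
}

# Given a document root, print where wp-config.php lives: in the root itself, or
# one level up (the "move it one directory up" option from the answer; WordPress's
# own loader checks that parent directory too). Return 1 if it is in neither place.
locate_wp_config() {
    docroot=$1
    if [ -f "$docroot/wp-config.php" ]; then
        printf '%s\n' "$docroot/wp-config.php"
    elif [ -f "$docroot/../wp-config.php" ]; then
        printf '%s\n' "$docroot/../wp-config.php"
    else
        return 1
    fi
}

# Demonstration on a constructed site tree: wp-config.php moved above the document
# root but left world-readable, then tightened to 440.
demo() {
    site=$(mktemp -d)
    mkdir "$site/public_html"
    printf '<?php define("DB_PASSWORD", "placeholder-not-a-real-secret");\n' \
        > "$site/wp-config.php"
    chmod 644 "$site/wp-config.php"

    cfg=$(locate_wp_config "$site/public_html")
    printf 'found config at %s, mode %s\n' "$cfg" "$(file_mode "$cfg")"
    if check_wp_config_mode "$cfg"; then
        echo "mode OK"
    else
        echo "mode too permissive; tightening to 440"
        harden_wp_config "$cfg"
        printf 'mode is now %s\n' "$(file_mode "$cfg")"
    fi
    rm -rf "$site"
}

demo
```

Run it as the user that owns the WordPress files; on a real site, pass the actual document root to `locate_wp_config` and only run `harden_wp_config` once you have confirmed which user and group the web server process runs as, since 440 relies on that group matching.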
