security - Storing FTP details in wp-config.php

I'd like to hear about the security concerns for storing FTP details in wp-config.php on a shared server.

It doesn't 'feel' safe to me. I'm using ManageWP to control sites on a shared server and have to input the FTP details manually for each update.

I'd like to hear about the security concerns for storing FTP details in wp-config.php on a shared server.

It doesn't 'feel' safe to me. I'm using ManageWP to control sites on a shared server and have to input the FTP details manually for each update.

• security
• wp-config
• ftp

Share Improve this question asked Mar 7, 2014 at 11:15 Dave McCourtDave McCourt 5811 silver badge1010 bronze badges

Add a comment  | 

2 Answers 2

Sorted by: Reset to default 1

I would consider it somewhat safe since that's where your database connection information is also stored. One could easily ruin your website by deleting your whole database if they had access to that file.

There are a couple of things you can do to increase security:

1. Move the wp-config file one level outside the root. Wordpress knows to look for the file there.

2. Make sure your server is hiding your root/parent index. That's an option you can usually change yourself in cpanel.

It's as safe as other credentials stored in wp-config.php. As long the WordPress hardening guide is followed, as well as general security best practices, you should be fine.

Issues that could affect security:

• Since it's a shared server, if users are not chrooted, they can read any files that have global read ownership on the server, including wp-config.php if incorrectly set.
  • You can mitigate this by removing global read from wp-config.php, which is best practice anyways.
• File disclosure vulnerabilities could allow someone to read the configuration file through a vulnerability in the website.
  • Depending on how your web server and/or .htaccess is configured, creating backups like wp-config.bak or wp-config.php.bak will could expose that config file as it may not be protected like wp-config.php would be. Be careful where you put those. Definitely don't put them in the webroot.
  • Only use plugins you need. Uninstall ones you don't. Follow security best practices, like the hardening guide.
• Path traversal vulnerabilities could allow the config file to be exposed and read through a vulnerability in the website, even if it's a directory up.
  • Follow the same guidelines as above.