htaccess - How do I test to ensure that my wp-config file is protected?


Since order allow,deny is deprecated in 2.4 I wanted to rewrite the rules in my .htaccess file to use the new rules. Previously I was using:

<files wp-config.php>
    order allow,deny
    deny from all
</files>

Which I've rewritten to:

<FilesMatch "wp-config.php">
    Require all denied
</FilesMatch>

How do I confirm that my method is actually working? I'm not certain how hackers might gain access to this file so I don't know how to test it.


asked Nov 2, 2018 at 14:43 by jarrodwhitley; edited Nov 4, 2018 at 12:56 by Krzysiek Dróżdż
  • What is this supposed to help against? If you can answer that, you can test it – kero Commented Nov 2, 2018 at 14:54
  • To be honest, I'm not certain. My boss told me that it needed to be protected. The method using Allow and Order was written by someone else before I started working here. All I know is that hackers are able to (somehow) gain access to an unprotected file. I've tried researching how they do it, but I'm coming up with nothing. – jarrodwhitley Commented Nov 2, 2018 at 14:59
  • This is not really WordPress specific, you might have better luck at ServerFault or Security. As far as I understand this is done to, in case of misconfiguration of the server, keep the wp-config.php private. My personal opinion: if the server is misconfigured, why should .htaccess still work? So we don't do this, but have the file chmod 0600 (-rw-------). – kero Commented Nov 2, 2018 at 15:06

2 Answers

The old method works for me, and any request results in a 403 status response instead of execution of the PHP script. I've not checked your second method, but if it works it will similarly respond with 403 denied/forbidden.

To test, you simply have to enter the URL of your "wp-config.php" in the address bar of your browser, e.g. http://example/wp-config.php. Depending on the browser and/or the site's custom 403 settings, your browser will display "forbidden", "access denied", etc.

Note you can also move wp-config.php one directory up from where WordPress installed it; if this is then above the webroot/public_html, it will no longer be "directly" accessible by hackers. More on this here: Is moving wp-config outside the web root really beneficial?
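A scripted version of the browser check above, added here as an example and not part of the answer. It requests wp-config.php and reports what the status code actually means: 403 is the deny rule firing, a 200 with an empty body means PHP executed the file (wp-config.php normally prints nothing, so the rule is not in effect even though nothing visibly leaked), and a 200 whose body contains the PHP source means the file was served as plain text. Because `<FilesMatch "wp-config.php">` is an unanchored regular expression it also matches names such as wp-config.php.bak, whereas `<Files wp-config.php>` matches only that exact name, so the probe also tries a few backup names; those names, the base URL and the User-Agent string are assumptions, not files known to exist on any site.

```python
"""Probe a WordPress site to confirm wp-config.php is not served.

Added example, not from the original post. The site base URL is taken
from the command line; the extra probe paths are constructed guesses for
common editor/backup copies, not files known to exist anywhere.
"""
import sys
import urllib.error
import urllib.request

# wp-config.php is the file from the question. The rest are assumed backup
# names: an exact <Files wp-config.php> block does not cover them, an
# unanchored <FilesMatch "wp-config.php"> regex does.
PROBE_PATHS = [
    "/wp-config.php",
    "/wp-config.php.bak",
    "/wp-config.php~",
    "/wp-config.php.save",
    "/wp-config.php.orig",
]

# Strings that only reach the client if the raw PHP source was served.
SOURCE_MARKERS = (b"DB_PASSWORD", b"DB_NAME", b"<?php")


def classify(status, body):
    """Map an HTTP status and response body to a verdict string.

    403           -> "protected": the deny rule fired.
    404           -> "absent": nothing at that path, nothing to protect.
    200 + marker  -> "LEAKED": PHP source delivered as plain text.
    200 otherwise -> "executed": PHP ran the file, so no deny rule applied.
    anything else -> "unexpected:<status>".
    """
    if status == 403:
        return "protected"
    if status == 404:
        return "absent"
    if status == 200:
        if any(marker in body for marker in SOURCE_MARKERS):
            return "LEAKED"
        return "executed"
    return "unexpected:%d" % status


def fetch(url, timeout=10):
    """GET url and return (status, body); HTTP error codes are responses too."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-config-probe"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def probe(base_url, paths=PROBE_PATHS):
    """Probe every path under base_url and return {path: verdict}."""
    base = base_url.rstrip("/")
    return {path: classify(*fetch(base + path)) for path in paths}


def control_ok(base_url):
    """True if the site root answers 200, so a 403 on wp-config.php is the
    rule working and not a blanket deny or a WAF blocking this client."""
    status, _ = fetch(base_url.rstrip("/") + "/")
    return status == 200


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_wp_config.py https://example.com")
    if not control_ok(sys.argv[1]):
        print("warning: site root is not 200; a 403 below may not be the rule")
    results = probe(sys.argv[1])
    for path, verdict in results.items():
        print("%-22s %s" % (path, verdict))
    # Fail the run if anything other than 403/404 came back.
    bad = [p for p, v in results.items() if v not in ("protected", "absent")]
    sys.exit(1 if bad else 0)
```

Run it against the site's public URL; only "protected" and "absent" lines are acceptable. The control request against the site root guards against the trap of a 403 that comes from a WAF or a blanket deny rather than from the FilesMatch block.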

I discovered that by looking at my server's error logs I could see where the server denied permission to me when I attempted to visit http://example/wp-config.php

It looked like this:

[Fri Nov 02 17:52:22.222222 2018] [authz_core:error] [pid 222] [client 22.222.222.222:22222] AH01630: client denied by server configuration: /nas/wp/www/sites/example/wp-config.php
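To confirm the rule from the server side rather than the browser, the error log can be filtered for the authz_core denial the answer above shows. This is an added example, not part of the answer. The first sample line is the one from the answer; the other three are constructed to show that the filter ignores unrelated entries (a PHP notice and a startup message). It assumes the default Apache 2.4 ErrorLog layout, i.e. no custom ErrorLogFormat.

```python
"""Pull 'client denied by server configuration' entries for a file out of
an Apache 2.4 error log. Added example, not from the original answer.
"""
import os
import re
import sys

# Constructed sample: line 1 is the log line from the answer, lines 2-4 are
# made up to exercise the filter (another denial, a PHP notice, a startup
# message with no client field).
SAMPLE_LOG = """\
[Fri Nov 02 17:52:22.222222 2018] [authz_core:error] [pid 222] [client 22.222.222.222:22222] AH01630: client denied by server configuration: /nas/wp/www/sites/example/wp-config.php
[Fri Nov 02 17:52:40.100000 2018] [authz_core:error] [pid 222] [client 203.0.113.7:51324] AH01630: client denied by server configuration: /nas/wp/www/sites/example/wp-config.php.bak
[Fri Nov 02 17:53:01.500000 2018] [php7:notice] [pid 223] [client 198.51.100.9:40210] PHP Notice:  Undefined index: foo in /nas/wp/www/sites/example/wp-content/themes/demo/functions.php on line 12
[Fri Nov 02 17:53:05.000000 2018] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.29 (Ubuntu) configured -- resuming normal operations
"""

# Default 2.4 ErrorLogFormat: [timestamp] [module:level] [pid N(:tid M)]
# [client ip:port] AHxxxxx: message. Client and AH code are optional
# because not every entry carries them.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"(?:\[client (?P<client>[^\]]+)\] )?"
    r"(?:(?P<code>AH\d{5}): )?"
    r"(?P<msg>.*)$"
)

DENIED_CODE = "AH01630"  # authz_core: client denied by server configuration


def parse_line(line):
    """Parse one error-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    client = rec.pop("client")
    if client:
        # Apache writes "ip:port"; split on the last colon so IPv6 survives.
        ip, _, port = client.rpartition(":")
        rec["client_ip"], rec["client_port"] = ip, port
    else:
        rec["client_ip"] = rec["client_port"] = None
    return rec


def denials(lines, target):
    """Return AH01630 records whose denied file name contains `target`.

    Matching on the basename mirrors the unanchored <FilesMatch> regex, so
    wp-config.php.bak is reported alongside wp-config.php.
    """
    found = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["code"] != DENIED_CODE:
            continue
        _, _, path = rec["msg"].rpartition(": ")
        if target in os.path.basename(path):
            rec["path"] = path
            found.append(rec)
    return found


if __name__ == "__main__":
    # Pass the real error log as an argument; otherwise use the sample.
    if len(sys.argv) == 2:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    for rec in denials(lines, "wp-config.php"):
        print(rec["ts"], rec["client_ip"], rec["path"])
```

A denial entry after your own test request is the positive confirmation the answer describes; the same filter run over the full log shows whether anyone else has been trying the file, and from which addresses.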
