A number of WordPress blogs hosted at Network Solutions were hacked, according to ZDNet. A malicious hacker was able to create a script that scanned for WordPress config files, which contain MySQL database credentials in plain text.
WordPress config files should be readable only by Apache, with permissions of 750. Most users have their permissions set to 755. WordPress users should set their permissions to 750 to avoid being hacked.
Another way of protecting WordPress config files is to use .htaccess. Add the following code to your .htaccess file.
    # protect wp-config.php
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
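As an added example (not part of the original post), these shell functions audit a web root for wp-config.php files that still grant access to "other" users, strip those bits, and check for the .htaccess rule shown above. The function names and the sample tree are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original post): audit wp-config.php exposure.

# List every wp-config.php under $1 that grants any access to "other" users.
# find's "-perm -N" matches when bit N is set, so r, w and x are OR-ed together.
find_world_accessible_configs() {
    find "$1" -type f -name wp-config.php \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Strip the "other" bits from each flagged file (755 -> 750, 644 -> 640)
# and print how many files were changed.
harden_configs() {
    find "$1" -type f -name wp-config.php \
        \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec chmod o-rwx {} \; -print | wc -l | tr -d ' '
}

# Succeed only if $1/.htaccess has an active "deny from all" inside a
# <files wp-config.php> section, as in the post's snippet.
htaccess_denies_config() {
    [ -f "$1/.htaccess" ] || return 1
    awk '
        { line = tolower($0) }
        line ~ /^[ \t]*#/ { next }
        line ~ /<files[ \t]+"?wp-config\.php"?>/ { inside = 1; next }
        line ~ /<\/files>/ { inside = 0 }
        inside && line ~ /deny[ \t]+from[ \t]+all/ { found = 1 }
        END { exit !found }
    ' "$1/.htaccess"
}

# Constructed sample tree: two hypothetical sites, one at 755 and one at 750.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/site-a" "$root/site-b"
    : > "$root/site-a/wp-config.php"; chmod 755 "$root/site-a/wp-config.php"
    : > "$root/site-b/wp-config.php"; chmod 750 "$root/site-b/wp-config.php"
    printf '%s\n' '# protect wp-config.php' '<files wp-config.php>' \
        'order allow,deny' 'deny from all' '</files>' > "$root/site-b/.htaccess"
    echo "$root"
}

# Usage: sh audit.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    find_world_accessible_configs "$1"
fi
```

Run the listing function first and review its output before calling harden_configs, since the latter changes file modes in place.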
Good post. More and more companies are looking to WordPress as their CMS system of choice. While I think WordPress is tops!! I would advise people to just take time to ensure they have done everything they can to secure their WordPress website.
I think the standard permission for a file is 644. 755 is usually used as the folder permission.
I’m just curious if 640 would work. Mine is currently set to 660.
640 is actually recommended as documented in the WordPress forum.
If you install mod_fcgid you can set up chmod 600, which is the most secure option. Then the web server is running under the specific user. This is the most secure way for shared hosting services.