Wordpress - Password in wp-config. Dangerous?

The "Hardening WordPress" page of the Codex contains a section on "Securing wp-config.php". It includes changing the permissions to 440 or 400. You can also move the wp-config file one directory up from the root if your server configuration allows for that.

Of course, there is some danger to having a file with the password like this if someone gets access to your server, but, honestly, at that point they are already in your server.

Finally, you don't have much of a choice. I've never seen an alternate means of configuring WordPress. You can lock it down as much as you can, but this is how WordPress is built, and if it were a serious security threat, they wouldn't do it that way.


To make a case for keeping your config file one level up from the web root (as mrwweb suggested): a few months ago, an automatic update on a production server of ours killed php but left apache running. So everyone coming to the homepage was being offered index.php as a download. In theory, anybody who knew it was a WordPress site could have requested wp-config.php, and gotten it (had it been in the web root). Of course, they'd only be able to use those DB credentials if we allowed remote MySQL connections--but still, not cool. I realize this is a fringe case, but it's so easy to keep your config out of sight, why not do it?
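The two hardening steps from the first answer (tighten the mode to 440/400, move the file one directory above the web root) and the failure mode in the answer above (PHP down, Apache still serving wp-config.php as a plain file) can be checked with a small script. This is an added example, not code from the thread or from WordPress; it assumes a hypothetical site under a `public_html` docroot, Apache 2.4 for the `.htaccess` fallback, and that PHP runs as the file's owner or group so 440 still lets WordPress read it. The only WordPress behaviour it relies on is that `wp-load.php` looks for `wp-config.php` one level above ABSPATH when there is no `wp-settings.php` there.

```shell
#!/bin/sh
# Added example (not from the original thread): apply and verify the
# wp-config.php hardening discussed above. Paths and the site layout below
# are hypothetical; the sample config is constructed and holds a dummy value.

# Print a file's permission bits as octal digits (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only when the file is readable by its owner (400) or owner+group
# (440): not world-readable, not writable by anyone.
config_mode_ok() {
    case "$(file_mode "$1")" in
        400|440) return 0 ;;
        *)       return 1 ;;
    esac
}

# Succeed when wp-config.php is absent from docroot $1 and present one level
# up, which is where WordPress's wp-load.php also looks for it.
config_outside_docroot() {
    [ ! -e "$1/wp-config.php" ] && [ -f "$(dirname "$1")/wp-config.php" ]
}

# Tighten the mode, then move the file above the docroot. The move is skipped
# if the parent directory is itself a WordPress install (wp-load.php applies
# the same wp-settings.php check before it will read a parent-level config).
harden_wp_config() {
    docroot=$1
    cfg="$docroot/wp-config.php"
    parent=$(dirname "$docroot")
    [ -f "$cfg" ] || { echo "no wp-config.php in $docroot" >&2; return 1; }
    chmod 440 "$cfg"
    if [ -e "$parent/wp-settings.php" ]; then
        echo "parent has wp-settings.php; leaving config in place" >&2
        return 0
    fi
    mv "$cfg" "$parent/wp-config.php"
}

# Defence in depth for installs where the file must stay in the docroot: an
# Apache 2.4 rule that refuses the request even if the PHP handler is gone.
write_htaccess_deny() {
    cat >> "$1/.htaccess" <<'EOF'
<Files "wp-config.php">
    Require all denied
</Files>
EOF
}

# Demo on a constructed, throwaway layout: <tmp>/public_html/wp-config.php
demo() {
    tmp=$(mktemp -d)
    docroot="$tmp/public_html"
    mkdir -p "$docroot"
    printf '<?php define("DB_PASSWORD", "dummy-password");\n' > "$docroot/wp-config.php"
    chmod 644 "$docroot/wp-config.php"   # the usual, too-permissive default

    if config_mode_ok "$docroot/wp-config.php"; then
        echo "before: mode already tight"
    else
        echo "before: mode $(file_mode "$docroot/wp-config.php") is too loose"
    fi
    harden_wp_config "$docroot"
    write_htaccess_deny "$docroot"
    if config_mode_ok "$tmp/wp-config.php" && config_outside_docroot "$docroot"; then
        echo "after: mode $(file_mode "$tmp/wp-config.php"), moved to $tmp"
    fi
    rm -rf "$tmp"
}
demo
```

Run it against a real install by pointing `harden_wp_config` at the directory that holds `wp-load.php`; the `.htaccess` rule only matters on Apache, and on nginx the equivalent is a `location` block with `deny all`, which this script does not write.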


Unless someone has access via FTP, you don't need to worry about this. PHP is rendered on the server before it hits the user's browser.

Tags:

Wp Config