Why should you protect your wp-config.php file?

CUPC4K3 · Published in stolabs · 3 min read · Jun 8, 2022

Hello everyone, today I’m going to talk about WordPress and how a misconfiguration gave me access to database credentials, compromising the entire company.

Have you ever heard of WordPress?

WordPress (WP, WordPress.org) is a free and open-source content management system (CMS) written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes. WordPress was originally created as a blog-publishing system but has evolved to support other web content types including more traditional mailing lists and forums, media galleries and membership sites.

Enumerating Subdomains

In this pentest we will call the main domain target.com.br.

Using subfinder, a subdomain enumeration tool, I came across the subdomain wp.target.com.br.

I then ran ffuf, a tool that fuzzes for files and directories, against it and located the file wp-config.php.save. The .save suffix is what makes it interesting: the live wp-config.php is executed by the PHP handler and returns nothing, but a copy whose extension PHP does not handle is delivered by the web server as plain text, source code included.

After all, what is wp-config.php?

wp-config.php is the main WordPress configuration file.

It holds sensitive information: the database details, the authentication keys and salts, and the variables and constants that control how WordPress behaves on your server, among others.

This information allows WordPress to communicate with the database to store and retrieve data (posts, users, your site settings, etc.). The database settings are four PHP constants:

Database Name (DB_NAME):
The name of the database you want WordPress to use.
Database User (DB_USER):
The username WordPress uses to access the database. You can create one from your host’s cPanel or equivalent.
Database Password (DB_PASSWORD):
The password of that database user.
Database Host (DB_HOST):
The hostname (and optionally the port) of the MySQL server.
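The Python script below is an added example, not code from the original post or from WordPress. It requests the backup names that the fuzzing step above would look for, shows (in a constructed wp-config.php body with made-up values) how the four constants just listed appear in the file, and pulls them out of any copy the server returns as plain text. The host wp.target.com.br is the article’s placeholder; the backup-name list, the sample file and the demo_fetch stand-in are mine, and http_fetch is the real fetcher for a host you are authorised to test.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

# Copies that editors and admins leave next to the live file. Constructed list
# for this example; the wordlist you feed ffuf will be longer.
BACKUP_NAMES = [
    "wp-config.php.save",   # nano "save under another name": the leak in this write-up
    "wp-config.php.bak", "wp-config.php.old", "wp-config.php.orig",
    "wp-config.php.txt", "wp-config.php.dist", "wp-config.php~",
    ".wp-config.php.swp",   # vim swap file left behind after a crash
    "wp-config.bak", "wp-config.old", "wp-config.php.zip", "wp-config.php.tar.gz",
    "wp-config.php",        # the live file as a control: PHP executes it, expect an empty 200
]

# Constants whose values are secrets: the four DB_* settings listed above plus the
# keys and salts, which let an attacker forge WordPress login cookies.
REQUIRED = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"}
SECRET_KEYS = REQUIRED | {
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
}
# define( 'NAME', 'value' ); with either quote style. The \2 back-reference makes the
# closing quote match the opening one, so a value may contain the other kind of quote.
DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(['"])(.*?)\2\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]+)['"]""")


def wp_config_candidates(base_path: str = "/") -> List[str]:
    """URL paths to request, e.g. ['/wp-config.php.save', ...]."""
    base = base_path.rstrip("/") + "/"
    return [base + name for name in BACKUP_NAMES]


def extract_wp_config(body: str) -> Optional[Dict[str, str]]:
    """Return the leaked secrets if `body` is readable wp-config.php source, else None."""
    found = {name: value for name, _quote, value in DEFINE_RE.findall(body)}
    leaked = {k: v for k, v in found.items() if k in SECRET_KEYS}
    prefix = PREFIX_RE.search(body)
    if prefix:
        leaked["table_prefix"] = prefix.group(1)
    # An empty page (PHP executed the file) or an error page lacks the DB_* constants.
    return leaked if REQUIRED.issubset(leaked) else None


Fetch = Callable[[str], Tuple[int, str]]


def http_fetch(url: str, timeout: float = 10) -> Tuple[int, str]:
    """Real fetcher returning (status, body). Only point it at hosts you are authorised to test."""
    req = urllib.request.Request(url, headers={"User-Agent": "wp-config-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def audit(base_url: str, fetch: Fetch = http_fetch) -> Dict[str, Dict[str, str]]:
    """Request every candidate path and return {url: secrets} for the ones that leak."""
    root = base_url.rstrip("/")
    leaks: Dict[str, Dict[str, str]] = {}
    for path in wp_config_candidates():
        status, body = fetch(root + path)
        secrets = extract_wp_config(body) if status == 200 else None
        if secrets:
            leaks[root + path] = secrets
    return leaks


# Constructed wp-config.php source standing in for the leaked .save file; every value is made up.
SAMPLE_LEAKED_BODY = """<?php
define( 'DB_NAME', 'wp_prod' );
define( 'DB_USER', 'wp_app' );
define( 'DB_PASSWORD', 'S3cr3t-Example!' );
define( 'DB_HOST', 'db.internal.example:3306' );
define( 'DB_CHARSET', 'utf8mb4' );
define( 'AUTH_KEY', "it's-a-constructed-key" );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""


def demo_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for a server: the .save copy is served as text, the live file runs."""
    if url.endswith("/wp-config.php.save"):
        return 200, SAMPLE_LEAKED_BODY
    if url.endswith("/wp-config.php"):
        return 200, ""
    return 404, "<h1>404 Not Found</h1>"


if __name__ == "__main__":
    for url, secrets in audit("https://wp.target.com.br", demo_fetch).items():
        print(f"[!] {url} is readable:")
        for key, value in secrets.items():
            print(f"    {key} = {value!r}")
```

Run it as-is to see the offline demo; call audit("https://host", http_fetch) for a real check. The leak is recognised by the presence of the four DB_* defines rather than by HTTP status, because the live wp-config.php also answers 200, just with an empty body.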

With the database credentials from that file we were able to read users’ sensitive data: e-mail addresses, password hashes, names, postal addresses, telephone numbers and more.

Access to all instances used by the company.

Locking down wp-config.php

Now we know why wp-config.php is one of the most important WordPress files. Notice, though, what actually leaked here: not wp-config.php itself, which the PHP handler executes and which therefore returns an empty page, but wp-config.php.save, a copy left behind by an editor. PHP does not handle the .save extension, so the web server delivered the file as plain text. Whatever you do to protect the file has to cover such copies (wp-config.php.bak, wp-config.php~, .wp-config.php.swp and friends) as well as the exact name, and the cheapest measure of all is to never edit the file in place on the server and to delete any stray copy.

First of all, WordPress also looks for wp-config.php one level above the installation folder (only one level), so you can move it there. This only helps when that directory is outside the web root, which on shared hosting is often not the case, and the technique is a bit controversial, so I would suggest adopting the other measures too. If your site is running on Apache Web Server, you can add the following directives to the .htaccess file. A plain <Files wp-config.php> section would not have matched wp-config.php.save, so use FilesMatch with an anchored regular expression (on Apache 2.4 without mod_access_compat, replace the two directives inside it with Require all denied):

<FilesMatch "^\.?wp-config\.">
order allow,deny
deny from all
</FilesMatch>

If the site is running on Nginx, you can add the following directive to the server block. Because the pattern is an unanchored regular expression it already matches suffixed copies such as wp-config.php.save (note that the unescaped dot matches any character); place it before your location ~ \.php$ handler, since nginx uses the first regex location that matches:

location ~* wp-config.php { deny all; }
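To see how much each directive actually covers, here is a second added example (mine, not from the original article or from the Apache or nginx projects). It models only the pattern-matching step: Apache’s <Files> and <FilesMatch> test the basename of the requested file, nginx’s regex locations test the whole URI; section merging and location precedence are not modelled. The request paths are constructed, and the two anchored variants are my suggestions rather than anything the article prescribes.

```python
import fnmatch
import posixpath
import re
from typing import Callable, Dict, List, Tuple

Matcher = Callable[[str], bool]

# Constructed request paths: the live file, the usual backup copies, and two
# paths that must stay reachable so over-blocking shows up as well.
PATHS = [
    "/wp-config.php",
    "/wp-config.php.save",                     # the file that leaked in this write-up
    "/wp-config.php.bak",
    "/wp-config.php~",
    "/.wp-config.php.swp",
    "/wp-config.bak",
    "/old/wp-config.php.save",                 # copy forgotten in a subdirectory
    "/wp-config-sample.php",                   # shipped with WordPress, harmless
    "/wp-content/uploads/2022/06/photo.jpg",
]


def apache_files(pattern: str) -> Matcher:
    """<Files pattern>: shell-style wildcard (? and *) against the basename, case-sensitive."""
    return lambda uri: fnmatch.fnmatchcase(posixpath.basename(uri), pattern)


def apache_files_match(regex: str) -> Matcher:
    """<FilesMatch "regex">: regular expression against the basename."""
    rx = re.compile(regex)
    return lambda uri: rx.search(posixpath.basename(uri)) is not None


def nginx_location(regex: str, case_insensitive: bool = True) -> Matcher:
    """location ~* regex (or ~ when case_insensitive=False): unanchored regex on the URI."""
    rx = re.compile(regex, re.IGNORECASE if case_insensitive else 0)
    return lambda uri: rx.search(uri) is not None


# (key, directive as written in the config, matcher). "files" and "nginx" are the
# rules commonly recommended; "filesmatch" and "nginx_anchored" are the suggested variants.
RULES: List[Tuple[str, str, Matcher]] = [
    ("files", "<Files wp-config.php>", apache_files("wp-config.php")),
    ("filesmatch", r'<FilesMatch "^\.?wp-config\.">', apache_files_match(r"^\.?wp-config\.")),
    ("nginx", "location ~* wp-config.php", nginx_location(r"wp-config.php")),
    ("nginx_anchored", r"location ~* /\.?wp-config\.", nginx_location(r"/\.?wp-config\.")),
]


def exposed(rule: Matcher, paths: List[str] = PATHS) -> List[str]:
    """Paths the rule does not match, i.e. that the server would still serve."""
    return [p for p in paths if not rule(p)]


def coverage(paths: List[str] = PATHS) -> Dict[str, List[str]]:
    """For every rule, the list of paths it leaves reachable."""
    return {key: exposed(rule, paths) for key, _directive, rule in RULES}


if __name__ == "__main__":
    for key, directive, rule in RULES:
        print(directive)
        for p in exposed(rule):
            # A reachable copy of the config is a leak; the sample file and uploads are fine.
            flag = "LEAK" if "wp-config" in p and "sample" not in p else "ok  "
            print(f"    {flag} {p}")
```

The exact-name <Files wp-config.php> leaves every backup copy readable, including the wp-config.php.save from this write-up. The original nginx regex is unanchored and so covers suffixed copies, but not a renamed wp-config.bak. The anchored \.?wp-config\. forms cover all the copies while leaving wp-config-sample.php and the uploads alone; a regex tightened to wp-config\.php$ would miss the .save file again.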

Conclusion

You learned why the wp-config.php file is essential for a WordPress site: it holds the database credentials, and in this case one forgotten copy of it, wp-config.php.save, was enough to read every user record. Keep the file unreadable from the web, keep editor backups and other copies out of the document root, and limit what the database user and host accept, so that a single leaked file cannot turn into access to the whole company. =)
