6000+ sites are still leaking sensitive WordPress config files
Well, this isn’t anything new, not at all!
Google Hacking Database has been around for a long time.
We started to dig into WordPress config files and realized that it’s very common to create a backup of your config file, which is not a bad idea.
This config file contains the base configuration of a wordpress installation like Database Connection (user name, password, ost) and other sensitive information.
Example
What’s really bad is that some admins seems to store the file in the web root and changed the extension to txt will will be read in the browser.
If we change the file extension to .txt it will be managed by the web server/php interpreter as any other txt file and present the content to the user.
So if we look at one part that exists in the WordPress config file.
“define(‘AUTH_KEY’, ‘” and we also have some other phrases like “wp-config.php”.
If you want an idea of how bad it is we can let google sort that out for us using some search operands available.
Since google knows the content of all files it has indexed which are most of them we just search for the content using “intext:” and filter on txt files using “filetype:”
intext:define(‘AUTH_KEY’, ‘ wp-config.php filetype:txt
The result shows about 6000+ results (and probably some false positives in the results).
This file is not something that would be read by the user and you should not be able to download the php file either ;).
What you need to do
- Don’t place sensitive files in the web root that doens’t have to be there
- Configure permissions
- Definitely don’t place backup files in the webroot, in case you don’t have to temporarily to reinstall a web application but otherwise, keep them away from the internet