More Secure Config?

Random stuff about serendipity. Discussion, Questions, Paraphernalia.
Posts: 14
Joined: Wed Jul 28, 2010 6:14 pm

More Secure Config?

Post by SlidingHorn » Wed Mar 14, 2018 11:57 pm

I have a site that contains a MediaWiki, and one of the things they suggest when it comes to their LocalSettings.php (similar to s9y's) to make it a little more secure is to create a separate PHP file outside of the webroot with the database connection settings and call it with a require_once.

Is that something that might be a good idea for s9y? Would it be possible to do it as the code currently stands?

What are your thoughts?

(Here's a link to their suggestion: ... _passwords )

EDIT: I do see that in the .htaccess, there is a denial to all requests for .inc.php. That protects the file, but I just wonder if the above practice would be just as effective, more effective, or less. I guess this is just an invitation to a broader discussion of "best practice" or preference...

Posts: 2295
Joined: Tue Sep 09, 2008 10:04 pm

Re: More Secure Config?

Post by onli » Wed Mar 21, 2018 10:46 am

I think it would be more effective, security-wise. Instead of relying on .htaccess you'd get the access restriction right out of the box.

The relevant code starts in ... c.php#L263. There we'd have to include the config_local from the new location.

The main problem with applying this generally is that it is something we can't do for existing installations. At least I can't think of an upgrade scheme right now that would allow moving the config out of the webroot, and to do so reliably on all possible server configs.

But I see no harm in applying this on your own installation. Just change the include path for that file to a directory outside the webroot that the webserver can read.
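Here is what the change onli describes looks like in practice. This is an added example, not Serendipity's own code and not the snippet at the elided line in the config include: a small loader that resolves the local config from a directory next to the install, refuses to run if that path turns out to be inside the served tree, and only then does the require_once. The file name serendipity_config_local.inc.php and the sibling directory s9y-private/ are assumptions for the example, as is using __DIR__ as the webroot. Unlike the .htaccess rule, this works the same under nginx or any other webserver, and it still protects the file if AllowOverride is later switched off or the .htaccess is lost in an upgrade; the trade-off is that a failed include aborts the blog, so keep display_errors off so a misconfiguration does not print the path to visitors.

```php
<?php
// Added example (not s9y project code): load the local config from outside the webroot.
// Assumptions, not from the thread: the local config is named
// serendipity_config_local.inc.php, the s9y install directory is the webroot,
// and the config has been moved to a sibling directory, e.g. /var/www/s9y-private/.

declare(strict_types=1);

/**
 * Resolve the out-of-webroot config file and verify it really lives outside
 * the directory the webserver serves.
 *
 * @param string $privateDir Directory holding the config (must be outside the webroot).
 * @param string $webRoot    Directory the webserver serves for this install.
 * @return string            Absolute, canonical path of the config file.
 * @throws RuntimeException  If the file is missing/unreadable or sits inside the webroot.
 */
function s9y_private_config_path(string $privateDir, string $webRoot): string
{
    $file = $privateDir . DIRECTORY_SEPARATOR . 'serendipity_config_local.inc.php';

    // realpath() resolves symlinks and "..", so the containment check below
    // compares canonical paths rather than whatever was typed in.
    $real     = realpath($file);
    $realRoot = realpath($webRoot);

    if ($real === false || !is_readable($real)) {
        // Typical cause: wrong path, or the file is not readable by the webserver
        // user (e.g. owned by root with mode 0600 instead of group-readable 0640).
        throw new RuntimeException('local config not readable: ' . $file);
    }

    if ($realRoot !== false) {
        $rootPrefix = rtrim($realRoot, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        if (strpos($real, $rootPrefix) === 0) {
            // The whole point is that this file must never be URL-reachable;
            // bail out rather than silently fall back to an exposed location.
            throw new RuntimeException(
                'refusing to load local config from inside the webroot: ' . $real
            );
        }
    }

    return $real;
}

// __DIR__ is the directory of this bootstrap file, i.e. the s9y install
// directory (assumed here to be the webroot). One level up and into a
// sibling directory keeps the config off the served tree entirely.
$webRoot    = __DIR__;
$privateDir = dirname(__DIR__) . DIRECTORY_SEPARATOR . 's9y-private';

// require_once so the same definitions are not pulled in twice during bootstrap.
require_once s9y_private_config_path($privateDir, $webRoot);
```

On the filesystem side the directory should be readable by the webserver user but not writable by it (for example owned by root, group set to the webserver's group, file mode 0640), so a compromise of the web process can read the credentials it needs but cannot rewrite the config. Keep a copy of the original in-webroot file path noted somewhere, because an s9y upgrade that rewrites the bootstrap file will need this edit reapplied.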
