Yesterday, news sources and blogs announced that WordPress blogs hosted by Network Solutions were being hacked. The website owners’ credentials were stolen, and then the sites were used to redirect thousands of visitors to websites that distributed malware. Apparently, WordPress’ configuration file, called wp-config.php, stores the user’s database password in plain text. Even still, attackers would not have access to the file if the right permissions are set. The hacked sites had configuration files that were readable by the outside world, including site visitors.
Because the attack exploits user error rather than an actual bug in the WordPress code, it is important to make sure that yours or your customers’ WordPress-based sites are secure. The first thing you can do is to chmod wp-config.php to 640, which means any outside site visitors will be completely denied.
chmod 650 wp-config.php
The second is to deny access using your .htaccess file, since no one who accesses the webserver will actually need access to the file under any circumstances.
# to protect wp-config.php
deny from all
That is essentially all it takes and is actually more than is probably necessary to keep everything secure.
Warning: Some web hosting providers provide automated scripts to install WordPress for you. Do not assume that those installations are automatically secure.
Photo Source: Wikimedia Commons