Apache2 serves all files in the WordPress directory tree. Did I misconfigure it?

0

First I noticed that if I go to http://example.org/wp-config.php, it gives me an empty page instead of a 404 error. I tested it with another file - wp-config-example.php, and it gave me a page with the following text: "Error establishing a database connection". So it definitely just executed that PHP script. If I go to http://example.org/wp-content/themes/TheFox/screenshot.png, apache2 serves me that file.

This seems very dangerous to me. I didn't know about it for some time and kept a .sql backup of the whole WordPress database in the WordPress directory - anyone could've downloaded it.

I've just configured apache2 with <Directory /path/to/wordpress/dir/>, and it worked, so I thought everything's done right, but now I am in doubt.

CrabMan

Posted 2016-02-19T15:16:58.830

Reputation: 168

Unless they knew the file name or could guess it existed and the name you chose for the file, they shouldn't have been able to download it. I.e., they shouldn't have been able to see an index of every file in the directory showing every file name within the directory. – moonpoint – 2016-02-19T16:10:03.023

Answers

0

You are correct that anyone could have downloaded your backup file, but the behavior you describe is normal. Apache has to be able to "see" and serve files in WP in order for WP to work. The way you have it is correct for a WP installation.

Dave

Posted 2016-02-19T15:16:58.830

Reputation: 230
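The thread's distinction between files that are executed (wp-config.php) and files that are handed out as-is (screenshot.png, the .sql backup) can be checked on disk. The following is an added example, not code from the question or the answer: a small audit that walks a document root and lists files a client could download raw. It assumes the PHP handler is bound only to names ending in `.php`, and the list of risky suffixes is constructed for illustration.

```python
"""Audit a web document root for files Apache would hand out as raw downloads."""
import os
import sys

# Assumption: the PHP handler matches only names ending in ".php", so every
# other file under the document root is sent to the client byte-for-byte.
EXECUTED_SUFFIXES = (".php",)
# Constructed list: suffixes that usually mean dumps, archives or editor backups.
RISKY_SUFFIXES = (".sql", ".sql.gz", ".bak", ".old", ".orig", ".swp", "~",
                  ".zip", ".tar", ".tar.gz", ".tgz")


def classify(name):
    """Return 'executed', 'exposed' or 'static' for one file name."""
    lower = name.lower()
    if lower.endswith(EXECUTED_SUFFIXES):
        return "executed"   # client sees the script's output, never its source
    if lower.endswith(RISKY_SUFFIXES):
        return "exposed"    # client receives the raw bytes (dump, backup copy)
    return "static"         # ordinary assets such as screenshot.png


def audit(docroot):
    """Walk docroot and return the sorted relative paths of exposed files."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if classify(name) == "exposed":
                full = os.path.join(dirpath, name)
                rel = os.path.relpath(full, docroot)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)


if __name__ == "__main__":
    # Usage: python audit_docroot.py /path/to/wordpress/dir/
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path in audit(root):
        print("downloadable:", path)
```

A copy such as `wp-config.php.bak` or `wp-config.php~` is flagged because it no longer ends in `.php`, so under the stated assumption it is served as text rather than executed.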