[Security] wp-config.php visibility on Azure Cloud

Dec 2, 2011 at 8:10 AM

Hey Ben,

 

I think this is a question for you. On Unix after a successful WordPress installation the Permissions for wp-config.php are set to 0600 from 0604.

The 4 at the end means that the world can read the file and zero means the world can't even see this file for security reasons.

Since this file has plain text passwords, its very important to secure it so that the outside can't read it.

How does the scaffolding solve this issue on the cloud?  Are the permissions set in IIS via a post script to make sure this file is non-accessible?

 

Many Thanks,

Houman

Editor
Dec 2, 2011 at 5:56 PM

Houman,

Have you tried going directly to that file in the URL bar of your browser? You should get a blank page. This is handled by PHP and IIS automatically for you because the file runs through the PHP interpreter. Anything inside the <?php ?> will not be shown to the world unless you echo it or disable the PHP interpreter.

Additionally (and this can be controversial), the filesystem permissions are not important to protect the file from outside writes. This is because IIS does not allow arbitrary file writes externally. The specific file permissions come into play when others have access inside your server (Remote Desktop, etc), though if a hacker gets in your file permissions will probably be of secondary importance ;)

Cheers,
Ben

Dec 7, 2011 at 11:43 PM

Many Thanks for the explanation.  It makes sense.

The only last great protection would be to obfuscate the database credentials inside wp-config.php file.  Is there no way to encrypt it so that it wont be plain readable by the user when the file is physically opened?

In .NET you can encrypt the database credentials in web.config, which comes very handy if you don't want your developers to know the production DB credentials etc.

 

Cheers,

Houman

 

Editor
Dec 8, 2011 at 1:42 AM

Houman,

If you use the parts from the WordPress scaffold your credentials will be stored in the service configuration file. That removes the password from your file completely and puts it into the protection of Windows Azure.

Ben

Dec 8, 2011 at 7:45 AM
Edited Dec 8, 2011 at 7:59 AM

Hi Ben,

 

I just have RDP into my VM and can't confirm it.

Please see the screenshot I have taken from wp-config.php under E:\approot

 

Credentials are all over the place. So a developer with access to RDP would read the credentials of the production database.
Maybe I have done something wrong?

 

Thanks for your advice mate,

Houman 

Editor
Dec 8, 2011 at 5:00 PM

Houman,

There is nothing "wrong" with your setup. That is the normal way WordPress is set to run. If you scroll further down you will see the else section of that conditional. If you only use the code from that else section when running in Windows Azure the devs will not see your credentials in the wp-config.php file, only references to the service configuration file, which they will not have access to change unless they have access to the Portal.

Why so much concern over your developers seeing the credentials? Seems that if they are not trustworthy with that information they should not be on the project.

Ben

Dec 8, 2011 at 8:01 PM

Hey Ben,

 

Well, in .NET world this is actually a common concept not having passwords in plain anywhere hardcoded, but rather encrypted.

http://blogs.msdn.com/b/sqlazure/archive/2010/09/07/10058942.aspx

http://social.technet.microsoft.com/wiki/contents/articles/sql-azure-connection-security.aspx#create_aspnet

It is not so much that I didn't trust my developers. It is about having the risk of compromising customers data to as low as possible.

It is generally not a great idea having production passwords lying around like that. In no single financial environment is this allowed. Passwords can be copy and pasted and send mistakenly by email. Without noticing the data could be compromised. It is a risk that can't allowed by auditors. :)

Thanks for your tip with the conditional. Indeed the first part is only hardcoded for the localhost.  I could just remove it, however if its not removed already in the package, the moment the VM is rebootet (and this happens often automatically) the whole state of the file would go to the initial state. I wonder could I change this already within the scafolder? Life changing a PHP file not to produce this localhost bit of the conditional? Or is it completely driven by Wordpress and there is no chance to disable this?

Many Thanks,

Houman

Dec 8, 2011 at 10:12 PM

I just have found out its far simpler than i thought.

 

After running the Scaffold but before packaging simply go to WordPress\build\WordPress\WebRole and update wp-config.php.

There its enough to delete the first part of condition.  Now there won't be any plain text passwords in the config file anymore.

Sofar I have tested it without any side effects. Thats now a bullet proof security. :) 

 

Houman