A site that I manage was recently compromised, and I am going through the steps to harden and re-secure the site. I would like to change the MySQL database password and want to make sure I do not take the site down (for more than a minute).
I am also concerned that if I manually change the database password directly in the wp-config.php file that it will be visible and un-encrypted. For example, if my initial password at install was "please" it would display in the wp-config.php file as "aDQps4txy".
So what is the best way to go about updating the database password?
Asked Nov 24, 2014 at 16:05 by MagRat; edited Nov 21, 2019 at 20:43 by Peter Mortensen.
3 Answers
This is technically challenging. WordPress must have access to your DB password in plain text. Having access to the wp-config.php contents is already a breach of security in progress.
There are alternate approaches to configuration, such as loading credentials via environment variables, but in practice they are used exceedingly rarely because PHP's configuration file is a reasonable solution already.
It's not clear why you assume someone will get access to the configuration file. As a low-hanging fruit, you can place it outside of the web accessible directory. WordPress will scan for the configuration file up one directory level above itself. For subdirectory installs, you could use require to load configuration content from elsewhere, but even that is rarely done.
Your actual DB password is stored unencrypted in the wp-config.php, i.e., if your password is foobar, the corresponding line in wp-config.php is:
/** MySQL database password */
define('DB_PASSWORD', 'foobar');
As @Rarst pointed out:
Having access to wp-config.php contents is already a breach of security in progress.
This is because PHP is a hypertext preprocessor. Anyone who accesses wp-config.php via their web browser will have the file routed through the server-side PHP interpreter. The interpreter passes only those data onto the client (the web browser) that it has been instructed to output. The DB password is not outputted by PHP. When I access my wp-config.php through my browser, I get an empty page with no source code at all because this file does not output anything at all.
However, it is not true that having the DB password stored unencrypted is completely risk-free. Anyone who gets the chance to bypass the PHP interpreter and hence read the file's source will gain access to your password. This is also what @Rarst meant. To be clear, this can also be a man-in-the-middle who is eavesdropping on your unencrypted FTP connection. The moment you download wp-config.php through an insecure FTP connection (in contrast to an encrypted SFTP connection) in order to edit it and re-upload it again to your server, the possibility of your password being spied on does exist.
The easiest way to prevent most attacks is to keep your server up-to-date through security updates and to ensure you always use secure protocols (HTTP/FTP over TLS = HTTPS/FTPS instead of HTTP/FTP, alternatively SFTP, and SSH instead of Telnet) when dealing with sensitive data, i.e. when acting as administrator.
Read more on https://codex.wordpress/Hardening_WordPress.
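The define line shown above is what has to change when the password is rotated, and the question asks how to do that without taking the site down. The script below is an added example, not code from the thread or from WordPress: it generates a new password, emits the MySQL ALTER USER statement, and rewrites the DB_PASSWORD line with an atomic rename so PHP never reads a half-written config. The wp-config.php path, DB user, DB host and the availability of a privileged mysql client session are assumptions.

```shell
# Added example, not from the thread. Assumed: wp-config.php path, DB user and
# host are passed in; rotate_password needs a root MySQL client session.
set -eu

# 32 random alphanumerics: no quoting issues inside PHP or SQL single quotes.
gen_password() {
  head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-32
}

# Current DB_PASSWORD value from a wp-config.php (handles both
# define('DB_PASSWORD', 'x'); and define( 'DB_PASSWORD', 'x' ); layouts).
get_wp_password() {
  sed -nE "s/^define\( *'DB_PASSWORD', *'([^']*)' *\);.*/\1/p" "$1"
}

# Rewrite the DB_PASSWORD line, then swap the file in with a rename so a
# concurrent PHP request sees either the old or the new file, never a partial
# one; cp -p keeps the original file mode on the temporary copy.
set_wp_password() {
  config="$1"; newpass="$2"
  tmp="$(mktemp "${config}.XXXXXX")"
  cp -p "$config" "$tmp"
  sed -E "s/^define\( *'DB_PASSWORD', *'[^']*' *\);/define('DB_PASSWORD', '${newpass}');/" \
    "$config" > "$tmp"
  mv -f "$tmp" "$config"
}

# SQL that changes the account password (MySQL 5.7.6+ / MariaDB 10.2+ syntax).
# With retain=1 (MySQL 8.0.14+ dual passwords) the old password keeps working
# until ALTER USER ... DISCARD OLD PASSWORD, so the site never fails a login.
alter_user_sql() {
  user="$1"; host="$2"; newpass="$3"; retain="${4:-0}"
  sql="ALTER USER '${user}'@'${host}' IDENTIFIED BY '${newpass}'"
  if [ "$retain" = 1 ]; then sql="${sql} RETAIN CURRENT PASSWORD"; fi
  printf '%s;' "$sql"
}

# Orchestration: change MySQL first, then the config immediately afterwards.
# Without dual passwords the site fails DB auth only between these two steps.
rotate_password() {
  config="$1"; user="$2"; host="$3"
  newpass="$(gen_password)"
  mysql -u root -p -e "$(alter_user_sql "$user" "$host" "$newpass")"
  set_wp_password "$config" "$newpass"
  echo "rotated; new password written to ${config}"
}
```

Run it over an SSH session rather than FTP, for the reasons given in the answer above, and keep the old password until you have confirmed the site loads.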
One way this stuff can be exposed without CLI access is if the PHP module in Apache is absent or broken for whatever reason. In that case, it just dumps the raw PHP. I've not tested this recently; this was a few years ago. But it is not cool.
Technically, since WordPress is open source, you can just do something like this:
// PHP's backtick operator runs the command (like shell_exec()); it must not sit inside a quoted string,
// and trim() drops the trailing newline that echo and base64 leave on the decoded value.
define('DB_PASSWORD', trim(`cat /etc/wp_db_pass | base64 -d`));
to create a safer place for the WordPress password file. In this example I'm assuming you created the password like so:
echo 'mypassword' | base64 > /etc/wp_db_pass
However, if you don't have commandline access you might be able to do something similar over FTP.