Hey, thanks for the updates.
I want to say I think the “Config Constants” plugin is a really bad idea from a security standpoint, much like the “phpmyadmin” plugin is.
That is way too much power/control with a high likelihood of being abused. It’s also completely unnecessary since changes to the wp-config almost never happen after a secure install, and if changes do need to be made they are easily and swiftly done via SFTP or SSH (I purposely left out FTP since it’s completely insecure).
I will say I have not reviewed the coding of the “Config Constants” plugin, so maybe it is written securely, but still, wow! It’s a clever idea, sure... but a Pandora’s box. Any moderately secure WP site would never keep the wp-config file in the root anyway, since it can and should be moved out of reach. The wp-config is, after all, the heart and soul of the WP site.
I’m pretty adamant about this (security), because I have new clients who come to me all the time who have been hacked. It is a common thing, and the size or social standing of your website is irrelevant, it happens to the best of sites.
In 80% of all the cases (I have worked with), the infiltrations occurred for two reasons only. One, poor/insecure installation, and two, a free-for-all with the plugins on the site, the owners not realizing that just because a plugin works, saves you time, or appears cool does not mean the coding is up to par, sanitized properly, or secure.
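The "move wp-config out of the root" step the commenter mentions, as an added example that is not part of the original comment: a small POSIX shell helper that reports where a site's wp-config.php lives and relocates it one level above the document root, the location WordPress's own wp-load.php falls back to when the file is absent from the install directory and the parent directory is not itself a WordPress install. The `public_html` path is a constructed throwaway layout for the demo.

```shell
#!/bin/sh
# Added example, not the commenter's or WordPress's code. wp-load.php looks for
# wp-config.php in ABSPATH first, then in the parent directory, but only if that
# parent holds no wp-settings.php (otherwise it would be another WP install).

# Print where wp-config.php sits relative to the given document root:
# "inside-webroot", "outside-webroot" or "missing".
wp_config_location() {
    docroot=$1
    parent=$(dirname "$docroot")
    if [ -f "$docroot/wp-config.php" ]; then
        echo "inside-webroot"
    elif [ -f "$parent/wp-config.php" ] && [ ! -f "$parent/wp-settings.php" ]; then
        echo "outside-webroot"
    else
        echo "missing"
    fi
}

# Move wp-config.php one level above the document root and restrict its mode so
# only the owner and the web server's group can read it. Refuses to act when the
# parent is itself a WordPress root, because WordPress would not look there.
wp_config_harden() {
    docroot=$1
    parent=$(dirname "$docroot")
    if [ -f "$parent/wp-settings.php" ]; then
        echo "parent directory is a WordPress root; not moving" >&2
        return 1
    fi
    if [ ! -f "$docroot/wp-config.php" ]; then
        echo "no wp-config.php in $docroot" >&2
        return 1
    fi
    mv "$docroot/wp-config.php" "$parent/wp-config.php"
    chmod 0640 "$parent/wp-config.php"
}

# Demo on a constructed layout: <tmp>/public_html stands in for the real webroot.
demo_root=$(mktemp -d)/public_html
mkdir -p "$demo_root"
printf '<?php // constructed stand-in for a real wp-config\n' > "$demo_root/wp-config.php"
echo "before: $(wp_config_location "$demo_root")"
wp_config_harden "$demo_root"
echo "after:  $(wp_config_location "$demo_root")"
```

After the move, the file sits above the document root, so a misconfigured server that serves PHP sources as plain text, or a directory-traversal bug confined to the webroot, no longer exposes the database credentials and salts.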
James began using WordPress in 2004. Being new to WordPress (and blogging in general), he quickly found the WordPress Support Forums and basically never left. James currently resides in sunny Southern California, where he enjoys bringing happiness to millions of WordPress.com users.