File and Folder Access Check - Checking if configuration.php is outside of public html

There are several ways to protect such sensitive files from public access, but most of them are impractical. A good way to protect your configuration.php file is simply to move it to a non-public folder. However, note that this isn't a simple copy and paste operation: certain modifications have to be made. Below we provide step by step instructions on how to achieve this.


Step 1: Move configuration.php to a safe directory outside of public_html.

Step 2: You will have to modify the /includes/defines.php and /administrator/includes/defines.php files, more precisely, this constant:

define( 'JPATH_CONFIGURATION',   JPATH_ROOT );

If, for example you wish to move the file up one level and into a folder named "test" the constant will look like this:

define('JPATH_CONFIGURATION', JPATH_ROOT . DIRECTORY_SEPARATOR .'..'. DIRECTORY_SEPARATOR . 'test');

Step 3: Make sure the configuration.php is not writable at all, so that it can not be overridden by com_config.

Step 4: If you need to change configuration settings, do it manually in the relocated configuration.php.
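As an added example (not part of the original article and not Joomla's own code), the following stand-alone PHP script performs the check this article is about after Steps 1 to 4 have been carried out: the resolved JPATH_CONFIGURATION directory must not sit under the document root, and the relocated configuration.php must not be writable. The two paths at the bottom are placeholders and the "test" folder name follows the article's example.

```php
<?php
// Added example, not from the original article or from Joomla.
// $publicHtml stands for the web server's document root (JPATH_ROOT) and
// $configDir for the value given to JPATH_CONFIGURATION in both defines.php files.

function checkConfigurationLocation(string $publicHtml, string $configDir): array
{
    $problems = [];
    $root = realpath($publicHtml);
    $dir  = realpath($configDir);
    if ($root === false) {
        return ['document root does not exist: ' . $publicHtml];
    }
    if ($dir === false) {
        return ['JPATH_CONFIGURATION directory does not exist: ' . $configDir];
    }
    $file = $dir . DIRECTORY_SEPARATOR . 'configuration.php';

    // Step 1: after resolving "..", the directory must not be public_html itself
    // or anything below it. Trailing separators stop /www/public_html2 from
    // matching /www/public_html.
    if (strpos($dir . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) === 0) {
        $problems[] = 'configuration.php is still inside public_html: ' . $file;
    }
    if (!is_file($file)) {
        $problems[] = 'configuration.php not found at ' . $file;
        return $problems;
    }

    // Step 3: the file must not be writable, so com_config cannot overwrite it.
    // is_writable() covers the PHP process; the mode bits catch any write bit.
    if (is_writable($file)) {
        $problems[] = 'configuration.php is writable by the PHP process';
    }
    if (fileperms($file) & 0222) {
        $problems[] = sprintf('configuration.php has write bits set: %o', fileperms($file) & 0777);
    }
    return $problems;
}

// Placeholder paths for this example; adjust to your own layout.
$publicHtml = '/var/www/example/public_html';
$configDir  = $publicHtml . DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR . 'test';

$problems = checkConfigurationLocation($publicHtml, $configDir);
if ($problems === []) {
    echo "OK: configuration.php is outside public_html and not writable\n";
} else {
    foreach ($problems as $p) {
        echo "WARNING: $p\n";
    }
}
```

Run it from the command line as the same user the web server runs PHP under, otherwise the is_writable() result will not reflect what com_config can do.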

Note:

Using this method, even if the web server somehow delivers the contents of PHP files, for example due to a misconfiguration, nobody can see the contents of the real configuration file. Taking into consideration the downside of not being able to adjust the global settings from the administrator interface, it is still a good method of protecting against malicious attacks.
