#13349 configuration.php protection

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Wednesday, 22 August 2012 02:56 CDT

user67498
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? Yes
Have I searched the tickets before posting? Yes
Have I read the documentation before posting (which pages?)? Yes
Joomla! version: (2.5.6)
PHP version: (unknown)
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: (unknown)

Description of my issue:

Hi,

Do you suggest moving configuration.php outside of the public_html folder, as described in the following guide?

1. Move configuration.php to a safe directory outside of public_html and rename it whatever you want. We use the name joomla.conf in this example.
2. Create a new configuration.php file containing only the following code:
<?php
require( dirname( __FILE__ ) . '/../joomla.conf' );
?>

nicholas
Akeeba Staff
Manager
Hello Giannis,

No, I consider this unnecessary and bad advice. It makes no sense, and I will tell you why.

Joomla! can read the information in the file. If it couldn't, it wouldn't work. If a hacker finds a vulnerability which allows him to dump Joomla! configuration variables, he can dump them just fine.

If a hacker manages to install a C99 or similar script on your site (which allows him to view and edit files), it's quite trivial to open the configuration.php file, read it, see the real location of the configuration data and read the data just fine. If he's using an automated hacking script, it's equally easy to include the file and get a dump of all configuration variables.

Therefore this advice is snake oil security: it claims to improve your security but does nothing. It's like wearing a cardboard "bulletproof" vest. It won't stop any bullet, but it will give you a false sense of security, ending up getting you killed rather than protecting you.

Moreover, moving the configuration.php outside your site's root will cause a site restoration with Akeeba Backup to lose all your configuration settings, or even cause a restoration failure. Akeeba Backup expects to read the configuration.php file. Since it doesn't contain the configuration but tries to require() a file in an upper level, if that file doesn't exist the restoration will crash.

My advice: don't move the configuration.php file. Any non-lobotomised hacker can overcome that rudimentary measure in 10 seconds at worst.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
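The restoration failure described in the reply (a configuration.php that only require()s a file kept outside the site root, which is absent after a restore) can be caught before restoring. The following pre-restoration check is an added example, not Akeeba's or Joomla!'s code; the function name, the report keys and the temporary sample file are assumptions of this example.

```php
<?php
// Added example (not Akeeba's code): flag a Joomla! configuration.php that is a
// require()/include() stub instead of a real config. A genuine file declares
// class JConfig itself; a stub only pulls in a file from elsewhere, which is the
// layout the ticket asks about. Function name and report keys are assumptions.

function checkConfigurationPhp(string $path): array
{
    $report = [
        'defines_jconfig'   => false, // true when class JConfig is declared in this file
        'includes_external' => [],    // string literals passed to require/include
        'missing_includes'  => [],    // included paths that do not resolve on disk
        'self_contained'    => false, // safe to restore: declares JConfig, includes nothing
    ];

    $source = file_get_contents($path);
    if ($source === false) {
        throw new RuntimeException("Cannot read $path");
    }

    $report['defines_jconfig'] = (bool) preg_match('/\bclass\s+JConfig\b/', $source);

    // require/include[_once] of a quoted path, optionally prefixed by
    // dirname(__FILE__) . or __DIR__ . as in the two-line stub from the ticket.
    $pattern = '/\b(?:require|include)(?:_once)?\s*\(?\s*'
             . '(?:(?:dirname\s*\(\s*__FILE__\s*\)|__DIR__)\s*\.\s*)?'
             . '[\'"]([^\'"]+)[\'"]/i';
    if (preg_match_all($pattern, $source, $matches)) {
        foreach ($matches[1] as $included) {
            $report['includes_external'][] = $included;
            // Resolve relative to configuration.php, exactly as the stub would.
            $candidate = dirname($path) . '/' . ltrim($included, '/');
            if (!is_file($candidate)) {
                $report['missing_includes'][] = $included;
            }
        }
    }

    $report['self_contained'] = $report['defines_jconfig'] && $report['includes_external'] === [];
    return $report;
}

// Constructed sample: the stub from the ticket, written to a temporary directory
// with no joomla.conf one level up, i.e. the state after a restore.
$dir = sys_get_temp_dir() . '/cfgcheck_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/configuration.php", "<?php\nrequire( dirname( __FILE__ ) . '/../joomla.conf' );\n?>\n");
print_r(checkConfigurationPhp("$dir/configuration.php"));
unlink("$dir/configuration.php");
rmdir($dir);
```

A report with `self_contained` false and a non-empty `missing_includes` list means the backup would carry a configuration.php that cannot load its settings on the restored host.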
