Be careful with backups of config.php

One big security hole that is all too common with Moodle is to take a backup of the config.php file and give it a non-php extension e.g. config.php.bak.

What this usually does is leave the file visible for viewing by anyone that visits that url e.g.

Because the file is not a PHP script, it will be rendered in plain text by the browser, and therefore expose any sensistive information in config.php like your database name, database user and password!

So if you need to back up your config.php file before editing make sure you put that backup outside of the public web server directory!
No Comments
Back to top