Storing files outside a publicly accessible directory
04-04-2008, 01:24 PM
Skilled Talker

Posts: 88
Location: Savannah, GA
I have some friends who use WordPress and have asked me for my opinion on keeping it secure between updates. My recommendations are standard: only allow specific IPs via .htaccess, etc.

Although I came across this mental challenge: one friend pointed out a blog where the writer recommended storing your database username and password outside a publicly accessible area. For example, if your config file is /home/www/public_html/wp-config.php, you should remove the variables for username and password, place them into /home/www/wp-config-unseen.php, and reference them using an include statement from wp-config.php.

Now I get the logic if wp-config.php could be seen naked; however, if the vulnerability is from a variable leak then this would offer no protection.

Is there something I am missing? What good can this do? Is there a PHP hack that would allow you to see an unprocessed file?

Thanks
-Mike
__________________
-Mike
-www.bldware.com
Posted by mgarde
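The layout described in the post above, written out as an added example (not part of the original thread and not WordPress's own code). The two paths are the ones given in the post and DB_USER / DB_PASSWORD are WordPress's standard constants; the path guard, the error settings and the credential values are assumptions of this sketch.

```php
<?php
// File: /home/www/public_html/wp-config.php (path from the post above).
// Added example: the credentials live in /home/www/wp-config-unseen.php,
// one level above the web root, which is assumed to contain only:
//     <?php
//     define('DB_USER', 'example_user');          // constructed value
//     define('DB_PASSWORD', 'example_password');  // constructed value

// Send PHP errors to the log rather than the browser, so a failed include
// or database connection does not echo paths or account names to visitors.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Resolve symlinks and ".." so the comparison below is made on real paths.
$docroot = realpath(__DIR__);
$secrets = realpath(dirname(__DIR__) . '/wp-config-unseen.php');

// Fail closed if the file is missing, or if a symlink or a later move has
// put it back under the publicly served directory.
$insideDocroot = $secrets !== false
    && strpos($secrets, $docroot . DIRECTORY_SEPARATOR) === 0;
if ($secrets === false || $insideDocroot) {
    error_log('wp-config: credentials file missing or inside the web root');
    http_response_code(500);
    exit;
}

require $secrets;

// Refuse to continue with a half-loaded configuration.
if (!defined('DB_USER') || !defined('DB_PASSWORD')) {
    error_log('wp-config: credentials file did not define DB_USER/DB_PASSWORD');
    http_response_code(500);
    exit;
}

// The remaining wp-config.php settings (DB_NAME, DB_HOST, keys, table prefix
// and the final require of wp-settings.php) follow here unchanged.
```

This layout only covers the case where the web server hands out the .php file as plain text; anyone who can read files as the site's user, or read the constants from running PHP code, still sees the credentials.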
 
04-04-2008, 04:04 PM Re: Storing files outside a publicly accessible directory
Novice Talker

Posts: 12
Not that I know of. Perhaps if PHP were printing errors to the browser and they could cause an error on that line somehow?
Posted by awatson
 
04-04-2008, 04:46 PM Re: Storing files outside a publicly accessible directory
King Spam Talker

Posts: 1,053
I see no real advantage; maybe I am wrong.

In the event there is a connection error only the username will be revealed to the browser. The password info will be yes if it was used and no if it wasn't.

Storing the files outside of public will not prevent anyone who gains access via FTP or the control panel from seeing, copying or downloading the file.
Posted by colbyt
 