Question

I read the following tutorial, which mentions moving your config file out of an HTTP-accessible folder.

http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

I did this, and it works fine. And when I visit http://mysite.com/wp-config.php, I see a blank page, as expected. However, when I visit http://mysite.com/wp-settings.php, I receive the following error:

Warning: require(ABSPATHwp-includes/load.php) [function.require]: failed to open stream: No such file or directory in /home/{my user name}/mysite.com/wp-settings.php on line 19

Fatal error: require() [function.require]: Failed opening required 'ABSPATHwp-includes/load.php' (include_path='.:/usr/local/lib/php:/usr/local/php5/lib/pear') in /home/{my user name}/mysite.com/wp-settings.php on line 19

I'm new to WordPress and PHP, but not new to programming. Obviously, having my shell user's name output to the web if someone were to hit my wp-settings file is a no-no.

So, can you have your config file out of the web directory, as I have here, without files like wp-settings resulting in sensitive information leaked to the screen? Am I going about this all wrong?

Solution

Hm, core WP files usually die properly if opened directly. It probably slipped the developers' minds to include a check in this one or something.

The simple ways to fix this (and not really WP-specific) would be to:

  • configure PHP on the server to not display errors by default;
  • restrict access to the file with .htaccess or other means.
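
Both fixes as a single `.htaccess` for the WordPress directory. This is an added example, not part of the original answer; it assumes Apache 2.4 with `AllowOverride` permitting these directives, and the PHP module name in the `IfModule` test is an assumption.

```apache
# Added example, not from the original answer.

# 1) Refuse direct HTTP requests for wp-settings.php. WordPress loads this
#    file with require from wp-config.php, which is a filesystem read, so
#    blocking web access to it does not affect the site.
<Files "wp-settings.php">
    Require all denied
    # Apache 2.2 equivalent:
    #   Order allow,deny
    #   Deny from all
</Files>

# 2) Stop PHP from printing warnings (and the filesystem path they contain)
#    into the response; keep them in the server-side log instead.
#    php_flag only works when PHP runs as an Apache module. The module name
#    below is an assumption and differs between PHP versions.
<IfModule mod_php5.c>
    php_flag display_errors off
    php_flag log_errors on
</IfModule>
# When PHP runs as CGI/FastCGI, set the same values in php.ini or .user.ini:
#   display_errors = Off
#   log_errors = On
```

Turning errors off from inside `wp-config.php` does not cover this case: a direct request for `wp-settings.php` never loads `wp-config.php`, which is also why `ABSPATH` appears as a literal string in the error above.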
License: CC-BY-SA with attribution
Not affiliated with wordpress.stackexchange