Funny email from a reader, that I figured would make a good post:
This is a funny redirect. I get one or two visits a day from teenage gangsters trying to enter my server by checking if a wp-config-file exists that is no longer the newest version. I got best panic results by linking to the Russian IT-Counter-intelligence Agency.
NOTE: You should NOT use this if you are ACTUALLY using WordPress. Also, I updated it to the FBI since that Russian site went down.
Redirect 301 /wp-config.php http://www.fbi.gov/
This is such a funny prank. Well done!
I have got to use this one. Brilliant idea!
Funny : )
404 error ?
How about linking to something like:
or a non-existing :
That is an awesome redirect! Serves them right!
I’m going to use this!
Love the idea..
but looks like http://svr.gov.ru/honeyd is no longer there …
or.. at least 404ed today 09.22.2009
I got the same thing.
I don’t understand the note at the top:
“NOTE: You should NOT use this if you are ACTUALLY using WordPress.”
Can I use this on my wordpress blog?
If not, why?
Because if you ARE using wordpress, it needs to access that wp-config file in order to work, not be redirected away.
Of course it does, but PHP loads the file (any include for that matter) locally, right from the file system. Apache has nothing to do with that. It’s no problem to use this even if you do run WordPress.
Besides, wp-config.php should never be accessible from inside the document root anyway.
Sorry, bit of a late reply, but I just had to say something. Far too often made mistake. ;-)
Chris what do you mean by “if you are ACTUALLY using WordPress”? Wouldn’t the only people using this snippet be WordPress users, and therefore people ACTUALLY using WordPress, making this snippet useless then? I’m confused. Could you please give me an example of someone not ACTUALLY using WordPress and someone ACTUALLY using WordPress?
I’m confused about how this is confusing ;)
“Actually” using WordPress means downloading and installing WordPress on your server and building your site with it. If you do that, don’t use this. If you don’t do that, that means you aren’t using WordPress, and can use this cheezy snippet to mess with kiddy hackers who might assume that you are (running WordPress) and are trying to hack you by accessing that file.
СВР (SVR) – Foreign Intelligence Service
SO GOOD, thx.
Uhahaha! Wonderful trick :D
Show those hackers what’s upppp
I think I’ll send them to http://www.projecthoneypot.org.
so who is correct??????
“NOTE: You should NOT use this if you are ACTUALLY using WordPress”
or Colin Helvensteijn
“Of course it does, but PHP loads the file (any include for that matter) locally, right from the file system. Apache has nothing to do with that. It’s no problem to use this even if you do run WordPress.”
I would also like to know who is correct.
It’s very easy:
WordPress works via PHP and can use the wp-config.php file.
That’s how PHP works.
So, WordPress can use the wp-config.php file without any problem.
A surfer tries to view (via Explorer, Firefox etc.) the wp-config.php (http://www.domain.com/wp-config.php) THEN he will be redirected via this funny trick.
Haha I like this, I think I’m deff going to add that to my .htaccess =)
Just found this and I think it’s awesome. I’ve always wanted to do something like this.
In my robots file I have some fake entries too and I often see people going to them.
Now I’m going to redirect them to http://www.fbi.gov/scams-safety/registry
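The decoy requests mentioned in this comment and in the post (the redirected /wp-config.php, fake robots.txt entries) can be counted per client from the access log. This is an added example, not code from the post or from any commenter; it assumes Apache's combined log format, and the two decoy directory names and all log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# The post's redirected file plus two hypothetical fake robots.txt entries.
DECOYS = ("/wp-config.php", "/old-admin/", "/private-backup/")

# Assumed Apache "combined" format: host ident user [time] "METHOD target proto" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def normalize(target):
    """Drop the query string, percent-decode, lowercase, collapse repeated slashes."""
    path = unquote(target.split("?", 1)[0]).lower()
    return re.sub(r"/{2,}", "/", path)

def is_decoy(path):
    """Exact match for files; prefix match for decoys written as directories."""
    return any(path == d or (d.endswith("/") and path.startswith(d)) for d in DECOYS)

def decoy_hits(lines):
    """Map client IP -> request count, decoy paths seen and status codes returned."""
    hits = defaultdict(lambda: {"count": 0, "paths": set(), "statuses": set()})
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, _method, target, status = m.groups()
        path = normalize(target)
        if is_decoy(path):
            hits[ip]["count"] += 1
            hits[ip]["paths"].add(path)
            hits[ip]["statuses"].add(int(status))
    return dict(hits)

def answered_with_2xx(hits):
    """Clients whose decoy request got a 2xx instead of a redirect or an error."""
    return sorted(ip for ip, h in hits.items() if any(200 <= s < 300 for s in h["statuses"]))

# Constructed sample lines (documentation address ranges), not from a real log.
SAMPLE = [
    '203.0.113.7 - - [22/Sep/2009:10:01:02 +0000] "GET /wp-config.php HTTP/1.1" 301 235 "-" "curl/7.19"',
    '203.0.113.7 - - [22/Sep/2009:10:01:05 +0000] "GET /WP-Config.php?x=1 HTTP/1.1" 404 210 "-" "curl/7.19"',
    '198.51.100.23 - - [22/Sep/2009:11:15:40 +0000] "GET /old-admin/login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Sep/2009:11:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [22/Sep/2009:12:00:00 +0000] "GET /%77p-config.php HTTP/1.0" 301 235 "-" "-"',
]

if __name__ == "__main__":
    print(decoy_hits(SAMPLE))
```

A 2xx on a decoy path means the server answered with content instead of the redirect, which is worth checking by hand.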
Phahahha :D good idea! :D
This is very well done! I love the humor! I’ll be adding this to my WordPress Site.
Thanks very much for this! I’ve added as well.
Now you have got me confused! Help!
I am learning how to setup a WordPress site using your 3 episode series.
How do I protect my site against hackers?
If I wrote my website from scratch on Coda, then is there any way to do this?
I think the best protection of wp-config file is to put it on the parent directory of www or public_html as WP still knows where to get it from but it’s not accessible through the frontpage.
I’ve got the best idea:
Some more possible re-direct locations:
One thing – why 301? Why give “power” to the redirect location? Why not just do a normal redirect? ;)
Ha ha, very good one, I did something similar with my wireless network. I named it after a very famous devastating virus online, so if you want to hack my wireless, you may want to think twice!
Okay. This is rather late of a reply, but oh what the hell. In case someone can’t figure out what the above says, I’ll break it down. …Not that I’d know just why you would be doing web development if you can’t understand this basic instruction here.
This is a prank. It is a joke. It is intended to fool people who THINK you use WordPress. Sure, it will work if you still run WordPress, but you will cause issues when your server accesses that specific file.
Makes sense? Sweet. If not…. Maybe you shouldn’t be trying web development. Or take a few English classes. Or hell – learn WordPress if you can’t infer why this might be a bad move to implement on a WordPress-powered site.
I really don’t understand why I can’t use this on WordPress site…
When and where does WordPress make an HTTP request to wp-config.php?!
It is included in PHP, and PHP doesn’t care about .htaccess, Apache, etc.
Or are you saying that if I redirect all my users to the WWW prefix of my site (forcing WWW in the domain, maybe for SEO), PHP will include files from a WWW directory or some other directory? I don’t think so :)
I would presume the comment not to use is based on the fact that most often people would not know how to access their config in several different ways. Personally I SSH to my server so thumbs up to this prank :)
This is awesome. Thanks Chris!
Chris, why have you said that you should not actually use this if you have WP?
If you have a look at the PHP code for WP, you see that it includes the wp-config.php file, as it should. It does not make a web request then eval the response – that would be dangerous. It would also be the only way for this htaccess prank to affect WP.
The file is loaded using the file system which is not affected by htaccess. Therefore, this is completely safe for use in WP environments. But don’t take my word for it, give it a go yourself.
It would be even funnier to redirect to a goatse… If you don’t know what a goatse is, don’t look it up unless you’ve got a really strong stomach and sick/twisted sense of humour!
So to anyone wondering about the comments vis-à-vis:
Chris perhaps was assuming the apache server would deny itself access to wp-config.php via a 301 redirect set in htaccess. This makes no sense because php running on a server doesn’t make TCP/IP requests to itself on the same local machine. The set of php files do their thing and allow access to the database, and this separation is what protects said DB.
In fact, this is often used to bolster the security of WordPress’s database-password-containing wp-config.php file:
PHP compiles on the server, “pre-processed” before any hypertext access (or “htaccess”). The name PHP itself is a nerdy inside joke in that the acronym itself was pre-processed, since it’s supposed to stand for “pre-processed hypertext”, which would ordinarily be “PPH”.