Comment

A Tour De Force! Bokanté + Michael League + Metropole Orkest, "Maison en Feu" (House on Fire)

49
Charles11/24/2020 5:42:12 pm PST

Only way that config file should have been visible on the internet is if their server wasn’t properly set up to serve PHP files at some point.

That actually happened to LGF once, back in the Jurassic Era, when our web host upgraded PHP and MySQL and forgot to configure Apache for PHP files. All the code for the site was exposed for a few short minutes. I remember sending a panicked email to them about it.

But not any passwords. Those were always stored outside the web root. It’s a real flaw in Wordpress that they locate a file with critical passwords in a web-accessible directory.