[Developer]

Non-encrypted configuration.php

This is Quiz From Someone to developers team here we go

Quote:

Hey.

I just have a small question which ive been wondering about for a while.

Why is it the passwords in the configuration.php aint md5/hash etc. encrypted, and is it possible to get them encrypted with the standard joomla 1.5.* setup ?

I have had some hack issues, and it seemed they gained their knowledge from the configuration.php file, i know it might be stupid its located within the www root, but still, to me it would seem rather easy to make joomla use encrypted information for that section, and all im asking is a reason or an answer to why it isnt.

Im not that deep into the entire joomla framework, and this aint a bunch of whine, just pure "i want to know" to gain more knowledge about joomla as a whole, and how it works.

Kind regards, iPoul

and here da answer guys

<div class="postbody">IF you are really concerned, and IF you host on LAMP that allows "Options Override" you might be able to make use of the following in your .htaccess file. BUT this is basically security by obscurity and has already been acheived by Joomla! safety mechanisms in place.

<b>Code:

PHP Code:

<Files ~ "configuration.php">
    Order allow,deny
    Deny from all
</Files>


Placed at the bottom of your current Joomla! .htaccess file.