
WordPress base configuration files on GitHub - ishener
https://github.com/search?utf8=%E2%9C%93&q=filename%3Awp-config.php+&type=Code&ref=searchresults
======
brightball
At what point do developers get criticized/held responsible for using public
repositories for private websites? I get it, people like github but when you
can get a private repo on bitbucket for free there's no excuse for this.

~~~
n0us
or just a bare repo on your server. I personally don't see the appeal of
Github for private projects at all.

~~~
bdcravens
Many hosted solutions integrate with private Github (OpsWorks, Codeship,
CircleCI, CodeClimate, and many more).

------
mahouse
150,000,000+ database passwords, of which 99.9999%+ are from local development
servers.

~~~
mattgibson
Excluding localhost and some obvious cases where the values are in a local
config file still leaves around 111,000:

[https://github.com/search?p=1&q=filename%3Awp-config.php+DB_...](https://github.com/search?p=1&q=filename%3Awp-config.php+DB_HOST++NOT+localhost+NOT+127.0.0.1+NOT+getenv%28%27DB_HOST%27%29+NOT+%24_ENV%5B%27DB_HOST%27%5D+NOT+%24env%5B%27db_host%27%5D&ref=searchresults&type=Code&utf8=%E2%9C%93)

~~~
onion2k
localhost in the case of Wordpress just means the database is running on the
same machine as the web server. Practically every WP instance is set up that
way.

~~~
panopticon
> localhost in the case of Wordpress

Uh, the concept of localhost is not unique to Wordpress in the slightest.

~~~
erikb
That's not what he meant. What he meant was reading that the database is on
localhost doesn't mean it's a development system. Many production instances of
Wordpress run the database on the same host. Therefore localhost can also mean
production. That might not be true for other services, but for Wordpress
that's common. This is what he meant.

------
pp19dd
Hmm. If you alter the search to "filename:wp-config.php FTP_PASS" you start
getting some that look like ... legit. For those who don't know, WordPress has
some level of access to hosting server via FTP, for upgrades and plugin
installs.

Pertinent config globals are FTP_BASE, FTP_CONTENT_DIR, FTP_PLUGIN_DIR,
FTP_PUBKEY, FTP_PRIKEY, and of course, FTP_USER, FTP_PASS, FTP_HOST.
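
The two searches above (mattgibson's DB_HOST filter that excludes localhost and getenv()/$_ENV lookups, and the FTP_* constants listed here) can be turned into a local triage step once a file has been pulled down. The following is an added example in Python, not code from this thread or from WordPress: it extracts define() lines from a wp-config.php, tells quoted literals apart from environment lookups, and rates the file by whether the DB is reachable from elsewhere and whether FTP or salt values are hard-coded. The three sample configs are constructed; hostnames and passwords in them are placeholders.

```python
"""Classify what a wp-config.php would leak if it were pushed to a public repo.

Added example, not code from the thread or from WordPress. It extracts
define('NAME', <expr>) lines and distinguishes quoted literals from
getenv()/$_ENV lookups, the same distinction the GitHub search above
approximates with "NOT getenv" / "NOT $_ENV".
"""
import re

# The second argument is captured raw so a quoted literal can be told apart from
# getenv('X') or $_ENV['X']. The lazy match stops at the first ");", so a literal
# that itself contains ");" would be cut short (rare; accepted here as a caveat).
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Za-z_]+)['"]\s*,\s*(?P<expr>.+?)\s*\)\s*;"""
)
LITERAL_RE = re.compile(r"""^(['"])(?P<val>.*)\1$""")

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
FTP_SECRETS = {"FTP_PASS", "FTP_PRIKEY"}
SALT_KEYS = {"AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"}
SECRET_KEYS = {"DB_PASSWORD"} | FTP_SECRETS | SALT_KEYS
PLACEHOLDER = "put your unique phrase here"  # value shipped in wp-config-sample.php


def parse_defines(php_source):
    """Return {NAME: raw expression} for every define() in the file."""
    return {m.group("name"): m.group("expr").strip()
            for m in DEFINE_RE.finditer(php_source)}


def literal_value(expr):
    """Unwrap a quoted literal; None for getenv()/$_ENV lookups or constants."""
    m = LITERAL_RE.match(expr)
    return m.group("val") if m else None


def is_local_host(host):
    """True for localhost/loopback, with or without a ':port' or ':socket' suffix."""
    host = host.strip().lower()
    return host in LOCAL_HOSTS or host.split(":", 1)[0] in LOCAL_HOSTS


def assess(php_source):
    """Classify the secrets in one wp-config.php.

    severity: high   = usable from anywhere (hard-coded FTP creds, or DB creds
                       for a host that is not loopback)
              medium = hard-coded secrets but DB on localhost (still possibly
                       production, as the thread notes, but not reachable directly)
              low    = nothing literal in the file
    """
    defines = parse_defines(php_source)
    host = literal_value(defines.get("DB_HOST", ""))
    hardcoded, env_sourced = [], []
    for key in sorted(SECRET_KEYS):
        if key not in defines:
            continue
        val = literal_value(defines[key])
        if val is None:
            env_sourced.append(key)        # getenv()/$_ENV: nothing in the file
        elif val and val != PLACEHOLDER:
            hardcoded.append(key)          # a real-looking literal secret
    remote_db = host is not None and not is_local_host(host)
    if any(k in hardcoded for k in FTP_SECRETS) or (remote_db and "DB_PASSWORD" in hardcoded):
        severity = "high"
    elif hardcoded:
        severity = "medium"
    else:
        severity = "low"
    return {"db_host": host, "remote_db": remote_db, "hardcoded": hardcoded,
            "env_sourced": env_sourced, "severity": severity}


# Constructed samples (placeholder hosts and passwords, not real sites).
REMOTE_HARDCODED = """<?php
define('DB_NAME', 'shop');
define('DB_USER', 'shop_rw');
define('DB_PASSWORD', 'example-only-not-real');
define('DB_HOST', 'db1.shop.example.net');
define('FTP_HOST', 'shop.example.net');
define('FTP_USER', 'deploy');
define('FTP_PASS', 'p@ss12');
define('AUTH_KEY', 'put your unique phrase here');
"""
LOCAL_HARDCODED = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'example-only-not-real');
define('DB_HOST', 'localhost:3306');
"""
ENV_SOURCED = """<?php
define('DB_NAME', getenv('DB_NAME'));
define('DB_USER', getenv('DB_USER'));
define('DB_PASSWORD', getenv('DB_PASSWORD'));
define('DB_HOST', $_ENV['DB_HOST']);
define('AUTH_KEY', 'put your unique phrase here');
"""

if __name__ == "__main__":
    for label, src in [("remote", REMOTE_HARDCODED), ("local", LOCAL_HARDCODED),
                       ("env", ENV_SOURCED)]:
        print(label, assess(src))
```

The "medium" tier is deliberate: as the localhost sub-thread points out, a loopback DB_HOST does not mean a development box, so a literal DB_PASSWORD there is still a production secret, just not one that can be used from outside without first landing on the host.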

~~~
waffl
In a similar vein, things like this
[https://github.com/search?utf8=%E2%9C%93&q=filename%3Aid_rsa...](https://github.com/search?utf8=%E2%9C%93&q=filename%3Aid_rsa&type=Code&ref=searchresults)
are also why passwording your private keys is very important. Tons of these
keys (why are people committing these to public repositories??) aren't
passworded. It astounds me that someone has the technical knowledge to create
an ssh key/pair, commit to github, and manage to send their unencrypted
private key off into the public sphere.
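
Whether a leaked key is passphrase-protected can be read off its headers without any crypto library. The following is an added example in Python, not code from this thread or from OpenSSH: it checks the Proc-Type line of a traditional PEM key, the BEGIN line of a PKCS#8 key, and the cipher name stored in the OpenSSH-format preamble, and then lists the keys anyone could use as-is. The sample keys are constructed with dummy bodies; the OpenSSH ones reproduce only the preamble layout, not real key material.

```python
"""Tell whether a private key file is passphrase-protected, from its headers only.

Added example, not code from the thread or from OpenSSH.
"""
import base64
import struct


def read_ssh_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (n,) = struct.unpack(">I", buf[offset:offset + 4])
    return buf[offset + 4:offset + 4 + n], offset + 4 + n


def key_protection(text):
    """Return (format, encrypted); encrypted is None when this is not a private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        return "unknown", None
    header = lines[0]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # Body layout: "openssh-key-v1\0" | ciphername | kdfname | kdfoptions | nkeys ...
        # An unencrypted key stores the cipher name "none".
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            return "openssh", None
        cipher, _ = read_ssh_string(body, len(magic))
        return "openssh", cipher != b"none"
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "pkcs8", True
    if header == "-----BEGIN PRIVATE KEY-----":
        return "pkcs8", False
    if header.endswith(" PRIVATE KEY-----"):          # RSA/DSA/EC traditional PEM
        encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:])
        return "pem", encrypted
    return "unknown", None


def unprotected_keys(files):
    """files: iterable of (path, text). Returns the paths holding usable-as-is keys."""
    return [path for path, text in files if key_protection(text)[1] is False]


def ssh_string(b):
    return struct.pack(">I", len(b)) + b


def fake_openssh_key(cipher, kdf):
    """Constructed OpenSSH-format key: real preamble layout, dummy key material."""
    body = (b"openssh-key-v1\x00" + ssh_string(cipher) + ssh_string(kdf)
            + ssh_string(b"") + struct.pack(">I", 1) + b"\x00" * 32)
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + wrapped
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples; the PEM bodies are dummies, not real key material.
PEM_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAK0000000000000000000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----
"""
PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

MIIBOgIBAAJBAK0000000000000000000000000000000000000000000000000000
-----END RSA PRIVATE KEY-----
"""
OPENSSH_PLAIN = fake_openssh_key(b"none", b"none")
OPENSSH_ENCRYPTED = fake_openssh_key(b"aes256-ctr", b"bcrypt")

if __name__ == "__main__":
    sample = [("id_rsa", PEM_PLAIN), ("id_rsa.enc", PEM_ENCRYPTED),
              ("id_ed25519", OPENSSH_PLAIN), ("id_ed25519.enc", OPENSSH_ENCRYPTED)]
    for path, text in sample:
        print(path, key_protection(text))
    print("unprotected:", unprotected_keys(sample))
```

Run over a checkout, this is the same test a scraper of the id_rsa search results would apply; the point of the passphrase is that a key which fails it is only as exposed as the passphrase, not immediately usable.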

------
chrisxcross
1500 Results on Google:
[https://www.google.com/search?q=%22define%28+%27DB_PASSWORD%...](https://www.google.com/search?q=%22define%28+%27DB_PASSWORD%27%22++inurl%3A%22wp-config.php%22+filetype%3Aphp)

~~~
userbinator
Does anyone else get a CAPTCHA on the next search after browsing through those
results?

~~~
kiproping
I got it too. I think it's flagged because some people crawl Google with those
search terms looking for vulnerable systems.

------
eterm
.net equivalent:

[https://github.com/search?utf8=%E2%9C%93&q=filename%3Aweb.co...](https://github.com/search?utf8=%E2%9C%93&q=filename%3Aweb.config+connectionString+password&type=Code&ref=searchresults)

------
chayesfss
Thought it was going to be template stuff for a min, clicked on the first one
and saw `/** MySQL database password */ define('DB_PASSWORD',
'JasxkvpY72KKCdttdBqt');`

------
efriese
There are also salts/hashes in many of these configs...not such a great place
to store those =)

------
captn3m0
Another one I posted about some time ago is FileZilla config files. Found lots
of FTP servers with their passwords in the FileZilla config files committed on
GitHub. [0]

[0]:
[https://www.google.co.in/search?q=inurl%3Afilezilla+inurl%3A...](https://www.google.co.in/search?q=inurl%3Afilezilla+inurl%3Axml+site%3Agithub.com#q=inurl:filezilla+inurl:xml+site:github.com+-checker+%22%3CPass%3E%22)

------
getdavidhiggins
"Passwords" in the title is a bit misleading. Most of these are staging files
with little or no sensitive information there. However there is the odd bit of
interesting data there if you look hard enough.

GitHub search is an untapped resource, just like Algolia Search is on
Hacker News. In fact I have largely replaced my Google searches with these ones
for more refined and curated results.

~~~
erikb
What do you mean by staging files? What is not sensitive about the username and
password of the database?

~~~
getdavidhiggins
Well a Wordpress production site is a rare and precious thing to find on
Github. There are some that exist, but then even if I do find it:

1.) Password will be changed

2.) Possible honeypot

3.) Boring site is boring. No need to hack it. Not popular enough

Same goes for other databases on there. An enormous amount of cruft to wade
through to get anything remotely juicy/interesting. And the same heuristics
apply above: is it really so great that I logged into a boring MYSQL database
that is probably being monitored and has nothing interesting in there in the
first place?

------
red_admiral
Apart from putting your wp-config on github, it's also a terrible idea to use
short passwords like 'p@ss12' for a database password that will be sent from
one machine/program to another most of the time - such passwords should at the
very least look like 'jm0Y/ZGjxYZay2yraskQ5AbZ8Qe0r0pRVDdnEkaIvHU', computers
can remember strings that long and developers can copy-paste if it's stored in
a file already.

------
JosephRedfern
A majority of these results aren't actually wp-config.php files. If you sort
by date indexed, you'll see that the results include all manner of files.

    filename:"wp-config.php" "define('DB_NAME'," extension:php

seems to give better results

------
dataker
Just as bad, I see many developers leaving their Rails app with production
secret key.

It just takes more time.

------
edpichler
Security experts, I have a question: if a database server only allows
connections from a whitelist (trusted IPs), is exposing database passwords in a
Git repository still a problem?

~~~
dragonwriter
In any case where _having_ passwords is relevant to security rather than just
a hindrance to usability, exposing passwords is a security problem. If
exposing a password isn't a security problem, you shouldn't require a password
in the first place.

~~~
brown
"Defense in depth" is a commonly accepted security principle that suggests
otherwise:

[https://en.wikipedia.org/wiki/Defense_in_depth_(computing)](https://en.wikipedia.org/wiki/Defense_in_depth_\(computing\))

~~~
dragonwriter
> "Defense in depth" is a commonly accepted security principle

Indeed.

> that suggests otherwise:

Except that it does no such thing. If you have passwords for defense in depth,
they both exist for security reasons and it is a security problem to expose
them (because you've just _eliminated_ part of your depth.)

Defense in depth means that the problems of any one layer being violated are
_mitigated_ by additional layers of security, it doesn't mean it suddenly
_ceases_ to be a security problem if one of your measures is compromised. It
just reduces the likely _immediate severity_ of such a compromise, providing a
greater chance of being able to effectively address it before it leads to an
actual breach.

------
anda-polito
UNLOQ.io increases the security of your digital properties through a
distributed authentication system that doesn’t require your users to remember
any passwords.

------
blackbeard
This is one reason we don't use cloud-based source code hosting. All it takes
is one idiot fork or an accident and wham, code everywhere.

------
brewcore
It's a good case for private repos, but an even better case for not committing
passwords to a repository in the first place.

~~~
toxican
I don't even bother committing any part of wordpress core. I just commit the
wp-content directory because unless you're a mad man, you shouldn't be
modifying anything outside of that directory. First rule of WordPress is don't
touch core! wp-config is definitely an exception, but better safe than sorry
to avoid issues like this.
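
Both points above (keep secrets out of the repository altogether, and keep wp-config.php out of the commit even when wp-content goes in) can be enforced at commit time rather than remembered. The following is an added pre-commit hook in Python, not code from this thread or from WordPress or git. It refuses a commit when a staged path is one of the credential files named in this thread (wp-config.php, id_rsa, FileZilla's sitemanager.xml, Rails' config/secrets.yml) or when staged content matches the .NET connection-string, FileZilla password or private-key patterns also mentioned here. The allowed template suffixes and the deny lists are my own choices; install it as .git/hooks/pre-commit and make it executable.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse to commit files that carry credentials.

Added example, not code from the thread or from any project. Pure functions
(path_violation, content_violation, check) do the deciding; staged_files()
is the only part that talks to git.
"""
import re
import subprocess
import sys

# Files that exist only to hold credentials; template variants are allowed.
DENY_BASENAMES = {"wp-config.php", ".env", "id_rsa", "id_dsa", "id_ecdsa",
                  "id_ed25519", "sitemanager.xml", "recentservers.xml"}
DENY_PATHS = {"config/secrets.yml"}           # Rails production secret_key_base
ALLOW_SUFFIXES = ("-sample.php", ".example", ".dist", ".pub")

# Content patterns for files whose name alone says nothing (web.config, xml dumps).
CONTENT_RULES = [
    ("web.config connection string carrying a password",
     re.compile(r'connectionString="[^"]*password=', re.I)),
    ("FileZilla stored password", re.compile(r'<Pass(?:\s+encoding="[^"]*")?>')),
    ("private key material", re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")),
]


def path_violation(path):
    """Reason to refuse this path, or None. Templates such as wp-config-sample.php pass."""
    norm = "/" + path.replace("\\", "/")
    base = norm.rsplit("/", 1)[-1]
    if base.endswith(ALLOW_SUFFIXES):
        return None
    if base in DENY_BASENAMES:
        return f"{base} is a credentials file"
    for deny in DENY_PATHS:
        if norm.endswith("/" + deny):
            return f"{deny} holds the production secret"
    return None


def content_violation(text):
    """Reason to refuse this content, or None."""
    for reason, rx in CONTENT_RULES:
        if rx.search(text):
            return reason
    return None


def check(staged):
    """staged: list of (path, content). Returns [(path, reason)] that block the commit."""
    problems = []
    for path, text in staged:
        reason = path_violation(path) or content_violation(text)
        if reason:
            problems.append((path, reason))
    return problems


def staged_files():
    """Yield (path, staged content) for added/modified files; runtime only."""
    out = subprocess.run(["git", "diff", "--cached", "--name-only", "--diff-filter=AM"],
                         check=True, capture_output=True, text=True).stdout
    for path in out.splitlines():
        blob = subprocess.run(["git", "show", f":{path}"],
                              check=True, capture_output=True).stdout
        yield path, blob.decode("utf-8", errors="replace")


if __name__ == "__main__":
    problems = check(list(staged_files()))
    for path, reason in problems:
        print(f"refusing to commit {path}: {reason}", file=sys.stderr)
    sys.exit(1 if problems else 0)
```

The content is read with `git show :path` rather than from the working tree so that what is checked is exactly what would be committed. A hook like this is a local safety net only; anyone can skip it with `--no-verify`, so the real fix is still loading secrets from the environment or a file outside the repository.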

------
ErikAugust
I've found something else in WordPress with this simple search method that I'd
argue is worse.

------
nadams
You do know that you can play the same game with other languages as well?

[https://github.com/search?utf8=%E2%9C%93&q=filename%3Asettin...](https://github.com/search?utf8=%E2%9C%93&q=filename%3Asettings.py+mysql&type=Code&ref=searchresults)

I feel like people don't accept the fact that people do stupid stuff in other
languages.

~~~
mjolk
I think you're being oversensitive about PHP.

Wordpress, and by extension, its predictably-named settings file, is an easy
search-target because it's very popular among novice/new developers.

~~~
nadams
> I think you're being oversensitive about PHP.

I'm just tired of seeing the same search on github for PHP config files.

> its predictably-named settings file

So does every other popular application and framework on the planet. This
isn't something specific to wordpress - we can play this game all day with
different applications, frameworks, and languages.

[https://github.com/search?q=mysql+user&type=Code&utf8=%E2%9C...](https://github.com/search?q=mysql+user&type=Code&utf8=%E2%9C%93)

------
mondainx
I found this search more interesting than someone pushing their wp-config to a
repo; also warning, some are nsfw
[https://github.com/search?p=100&q=filename%3Atits.jpg+&ref=s...](https://github.com/search?p=100&q=filename%3Atits.jpg+&ref=searchresults&type=Code&utf8=%E2%9C%93)

~~~
danielsamuels
That link is a great example to demonstrate how much Github search sucks now.
You've explicitly searched for filenames of "tits.jpg", but it's showing you a
complete mishmash of different files.

~~~
mondainx
I was surprised that it worked at all; I assumed some filtering would kill it
right away.

------
aikah
What is there to say... developers, don't dump your projects in GitHub
public repositories... use Bitbucket and free private repos if you can't
afford to pay, FOR GOD'S SAKE!!!

How many of them use the same credentials for their email? Facebook?
Twitter? For their AWS account? This is a nightmare.

------
bdcravens
The first few repos I peeked at were several years since their last commit.

------
z92
Which is why I don't use any database password if the database is listening on
localhost only, which is the case most of the time.

~~~
cubehouse
I don't think this is a good idea, even if the database is just listening to
localhost. Say a malicious script gets uploaded to the machine, it will be
able to dump the entire database without any need to seek out credentials.

~~~
degenerate
Agree... it's better to still have credentials, but _ALSO_ only listen
locally. At least that way the credentials need to be found first!

------
bussiere
Is there a way to scrape this? Is there an API for GitHub search?

Regards

------
tvvocold
That's why I am using [https://Coding.net](https://Coding.net) (Chinese only),
a Chinese startup that provides free and unlimited private repository hosting
with lots of features like code review, custom domains, WebIDE... Go
private, guys!

