/etc/nginx/common/wpcommon.conf why protecting wp-config.txt?

So you have code on that file:

 # Disable wp-config.txt
location = /wp-config.txt {
  deny all;
  access_log off;
  log_not_found off;

What’s the purpose of that? I think it should be wp-config.php?

It’s because backup tools or plugins have been known to save a copy of your wp-config.php as wp-config.txt. If this is the case, an attacker could read your WordPress credentials after carrying out a trivial scan.

1 Like