wordpress · Check
WordPress setup-config accessible — sealing the database configuration endpoint
GET `/wp-admin/setup-config.php` returned 200 with the WordPress configuration page. This endpoint should never be reachable in production: it lets a caller configure or reconfigure the database connection that powers the entire site.
Why it matters
Setup endpoints are often left in place after manual migrations. If they reach the public, an attacker can rewrite `wp-config.php` to point at their own database, effectively swapping out the entire site.
Real-world risk
The setup-config endpoint lets a caller (re)configure the database connection that powers the site. If it's reachable in production, an attacker can swap the backing database out from under you.
Fix steps (in order)
- Block /wp-admin/setup-config.php at your webserver or CDN (return 404 or 403).
- Remove the file from the production filesystem; it's only needed during initial setup.
- Audit your deploy automation so setup files are excluded from production builds.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (wp_setup_config_accessible) clears once the externally-observable signal is in place.