Title: Idea: block "wp-config.php" in QUERY_STRING
Last modified: August 24, 2016

---

# Idea: block "wp-config.php" in QUERY_STRING

 *  Resolved [Vlada Smitka](https://wordpress.org/support/users/smitka/)
 * (@smitka)
 * [11 years ago](https://wordpress.org/support/topic/idea-block-wp-configphp-in-query_string/)
 * Hackers often want to download wp-config.php in case of an LFI vulnerability (local
   file inclusion).
 * e.g. Slider Revolution exploit:
    admin-ajax.php?action=some_action&img=../wp-config.php
 * It may be a good idea to block the string “wp-config.php” in the $query_string_string.
 * I am not aware of any consequences, I block these queries on all my servers.
 * [https://wordpress.org/plugins/block-bad-queries/](https://wordpress.org/plugins/block-bad-queries/)
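
The check proposed in the post above, sketched as an added example that is not code from this thread or from the BBQ plugin. The function name and the sample query strings are constructed for illustration; the sketch percent-decodes the raw query string before matching, so encoded and mixed-case spellings of the filename are caught by the same rule.

```php
<?php
// Added illustration. query_string_names_wp_config() is a hypothetical
// helper, not part of WordPress or of the BBQ plugin.

/**
 * Return true when a raw query string names wp-config.php, including
 * percent-encoded, double-encoded and mixed-case spellings.
 */
function query_string_names_wp_config(string $raw_query): bool
{
    $decoded = $raw_query;
    // Decode a bounded number of times so that input such as %252E is
    // reduced to the form the application may eventually act on.
    for ($i = 0; $i < 3; $i++) {
        $next = rawurldecode($decoded);
        if ($next === $decoded) {
            break;
        }
        $decoded = $next;
    }
    // Case-insensitive match: some filesystems ignore case in file names.
    return stripos($decoded, 'wp-config.php') !== false;
}

// Constructed sample query strings mapped to the expected decision.
$samples = [
    'action=some_action&img=../wp-config.php'         => true,
    'action=some_action&img=..%2Fwp%2Dconfig%2Ephp'   => true,
    'action=some_action&img=..%252Fwp-config%252Ephp' => true,
    'action=some_action&img=../WP-Config.PHP'         => true,
    's=how+to+edit+wp-config'                         => false,
    'page=2&orderby=date'                             => false,
];

foreach ($samples as $query => $expected) {
    $hit = query_string_names_wp_config($query);
    if ($hit !== $expected) {
        throw new RuntimeException("unexpected result for: $query");
    }
    printf("%-50s %s\n", $query, $hit ? 'BLOCK' : 'allow');
}

// In a web request, refuse the request early when the rule matches.
if (PHP_SAPI !== 'cli'
    && query_string_names_wp_config($_SERVER['QUERY_STRING'] ?? '')) {
    http_response_code(403);
    exit;
}
```

A rule like this inspects only the query string, so the same parameter sent in a POST body is not covered, and a legitimate request whose query contains the literal filename (for example a site search for it) is refused as well.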

Viewing 4 replies - 1 through 4 (of 4 total)

 *  Plugin Contributor [Julio Potier](https://wordpress.org/support/users/juliobox/)
 * (@juliobox)
 * [11 years ago](https://wordpress.org/support/topic/idea-block-wp-configphp-in-query_string/#post-6171132)
 * Yep, I admit this file has nothing to do in a URL.
    Thanks for your support!!
 *  Plugin Author [Jeff Starr](https://wordpress.org/support/users/specialk/)
 * (@specialk)
 * [11 years ago](https://wordpress.org/support/topic/idea-block-wp-configphp-in-query_string/#post-6171206)
 * Thanks for the idea, and just FYI you can block that string plus any other strings
   you see fit with the addons provided at Perishable Press:
 * [https://perishablepress.com/bbq-whitelist-blacklist/](https://perishablepress.com/bbq-whitelist-blacklist/)
 *  Thread Starter [Vlada Smitka](https://wordpress.org/support/users/smitka/)
 * (@smitka)
 * [11 years ago](https://wordpress.org/support/topic/idea-block-wp-configphp-in-query_string/#post-6171224)
 * I noticed the possibility to use hooks in your plugin.
 * So I made a simple GUI interface to manage blacklists and whitelists from WP admin.
   It is based on your small addons.
 * [https://github.com/LyntServices/bbq-gui](https://github.com/LyntServices/bbq-gui)
 *  Plugin Author [Jeff Starr](https://wordpress.org/support/users/specialk/)
 * (@specialk)
 * [10 years, 11 months ago](https://wordpress.org/support/topic/idea-block-wp-configphp-in-query_string/#post-6171383)
 * This is done in version 20150624 🙂

 * 4 replies
 * 3 participants
 * Last reply from: [Jeff Starr](https://wordpress.org/support/users/specialk/)
 * Last activity: [10 years, 11 months ago](https://wordpress.org/support/topic/idea-block-wp-configphp-in-query_string/#post-6171383)
 * Status: resolved