Secure Your WordPress Config with DotEnv

The twelve-factor app is a methodology for building and deploying software on the cloud that is based on research by employees of the Heroku hosting platform. It’s designed to help developers keep their code isolated and set up in a way that minimizes risk. Number three on this list is to store the config in the environment, because “configuration varies substantially across deploys; code does not.”
Vance Lucas created a PHP package named dotenv to address this concern. It lets you put this configuration in a text file whose entries are turned into environment variables, which means you can keep all your credentials outside of version control and never have to expose them.
One of the major benefits of using this package is that you do not have to edit your virtual hosts or .htaccess. Vance says, “It’s WAY easier than all the other ways you know of to set environment variables, and you’re going to love it.”
I started a brand new project with WordPress and decided to implement this package to keep the credentials out of my wp-config.php, and here is how you can implement it too.
Download and Setup WordPress
The first step is to download and install WordPress on your local machine. Here is how I set up my directory structure:
- site.com/
- site.com/public/
All of the WordPress files are placed in this public directory, and the virtual host has that directory set up as the document root. Keeping everything else in site.com/ means the vendor directory and the .env file are never served by the web server.
From here you can go through the typical WordPress setup wizard and have it create your database, fill out wp-config.php, and set everything up.
Install PHP dotenv
PHP dotenv is a composer package, which means you will need composer installed on your machine. The composer website has installation instructions if you do not have it set up.
Next, create a composer.json file, either by running composer init from the site.com directory or by writing the file manually. Here is mine as an example:
{
    "name": "ericlbarnes/wp",
    "require": {
        "vlucas/phpdotenv": "^2.2"
    },
    "authors": [
        {
            "name": "Eric L. Barnes",
            "email": "me@mysite.com"
        }
    ]
}
Next, from the terminal, run composer install. It will create a ./vendor directory in site.com/ and pull in the vlucas/phpdotenv package.
Modify wp-config
The final step is to modify the wp-config.php file and set up the dotenv class.
<?php
// Composer's autoloader lives in site.com/vendor/, one level above public/.
require_once(__DIR__ . '/../vendor/autoload.php');
// Load site.com/.env into the environment so getenv() can read each value.
(new \Dotenv\Dotenv(__DIR__.'/../'))->load();
This tells the dotenv package to load the .env file from the directory one level above wp-config.php, which is site.com/ and therefore outside the document root.
Next, create a file named .env and include the following:
DB_NAME=wordpress
DB_USER=homestead
DB_PASSWORD=secret
DB_HOST=localhost
DB_PREFIX=wp_
Now you can go through each constant in wp-config.php and replace its hard-coded value with the environment variable.
define('DB_NAME', getenv('DB_NAME'));
define('DB_USER', getenv('DB_USER'));
define('DB_PASSWORD', getenv('DB_PASSWORD'));
define('DB_HOST', getenv('DB_HOST'));
Of course, these are just a few to get you started, but you are free to add any others that would benefit your setup.
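Here is the full head of a wp-config.php that pulls the three steps above together. This is an added example, not code from the post or from the phpdotenv project: it uses the same site.com/public layout and the same DB_* variable names as the post, but the helper functions env_value() and env_bool(), the DB_CHARSET and WP_DEBUG variables, and the use of the post's naming convention for the WordPress salts are my assumptions. It also adds the two checks a practitioner wants here: it refuses to boot when a required variable is missing or empty (phpdotenv 2.x ships a validator for this), and it parses booleans explicitly, because getenv() returns the string "false", which PHP treats as true.

```php
<?php
// Added example (not from the original post): a fuller wp-config.php head
// that loads .env with vlucas/phpdotenv 2.x, fails fast when a required
// variable is missing, and handles the non-string settings WordPress expects.
// Assumes the post's layout: site.com/public/wp-config.php with composer's
// vendor/ directory and the .env file one level above, in site.com/.

require_once __DIR__ . '/../vendor/autoload.php';

$dotenv = new \Dotenv\Dotenv(__DIR__ . '/../');
$dotenv->load();

// Refuse to boot with a half-filled .env instead of silently connecting
// with empty credentials; the validator throws when a value is missing or empty.
$dotenv->required(['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST'])->notEmpty();

/**
 * Hypothetical helper: read an environment variable with an optional default.
 * getenv() returns false (not null) when a variable is unset.
 */
function env_value($name, $default = null)
{
    $value = getenv($name);
    return ($value === false || $value === '') ? $default : $value;
}

/**
 * Hypothetical helper: interpret the usual textual spellings of a boolean.
 * Without this, WP_DEBUG=false would enable debugging, because the
 * non-empty string "false" is truthy in PHP.
 */
function env_bool($name, $default = false)
{
    $value = getenv($name);
    if ($value === false) {
        return $default;
    }
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

define('DB_NAME',     env_value('DB_NAME'));
define('DB_USER',     env_value('DB_USER'));
define('DB_PASSWORD', env_value('DB_PASSWORD'));
define('DB_HOST',     env_value('DB_HOST', 'localhost'));
define('DB_CHARSET',  env_value('DB_CHARSET', 'utf8mb4'));
define('DB_COLLATE',  '');

// WordPress reads the table prefix from a variable, not a constant.
$table_prefix = env_value('DB_PREFIX', 'wp_');

// The unique keys and salts are credentials too, so they belong in .env rather
// than in version control. Using the constant names as .env keys is an assumption.
// When a constant is left undefined, WordPress falls back to salts it stores
// in the database, so only define the ones that are actually set.
$saltNames = ['AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
              'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT'];
foreach ($saltNames as $saltName) {
    $salt = env_value($saltName);
    if ($salt !== null) {
        define($saltName, $salt);
    }
}

// Debug output must stay off in production; drive it from the environment
// rather than editing the file on the server.
define('WP_DEBUG', env_bool('WP_DEBUG', false));
define('WP_DEBUG_DISPLAY', env_bool('WP_DEBUG_DISPLAY', false));

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

With this in place a missing DB_PASSWORD produces an immediate exception on every request instead of a login failure deep inside WordPress, which is the behaviour you want when a freshly deployed .env is incomplete.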
To deploy this to production, SSH into your server and create the .env file manually with the correct details; after that you are safe to deploy as you normally would.
With all of this in place, if you ever mistakenly make your git repository public, or share access with a third party, your server credentials are safe.
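The promise in that last paragraph only holds if the hand-created .env stays out of the document root, out of git, and readable only by the deploying user. The following command-line script is an added example, not part of the post or the phpdotenv project, that verifies exactly those conditions before a deploy. It assumes the post's layout (site.com/ holding composer.json, vendor/, .env and the public/ document root) and assumes it is saved as site.com/env-check.php; run it with php env-check.php. The .gitignore check is a defence the post does not mention but relies on.

```php
<?php
// Added example (not from the original post): pre-deploy check for the
// hand-written .env file. Assumes site.com/ as the project root, with public/
// as the document root and this script saved as site.com/env-check.php.

require_once __DIR__ . '/vendor/autoload.php';

$root     = __DIR__;
$envFile  = $root . '/.env';
$docRoot  = $root . '/public';
$problems = [];

// 1. The file must exist exactly where wp-config.php will look for it.
if (!is_file($envFile)) {
    $problems[] = ".env not found at $envFile";
}

// 2. It must not be reachable through the web server: a .env inside the
//    document root is served as plain text unless the server is told otherwise.
if (is_file($docRoot . '/.env')) {
    $problems[] = 'a .env file exists inside the document root (public/)';
}

// 3. Only the deploying user should be able to read it (mode 600).
if (is_file($envFile) && (fileperms($envFile) & 0077) !== 0) {
    $problems[] = sprintf(
        '.env is readable by group/others (mode %o); run chmod 600 .env',
        fileperms($envFile) & 0777
    );
}

// 4. It must be ignored by git, otherwise "credentials outside version
//    control" lasts only until the next careless `git add .`.
$gitignore = $root . '/.gitignore';
$ignored   = is_file($gitignore)
    && count(array_intersect(['.env', '/.env'], array_map('trim', file($gitignore)))) > 0;
if (!$ignored) {
    $problems[] = '.env is not listed in .gitignore';
}

// 5. The values WordPress needs must be present and non-empty; reuse the
//    same phpdotenv validator wp-config.php would run, so the two agree.
if (is_file($envFile)) {
    try {
        $dotenv = new \Dotenv\Dotenv($root);
        $dotenv->load();
        $dotenv->required(['DB_NAME', 'DB_USER', 'DB_PASSWORD', 'DB_HOST'])->notEmpty();
    } catch (\Exception $e) {
        $problems[] = 'validation failed: ' . $e->getMessage();
    }
}

if ($problems !== []) {
    fwrite(STDERR, "Deployment check FAILED:\n - " . implode("\n - ", $problems) . "\n");
    exit(1);
}

echo "Deployment check passed.\n";
exit(0);
```

Because it exits non-zero on any problem, the script slots into a deploy script or CI job as a gate, so a forgotten chmod or a .env that crept into public/ stops the deploy rather than going live.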