I've installed Pligg using DreamHost's one-click install. I have a shared hosting account.
Right now anybody can view my settings.php file (i.e. example.com/settings.php). It gives a nice error message in the browser window with the entire /home path, so people can then see the DreamHost server I'm installed on and also my SFTP login. So they have everything they need to log in to DreamHost, apart from my password, which they could theoretically brute-force, or they could exploit a security hole in the various DreamHost login methods (web panel, FTP, SSH, etc.).
The Pligg instructions say to change the permissions of settings.php but that's useless in my case because I'm on shared hosting and (to the best of my knowledge) ownerships/permissions don't work that way. All files are owned by my username. Making permissions restrictive to just me (not group or others) makes no difference--files still appear in the browser window.
The questions are:
1) Is there any way of changing references to settings.php in Pligg's config files so I can use a different filename? This offers security by obfuscation, which isn't ideal, but is better than right now.
2) Is there anything I can add to .htaccess? Somebody told me I can add a line turning off PHP error messages, but I don't know what it is (or even why this isn't turned off by DreamHost).
Any help appreciated. I did a forum search and one or two others have this problem, so figuring out a cure would be helpful.