+3 votes
in Q2A Core by

As mentioned in the security tutorial: https://docs.question2answer.org/install/security/

Move the qa-config.php file to a location which is outside any directory served by your web server. Then create a new qa-config.php file in its place which references the old file using the require PHP function. If your web server were to become misconfigured and start serving the raw code in .php files, this would ensure that your MySQL details remain hidden.

I am not able to understand or apply it... please help me. I want to make sure to maximize the security for my website. I've customized everything but this is the only thing I am not able to apply... it'll be very helpful to get a better and easy tutorial.

Q2A version: 1.8.5

1 Answer

+2 votes

Let's assume that your Q2A installation directory (the location where you unpacked the application archive) is /var/www/q2a. This directory is published by the webserver hosting the application. By default the config file would then be located at /var/www/q2a/qa-config.php, which is inside the published directory.

The recommendation is to move the file to some directory that is not published by the webserver, for instance the webserver config directory (/etc/nginx if you're using Nginx) or your userhome if you're using shared webhosting, and create a new file /var/www/q2a/qa-config.php that just includes the original file from its new location:

require_once '/etc/nginx/qa-config.php';

Beware that /etc/nginx/qa-config.php still needs to be readable by the webserver user or group (usually www-data).
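
The procedure from the answer above as shell functions, added here as an example; it is not part of the original answer or of Q2A's own tooling. The function names are hypothetical, the caller supplies both directories and (optionally) the webserver group, and the check relies on Q2A's database settings being defined with the `QA_MYSQL_` prefix.

```shell
#!/bin/sh
# Added example: move qa-config.php out of the web root, leave an include
# stub behind, and confirm the published file no longer holds DB settings.

# relocate_q2a_config WEBROOT SECURE_DIR [GROUP]
relocate_q2a_config() {
    # Resolve symlinks so the containment check compares real paths.
    webroot=$(cd "$1" && pwd -P) || return 1
    secure=$(cd "$2" && pwd -P) || return 1
    group=${3:-}

    # Refuse a target that is the web root itself or lives underneath it.
    case "$secure/" in
        "$webroot"/*) echo "target is inside the web root" >&2; return 1 ;;
    esac

    [ -f "$webroot/qa-config.php" ] || { echo "no qa-config.php in $webroot" >&2; return 1; }
    [ ! -e "$secure/qa-config.php" ] || { echo "target already exists" >&2; return 1; }

    mv "$webroot/qa-config.php" "$secure/qa-config.php" || return 1

    # Owner read/write, group read, nothing for others.
    chmod 640 "$secure/qa-config.php" || return 1
    if [ -n "$group" ]; then
        # The webserver group must be able to read the moved file.
        chgrp "$group" "$secure/qa-config.php" || return 1
    fi

    # The stub left in the web root contains only the include line.
    printf "<?php\nrequire_once '%s';\n" "$secure/qa-config.php" \
        > "$webroot/qa-config.php"
}

# stub_is_clean WEBROOT: succeeds when the published file defines no DB settings.
stub_is_clean() {
    ! grep -q 'QA_MYSQL_' "$1/qa-config.php"
}
```

With the paths from the answer, this would be run as root as `relocate_q2a_config /var/www/q2a /etc/nginx www-data`, followed by `stub_is_clean /var/www/q2a`.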