As the following article explains, "Nearly 1% of websites built with a content management system (like WordPress or Joomla) are unknowingly exposing their database password to anyone who knows where to look." https://www.feross.org/cmsploit/

This is due to a complex interaction between Apache, the user's text editor, and the way those content management systems are configured. The root problem is that if the user is editing a file like wp-config.php and the user's connection drops, then a backup file like wp-config.php~ is saved within the web root. Apache understands that a .php file should be run, not returned in cleartext; but Apache doesn't know anything about .php~ files. Consequently, Apache will return the entire contents of the file, in clear text, exposing any passwords that may be stored in that file.

I think there is an opportunity for Apache's default install to help protect against this sort of failure. And, seeing as today it affects 1% of an important class of web sites, I think that would be a valuable improvement to Apache.

One plausible defense: Apache's default installation could recognize text editor backup files and could (in its default configuration) refuse to serve them. A simple approximation of this would be to add .php~, .php#, .cgi~, .cgi#, .save, .swp, .swo to the list of recognized extensions, and refuse to serve files with those extensions (in Apache's default configuration). Basically, this is building a blacklist of files that Apache is not going to serve (in its default configuration).

As a variant on this idea, the essay above suggests a rule like this:

    <Files ~ "(^#.*#|~|\.sw[op])$">
        Order allow,deny
        Deny from all
    </Files>

See also:
http://nmap.org/nsedoc/scripts/http-config-backup.html
http://wordpress.org/support/topic/attack-against-wp-configphp-with-a-tilde
http://blog.tigertech.net/posts/wordpress-security-thoughts/
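To see which filenames the proposed rule and extension list actually cover, here is an added audit script (my own example, not part of the report or of Apache) that applies the quoted regex plus the extra extensions to a web root and lists the editor backup files that would be served as plain text; the sample web root and its filenames are constructed.

```python
import os
import re
import tempfile

# The pattern quoted in the report: Emacs autosave (#name#), the common
# name~ backup, and Vim swap files (.swp / .swo). Apache's <Files> directive
# matches the bare filename, so the regex is applied to the basename here too.
EDITOR_BACKUP_RE = re.compile(r"(^#.*#|~|\.sw[op])$")

# Extensions from the report's list that the regex alone does not cover.
EXTRA_SUFFIXES = (".php#", ".cgi#", ".save")


def is_editor_backup(name: str) -> bool:
    """True if the bare filename looks like an editor backup/autosave/swap file."""
    base = os.path.basename(name)
    return bool(EDITOR_BACKUP_RE.search(base)) or base.endswith(EXTRA_SUFFIXES)


def find_editor_backups(webroot: str) -> list[str]:
    """Walk a web root and return (sorted) relative paths of files that a
    default Apache would hand out in cleartext because no handler owns them."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for fn in filenames:
            if is_editor_backup(fn):
                hits.append(os.path.relpath(os.path.join(dirpath, fn), webroot))
    return sorted(hits)


def demo() -> list[str]:
    """Constructed sample web root (temporary, no real secrets) for a stand-alone run."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("wp-config.php", "wp-config.php~", "#wp-config.php#",
                    ".wp-config.php.swp", "admin/config.php.save", "index.php"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<?php // constructed placeholder content\n")
        return find_editor_backups(root)


if __name__ == "__main__":
    for hit in demo():
        print("editor backup file inside web root:", hit)
```

Running it against a real document root (replace `demo()` with `find_editor_backups("/var/www/html")`) gives the list of files the proposed <Files> rule needs to cover before it is worth deploying.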