I'm confused. My conf folder is chmoded to 755, and that file is set to 644. That is how it happens when I upload, and that is not a risk. This line makes sure b2evo is reading that file:

if( !defined('EVO_CONFIG_LOADED') ) die( 'Please, do not access this page directly.' );

Good luck accessing my _basic_config file, I think. BTW I've also added an empty index.html file to every folder that no one ever needs to be inside and doesn't have it's own index file of some sort, but that's just my cheap way of shutting down open directories.

Can you show a link to where you're seeing all the grief about world readable? It's possible that whatever you're looking at needs to be reviewed and overhauled, but I can't say until I see it. Actually I can't say at all because I'm just a forum junkie who knows a little bit and posts a lot ;)

(Oh hey I HATE when someone forces a font size on me. You should see the disaster drill a phpbb forum admin made out of their installation! The buttons for "quote" and "reply" and stuff have shrank down to these teeny tiny things that the only way I can use them is by knowing where they are. It totally sucks! So I personally am happy that here I can read the buttons.)

Hi EdB. The permissions stuff is mentioned here: http://manual.b2evolution.net/Directory_and_file_permissions . An excerpt:

/blogs/conf/_basic_config.php
This file is critical, because it includes your database password! It needs to be writable by the webserver during installation, if you do not want to manually edit the file. It should have the most restrictive permissions as possible: 600 would be the best, if the owner of the file is the "PHP user" (where PHP gets executed as). If you are not sure, try it in the following order: 600, 660 and (not recommended) 666. After installation the file does not needs to be writable, so you could also use 400, 440 or (not recommended) 444.

The critical part with it is not the "write" part, but already the "read" part: you don't want anyone to be able to read your database credentials!

That page is linked to from here: http://manual.b2evolution.net/Tricky_stuff

More about small fonts.. I have seen web pages and software that I can only read by changing my monitor's font size settings and rebooting. Ugh..

I also have an issue with the instructions on that page. If I don't set my _basic_config.php file to 444 or 666 my blog will give an error instead of loading the page.

I'm not sure how anyone could access my _basic_config.php file since a direct access gives the "Do not access this page directly." message. But maybe there are some bad guys who can do it some other way....

But basically I just need to take my chances.

Is that file at 444 or 666 really vulnerable? Under what circumstances?

Yeah that page needs a lot of explaining. I have never chmoded that file to anything. Ever. I guess if I wanted to enter the connection credentials through a browser during installation I would have to chmod it up, do my install, then chmod it back down, but to me it seems so much easier to just edit the file locally and FTP the files up.

Stay tuned if you're interested, but for now I'll say don't sweat it. Tell the web guy that page is why you were all concerned, but don't sweat it. It'll be a while before a bottom line is found on what that page should say, but to me it shouldn't hardly even mention changing perms on that particular file. If it wants to it should say that the only time you need to change it is (see above) and that you have to change it back immediately upon completion.

The reason for making the file not world readable is that it contains database login and password information in clear text. If anyone ever gained access to the file, they could read the login and password information. Would you put your credit card information in that file? I agree with the recommendation about not making the file world readable but was wondering if this is really practical in most web setups, or if the people that wrote that piece of advice had any insight about hearing back about people's experience with it.