Is not really an issue but a question

[kitsos]

You are saying that wp-config.php cannot be inside /wp/. Why can't be?

Thanks in advance.

K.

[cimocimocimo]

I'm sure it can be done but that would defeat the purpose of keeping WP in it's own directory. This is done so that everything in the /wp/ directory is the current checked out version of Wordpress.

[kitsos]

Yeah, but you still can add to .gitignore a file inside the /wp/ directory. So in your point of view there is not a serious practical reason for following this practice.

[atticoos]

@kitsos, adding a file inside the wp/ directory would defeat the purpose of git submodules. Keeping the separation of responsibilities between the current project, and it's dependency (wordpress) is why we want to be doing it like this.

[mathieuhays]

@kitsos the technical reason is that you must track your config file in your repository because of the configuration of the different stage and all the other parameters you might define inside. So you can't put it in your gitignore file.

Putting it in the submodule would be bad practises and might lead you to loose your configuration in the future.

[jasonlmann]

@mathieuhays That makes sense, but is there any security risk to including wp-config in a repo? Should I always use private repos with a site built in this way? Thanks.

[mathieuhays]

There is no security risk here because the database credentials are populated on deployment ( strings like %%DB_NAME%% are replaced when you deploy using WP Stack ) so you shouldn't replace them yourself (if that's what you're doing).

Actually there is still room for improvement security wise. If we wanted to be more secure we could also replace the salts and the db prefix in the same fashion as we do for the db credentials.

As for now, I would suggest using private repos.

[jasonlmann]

Thanks, that's really helpful. I didn't even know about WP Stack. Looking at that now. (As may be obvious, I am teaching myself as I go.)