I am hosting my Wordpress blog on a shared server. It's a Ubuntu Linux server with Apache, PHP, MySQL. Customer files are stored in separate folders under /home.
All sensitive information about a Wordpress blog (like database username & password) are stored in a file wp-config.php as default. I tried to include this file from another hosting account on this server (simply with a relative path like ../MyHomeFolder/wp-config.php). And surprise! It can connect to my database with my credentials!
Is there way to protect my database from my evil neighbors?
What should the hosting company do to prevent customers from intruding into each other's database? I know the system admin personally, I can tell him what he must do.
Edit: The permission of my wp-config.php file is 644. So, my neighbors can't simply open it. But, all PHP files are run by apache user. So, they can include it.
Is there way to protect my database from my evil neighbors?
Change the file permissions to deny read-access, using chmod. Though this depends on how Apache and user accounts are configured on the server. It might be impossible to prevent read-access to the file to other users and still allow Apache to read it. You can try chmod 600 <filename> and see if your site still loads. If not, try chmod 640 <filename> and then try reading it with another user account.
What should the hosting company do to prevent customers from intruding into each other's database? I know the system admin personally, I can tell him what he must do.
He should be using chroot jails.
Don't bother. If your hosting provider is really that sloppy with security, you should seriously consider switching to another provider.