Sensitive files exposed on your WordPress site

Files containing your passwords, API keys or database backups are publicly accessible from the internet.

Why it matters

An attacker can retrieve your database credentials, secret keys and your entire site structure in seconds, with nothing more than a web browser. Of all the findings in this audit, this is the most directly exploitable: no exploit code is needed, only the URL of the exposed file.

How to fix

1. Delete or move the files

   Immediately delete unnecessary files (.env, *.sql, *.bak, phpinfo.php). For wp-config.php, move it one level above the web root (WordPress will find it automatically).

2. Block access via .htaccess (Apache)

   ```apache
   # Block sensitive files by extension
   <FilesMatch "\.(env|sql|bak|old|backup|log|ini|conf|orig)$">
     # Apache 2.2 syntax (also works on 2.4 with mod_access_compat);
     # on Apache 2.4 without that module use: Require all denied
     Order allow,deny
     Deny from all
   </FilesMatch>

   # Block readme.html, debug.log and other telltale files by name
   <FilesMatch "^(readme\.html|debug\.log|error_log|phpinfo\.php)$">
     Order allow,deny
     Deny from all
   </FilesMatch>
   ```
3. Block via Nginx

   ```nginx
   # Case-insensitive regex location: deny any file with one of these extensions
   location ~* \.(env|sql|bak|old|backup|log)$ {
     deny all;
   }
   ```
4. Change all compromised keys

   If a .env or wp-config.php file was exposed, immediately change: database password, WordPress secret keys (wp-config.php → AUTH_KEY, SECURE_AUTH_KEY…), third-party API keys.
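The four steps above can be worked through with a small script. The following is an added example, not code from the original page: it walks a local copy of the web root and flags files using the same extension list and file names as the Apache and Nginx rules above (plus `.env.*` variants, which go beyond the page's regex), reports a wp-config.php that still sits inside the web root, and generates fresh 64-character values for the eight WordPress secret keys and salts (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four `_SALT` counterparts) for the rotation in step 4. The sample directory it builds for its self-test is constructed.

```python
"""Audit a WordPress web root for exposed sensitive files and prepare a key rotation.

Added example for this advisory; the patterns mirror the .htaccess / nginx rules above.
The sample web root created by build_sample_webroot() is constructed test data.
"""
import os
import re
import secrets
import string
import tempfile
from typing import Dict, Optional

# Same extension list as the FilesMatch rule on the page.
SENSITIVE_EXT = re.compile(r"\.(env|sql|bak|old|backup|log|ini|conf|orig)$", re.IGNORECASE)
# Same explicit names as the second FilesMatch rule.
SENSITIVE_NAMES = {"readme.html", "debug.log", "error_log", "phpinfo.php"}
# wp-config.php is executed by PHP rather than served raw, so the block rules do not
# cover it; the fix is to move it one level above the web root (step 1).
CONFIG_NAME = "wp-config.php"

# The eight key/salt constants WordPress defines in wp-config.php (step 4).
WP_KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Printable ASCII minus single quote and backslash, so values paste safely
# into define('AUTH_KEY', '...') without escaping.
SALT_ALPHABET = "".join(c for c in string.printable[:94] if c not in "'\\")


def classify(relpath: str) -> Optional[str]:
    """Return why a path is sensitive, or None if it is not."""
    name = os.path.basename(relpath)
    if name == CONFIG_NAME:
        return "config-in-webroot"
    if name in SENSITIVE_NAMES or name.startswith(".env"):
        return "sensitive-name"
    if SENSITIVE_EXT.search(name):
        return "sensitive-extension"
    return None


def scan_webroot(root: str) -> Dict[str, str]:
    """Walk the web root and map each sensitive file (web path) to its finding type."""
    findings: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            kind = classify(rel)
            if kind:
                findings[rel.replace(os.sep, "/")] = kind
    return findings


def new_secret_keys(length: int = 64) -> Dict[str, str]:
    """Generate replacement values for all eight WordPress keys and salts."""
    return {name: "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))
            for name in WP_KEY_NAMES}


def render_define_lines(keys: Dict[str, str]) -> str:
    """Format the keys as PHP define() lines ready for wp-config.php."""
    return "\n".join(f"define('{k}', '{v}');" for k, v in keys.items())


def build_sample_webroot() -> str:
    """Create a constructed web root with a mix of safe and sensitive files (test data)."""
    root = tempfile.mkdtemp(prefix="wproot-")
    sample = [
        "index.php", "wp-config.php", ".env", "readme.html",
        "backup/site.sql", "wp-content/debug.log",
        "wp-content/themes/x/style.css", "wp-content/uploads/photo.jpg",
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    root = build_sample_webroot()
    for path, kind in sorted(scan_webroot(root).items()):
        print(f"{kind:20} /{path}")
    print(render_define_lines(new_secret_keys()))
```

Run it against a local checkout or a copy of the server's document root; anything reported as `sensitive-name` or `sensitive-extension` should be deleted or moved, and a `config-in-webroot` finding means wp-config.php still needs to be relocated. After the block rules are deployed, confirm from outside that each reported path now returns 403 or 404 rather than its contents.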
