Is it Secret? Is it Safe?
by Jeff Starr on Wednesday, March 17, 2010 – 39 Responses
Whenever I find myself working with PHP or messing around with server settings, I nearly always create a phpinfo.php file and place it in the root directory of whatever domain I happen to be working on. These types of informational files employ PHP’s handy phpinfo() function to display a concise summary of all of your server’s variables, which may then be referenced for debugging purposes, bragging rights, and so on.
While this sort of thing is normally okay, I frequently forget to remove the file and just leave it sitting there for the entire world to look at. This of course is a big “no-no” for site security, because the phpinfo.php file contains a hefty amount of information about my server, including stuff like:
- The web server version
- The IP address of the host
- The version of the operating system
- The root directory of the web server
- Configuration information about the remote PHP installation
- The username of the user who installed PHP and whether they are a sudo user
That, and tons more, may be accessed quite easily by just about anyone looking for it. Of course, nefarious scum could then use this information to detect a vulnerability, exploit it, and feel better about their pathetic, wasted lives.
So, wise readers, it is my advice to you (as well to myself) to remember to protect or remove any phpinfo.php or other sensitive files that you may have sitting around on your server. An information-disclosure attack may seem like a low priority affair, but if the attacker locates a vulnerability, you’re screwed.
How to protect your phpinfo and other sensitive files with htaccess
If you are constantly referring to the file and would rather not delete it, consider adding the following slice of HTAccess to keep it private for your IP only:
# protect phpinfo
<Files php-info.php>
Order Deny,Allow
Deny from all
# replace 123.456.789 (a placeholder, not a real address) with your own IP
Allow from 123.456.789
</Files>
Edit this snippet to include your specific IP address, along with any other IPs that may require access. Just use additional Allow from 123.456.789 lines to do so.
Likewise, to protect other files, you can replace “php-info.php” with the name of the file, or use regular expressions to pattern-match specific file sets.
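As an added example (not code from the original post), here is the article's Apache 2.2 block beside its Apache 2.4 equivalent, plus the regex form for locking down several informational files at once; the addresses 203.0.113.10 and 198.51.100.0/24 are documentation-range placeholders standing in for your own IP(s).

```apache
# Apache 2.2 (mod_access): the same form as the article's snippet.
# Loaded only when the 2.4 authorization module is absent.
<IfModule !mod_authz_core.c>
    <Files "php-info.php">
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </Files>
</IfModule>

# Apache 2.4 (mod_authz_core): Order/Deny/Allow are replaced by Require.
<IfModule mod_authz_core.c>
    <Files "php-info.php">
        Require ip 203.0.113.10 198.51.100.0/24
    </Files>

    # Regex alternative: any file whose name starts with "phpinfo" or
    # "php-info", e.g. phpinfo_whateveryouwant.php, gets the same rule.
    <FilesMatch "^php-?info.*\.php$">
        Require ip 203.0.113.10 198.51.100.0/24
    </FilesMatch>
</IfModule>

# To lock down a whole directory instead, put only the Require (or
# Order/Deny/Allow) lines, with no <Files> wrapper, in that directory's
# own .htaccess file.
```

The allow list is only as good as the client address Apache sees: behind a reverse proxy or CDN every request arrives from the proxy's IP, so check what REMOTE_ADDR reports before trusting the rule. Verify the block from a network outside the list, e.g. `curl -I` against the file, and expect a 403.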
Remember, when it comes to sensitive data, take an old wizard’s advice:
Keep it secret. Keep it safe.
39 Responses
Joseph McCullough – #1
Ouch, that seems like that could turn into a major problem. I haven’t had to deal with any of that, but thanks for the heads up.
Tell me if this would be a good idea, I’ve never done it before, just popped into my head
I include a docheading.php in all of my files that contains the doctype, charset, php constants, and a reference to my global css style sheet. If you do that or something similar, could you possibly tag this logic with it?
- check if file phpinfo.php exists (using file_exists())
- If it exists, mail to webmaster a message saying that phpinfo is still in the directory AND BAD THINGS WILL ENSUE.
So you’ll get an email letting you know to delete it. You could also create a boolean value to make sure if a notification email has been sent it doesn’t continue to send every time a page loads.
Just a silly thought :)
Connie – #2
There is absolutely no need to call this file phpinfo.php. You could, as a weak step to protect it, call it lkdfeorDasistidelIebederMATRosen.php, why not?
I am always frustrated
- to find these files at servers
- to find these files named phpinfo.php
no phantasy, no security!
Bjørn Johansen – #3
I totally agree with Connie here. There is absolutely no need to mess around with .htaccess.
If you want IP based security, you could just rewrite your phpinfo.php like this (Yes, it’s a one liner):
<?php if ($_SERVER['REMOTE_ADDR'] == '123.456.789') phpinfo(); ?>
Ben Everard – #4
+1, why not write a post it and place it in the middle of your screen, then you won’t forget to delete it.
Equally like Connie said, name it super-cali-fragilistic-expiali-docious.php
Ben
Frank Martin – #5
I can’t understand why you’d ever create a separate file for this at all. Surely you won’t need to reference this file enough to warrant keeping it there for the duration of a project.
Personally I’d use the same method as Bjørn then delete straight away; after all, how long does it take to write that line of code into an existing file? Plus if it’s smack bang in the middle of your screen you can’t carry on working without deleting it.
patriciomg – #6
IMHO there’s no need to play with the .htaccess file for this. I see 3 alternatives:
1. Just ask your sysadmin for the info you need. Done!
2. Create your script, upload it, load it, save the result on your pc, delete the script from your live system. Done! The configuration in a live system does not change often.
3. On virtual hosting there’s always a cpanel tool (or similar). Which means, there’s no need to create a phpinfo script.
I wonder why someone wants to have sensitive info in a live system.. Maybe I’m still sleepy, better I go for my coffee ration :)
regards.
Pat.
Musa – #7
Completely agree with Connie
Bart Jacobs – #8
To start, I never place a phpinfo file in the website root. I am always amused at the cleverness of web programmers and how they do their best to protect their work. I learn every single day.
Connie’s right, though, be creative with naming your files (especially temp files).
Stephanie – #9
I don’t know if you ever did a post about this (and apologies if you did). But I just started learning the tricks and ways of htacess. I’d be interested in learning more if you could compile some of the more common handy things that pros use now and again.
Rod Homor – #10
Another thing you could do is ONLY call and display the output functions IF a particular SUPER-GLOBAL variable is set in the query string. So, even if you forget to delete the file, you would be the only person to know WHAT URL value to use for that file / page to display the ‘sensitive’ data.
For example:
<?php
if ( isset( $_GET['super_secret_variable_name'] ) ) {
    phpinfo();
} else {
    echo 'Are you forgetting something!!??!!';
    exit;
}
?>
Adrian – #11
After reading this post I decided to check the server on which this was posted.
http://perishablepress.com/php-info.php
Jeff_drumgod – #12
Hello, very nice your post. I created one on my site, based on their words, but translated into Portuguese - BR.
Congratulations on your blog.
URL: http://blog.webcres.com.br/como-proteger-o-seu-phpinfo-e-outros-arquivos-confidenciais-com-htaccess/
Shadow Caster – #13
I know I’m going to get blasted for this but shouldn’t it be the server admin’s job to make sure there are no vulnerabilities? And if the server gets hacked he will be a bit more proactive in defending it. From my experience any attacked websites/servers are brought back up within a few hours and don’t go down again for a long time afterwards.
Chris Gray – #14
Could this or a similar method be used to hide a directory from all but one IP in the same way?
Jeff Starr – #15
@Joseph McCullough: Great idea for when you need to keep the file on the server. Thanks for sharing.
@Connie: There are cases where it is useful to have such informational files on the server. In such cases, I think it is more convenient/useful to name the files something like “phpinfo_whateveryouwant.php” than just naming them arbitrarily (which could get confusing and slow down development). I agree it’s best to simply remove them, but this is not always possible or practical. In such cases, htaccess is one way of locking them down.
@Bjørn Johansen: Another excellent protection method. Thanks!
@Ben Everard: As mentioned, it may be more useful to include a recognizable name along with the nonsense characters. But yeah, renaming is a simple way of protecting it. HTAccess works even better because the file is still blocked even if something happens to find it.
@Frank Martin: There are many reasons why people keep a copy of loose informational files on the server. Mostly convenience, but other reasons as well. In these cases, it is important to protect the files. As explained in the article, deleting such files is the ideal solution.
@patriciomg: Great ideas! Thanks for sharing them with us.
@Musa: Duly noted. Thanks for voting ;)
@Bart Jacobs: Creative naming with recognizable file names is good, but actually blocking such files is even better, in my experience.
@Stephanie: Check out my htaccess tag archive! :)
@Rod Homor: Another excellent technique — thank you!
@Adrian: Fixed, thanks for checking ;)
@Jeff_drumgod: Thank you — that’s awesome :)
@Shadow Caster: Perhaps, but there’s millions of different strategies and ways of doing things. Just trying to help those who can use it.
@Chris Gray: Yep, just use a wildcard * for the file name and place the htaccess file in the directory you would like to protect.
Alfred Ayache – #16
The phpinfo.php file is one of the first ones I include in a system I’m developing. It continues to be useful for the lifetime of the app, so I don’t want to remove it. But I hate dealing with Apache, so no .htaccess for me. Instead, I put it in my admin directory, and test to make sure the user requesting it is logged in as an admin.
In the event the system is broken and I can’t log in, then I create the file using some weird name, and make sure to delete it when I’m done.
Jeepers! I thought *everyone* did that!
Francis – #17
Every security guy will tell you that naming things with complex names is not a security protection.
Instead of being lazy why don’t you delete the files after you’re done? It takes less than 10 sec to create a phpinfo file!
There’s no point in messing around with login, .htaccess or complex $_GET params. Just do yourself a favour and be professional! Delete what you don’t need when you’re done.
I do not wish to see your code! If you can’t delete a file after you’re done, I imagine the mess in your code.
Rod Homor – #18
Francis, I only use the GET parameter just in the rare case that I forget to delete the file. Not as a consistent security measure.
Now that this point has been clarified….
I completely agree with you, Francis. Delete the file!!
steve – #19
Joseph - The problem is that you are not using a proper URL shortening service for your links. There are many choices, but http://www.skyzop.com seems to be the best one out there. You can shrink your URLs and also earn money from it. You can also create a blog, write reviews, and lots more. The other option is bit.ly, but they do not offer any type of payment for your links. The choice is yours - Hope this helps
WP Tricks – #20
I will do it… thanks for sharing easy tips
keli – #21
@Jeff: while I agree with you, you really don’t need a phpinfo to find out the host’s IP (in fact you’d be hard pressed to view the site if your browser didn’t know that already). Webserver and PHP versions can often be nicked from any error page (though, of course, that can and should be disabled as well; most often it isn’t).
@shadowcaster: yes you will be and you should be. And go ask your server admin for a slap on my behalf. As a sysadmin, only I know how often I have to do cleanup after careless / ignorant / stupid developers. While a sysadmin can — and more often than a webdeveloper, actually will — harden the system’s defenses, they simply can’t always patch every hole a developer leaves in a system, and no, it’s not their job either. Point in case (and this is a really harmless issue, compared to most): how does the server admin know whether you still need that phpinfo code or not? Should we arbitrarily delete / block access to every potentially dangerous file we might find?
Please, please consider really seriously that every security should be multi-layered. Both the developer must take any measure s/he can to write safe and quality code, and the server admin must also make sure that the rest of the system is kept as secure as circumstances allow. Ignorance of either part is just a recipe for disaster. And even if “in your experience” every attacked site is back in working order in a short time, that probably meant a lot of stressful work for a few people in the background, so that you can continue to remain ignorant about the reality.
Steve – #22
Excuse me for asking idiot questions. I want to perform some htaccess protections and need clarification. I’ve been engaged in an 8 week crash course to learn everything possible about operating the WP platform.
domain’s root HTAccess file.
Here is my install structure.
/htdocs/wpblog
Is the htdocs where root htaccess resides or is that in wpblog? I’m assuming htdocs.
Jeff Starr – #23
Steve, you’ll want to place it in the web-accessible root directory, which in your case looks like htdocs. One way to check is to upload some random file from either directory and then see which one appears at domain.tld/random.file (as opposed to domain.tld/wpblog/random.file).
Steve – #24
Thanks Jeff,
The only code in my htdocs .htaccess was . . Options -Indexes
I placed it below that. Correct?
Also I sent you an email about my wpblog .htaccess
Actually wpblog is not the real name of my Wordpress root folder but I’m turning into a security fanatic now. Not quite a black belt yet though by a long shot.
Jeff Starr – #25
Hi Steve, yes it should work fine there below the Options directive. I’ll reply to email as soon as I get to it (hopefully soon).
Steve – #26
Okay so my blogs root .htaccess is my master gatekeeper?
# END WordPress
# protect phpinfo
Order Deny,Allow
Deny from all
Allow from 123.456.789
Is this it?
Jeff Starr – #27
Hey Steve, I wouldn’t say that, but it can go far in protecting sensitive material such as phpinfo.php.
Also, the code you posted looks incorrect.. remember to wrap your code in <code> tags so that WordPress doesn’t gobble it..
brett – #28
couldn’t you also chmod the file so it wouldn’t be publicly available?
keli – #29
@brett: chmod won’t help with a phpinfo file as it only controls local access. Sure, you can deny it from apache, but then what’s the point, you might as well just delete it, or keep it outside the webroot. Locally there’s not much info in the phpinfo file …
Eric – #30
@connie et al: security through obscurity is NEVER a good idea.
Like removing the “Entrance” sign but keep the door unlocked…
It just delays the weakness being found.
Now you can argue whether a “difficult to guess” file name is not equivalent to a password. It is not!
Anyone who manages to list the root directory has no obstacle anymore.
Jeff Starr – #31
Technically, isn’t using a password also “security through obscurity”?
How is guessing a password any different than guessing a file name?
Tanveer Malik – #32
How can we protect multiple files, like if we want to protect the index.php file at the same time as well?
Jeff Starr – #33
Many ways to protect multiple files with htaccess.. either using regular expression or multiple deny blocks (or both).
James – #34
Not sure why but I was getting an internal server error msg when I tried to use the code in htaccess!! Didn’t check but most probably I placed the code in between some other htaccess code … Anyway instead of htaccess I used the Rod Homor trick which works great :) … Thanks @Rod Homor