Is it Secret? Is it Safe?

♦ Posted by Jeff Starr in .htaccess, PHP, Security

Updated July 3, 2023 • 35 comments

[ Enjoying the Evening ] Whenever I find myself working with PHP or messing around with server settings, I nearly always create a phpinfo.php file and place it in the root directory of whatever domain I happen to be working on. These types of informational files employ PHP’s handy phpinfo() function to display a concise summary of all of your server’s variables, which may then be referenced for debugging purposes, bragging rights, and so on.

While this sort of thing is normally okay, I frequently forget to remove the file and just leave it sitting there for the entire world to look at. This of course is a big “no-no” for site security, because the phpinfo.php file contains a hefty amount of information about my server, including stuff like:

The web server version
The IP address of the host
The version of the operating system
The root directory of the web server
Configuration information about the remote PHP installation
The username of the user who installed php and if they are a SUDO user

That, and tons more may be easily accessed quite easily by just about anyone looking for it. Of course, nefarious scum could then use this information to detect a vulnerability, exploit it, and feel better about their pathetic, wasted lives.

Remember to protect or remove any phpinfo.php or other sensitive files that you may have sitting around on your server.

So, wise readers, it is my advice to you (as well to myself) to remember to protect or remove any phpinfo.php or other sensitive files that you may have sitting around on your server. An information-disclosure attack may seem like a low priority affair, but if the attacker locates a vulnerability, you’re screwed.

How to protect your phpinfo and other sensitive files with htaccess

If you are constantly referring to the file and would rather not delete it, consider adding the following slice of HTAccess to keep it private for your IP only:

# protect phpinfo
<Files php-info.php>
	Order Deny,Allow
	Deny from all
	Allow from 123.456.789
</Files>

Edit this snippet to include your specific IP address, along with any other IPs that may require access. Just use additional Allow from 123.456.789 lines to do so.

Likewise, to protect other files, you can replace “php-info.php” with the name of the file, or use regular expressions to pattern-match specific file sets.

Remember, when it comes to sensitive data, take an old wizard’s advice:

Keep it secret. Keep it safe.

ip mod_rewrite tips tricks

About the Author

Jeff Starr = Creative thinker. Passionate about free and open Web.

35 responses to “Is it Secret? Is it Safe?”

Shadow Caster 2010/03/19 9:49 am

I know I’m going to get blasted for this but shouldn’t it be the server admin’s job to make sure there are no vulnerabilities? And if the server gets hacked he will be a bit more proactive in defending it. From my experience any attacked websites/servers are brought back up within a few hours and don’t go down again for a long time afterwards.

Chris Gray 2010/03/19 3:37 pm

Could this or a similar method be used to hide a directory from all but one IP in the same way?

Jeff Starr 2010/03/22 2:00 pm • Post Author

@Joseph McCullough: Great idea for when you need to keep the file on the server. Thanks for sharing.

@Connie: There are cases where it is useful to have such informational files on the server. In such cases, I think it is more convenient/useful to name the files something like, “phpinfo_whateveryouwant.php” than just naming them arbitrarily (which could get confusing and slow down development). I agree it’s best to simply remove them, but this is not always possible or practical. In such cases, htaccess is one way of locking them down.

@Bjorn Johansen: Another excellent protection method. Thanks!

@Ben Everard: As mentioned, it may be more useful to include a recognizable name along with the nonsense characters. But yeah, renaming is a simple way of protecting it. HTAccess works even better because the file is still blocked even if something happens to find it.

@Frank Martin: There are many reasons why people keep a copy of loose informational files on the server. Mostly convenience, but other reasons as well. In these cases, it is important to protect the files. As explained in the article, deleting such files is the ideal solution.

@patriciomg: Great ideas! Thanks for sharing them with us.

@Musa: Duly noted. Thanks for voting ;)

@Bart Jacobs: Creative naming with recognizable file names is good, but actually blocking such files is even better, in my experience.

@Stephanie: Check out my htaccess tag archive! :)

@Rod Homor: Another excellent technique — thank you!

@Adrian: Fixed, thanks for checking ;)

@Jeff_drumgod: Thank you — that’s awesome :)

@Shadow Caster: Perhaps, but there’s millions of different strategies and ways of doing things. Just trying to help those who can use it.

@Chris Gray: Yep, just use a wildcard * for the file name and place the htaccess file in the directory you would like to protect.

Alfred Ayache 2010/03/22 7:08 pm

The phpinfo.php file is one of the first ones I include in a system I’m developing. It continues to be useful for the lifetime of the app, so I don’t want to remove it. But I hate dealing with Apache, so no .htaccess for me. Instead, I put it in my admin directory, and test to make sure the user requesting it is logged in as an admin.

In the event the system is broken and I can’t log in, then I create the file using some weird name, and make sure to delete it when I’m done.

Jeepers! I thought *everyone* did that!

Rod Homor 2010/03/24 10:15 am

Francis, I only use the GET parameter just in the rare case that I forget to delete the file. Not as a consistent security measure.

Now that this point has been clarified….

I completely agree with you, Francis. Delete the file!!

Francis 2010/03/24 10:04 am

Every security guy will tell you that naming thing with complex name is not a security protection.

Instead of being lazy why don’t you delete the files after you done? It take less than 10 sec to create a phpinfo file!

There’s no point of messing around with login, .htaccess or complex $_GET params. Just do yourself a favour and be professional! Delete what you don’t need when you’re done.

I do not wish to see your code! If can’t delete a file after you done I imagine the mess in your code.

steve 2010/03/28 2:45 am

Joseph – The problem is that you are not using a proper URL shortening service for your links. There are many choices, but http://www.skyzop.com seems to be the best one out there. You can shrink your URLs and also earn money from it. You can also create a blog, write reviews, and lots more. The other option is bit.ly, but they do not offer any type of payment for your links. The choice is yours – Hope this helps

WP Tricks 2010/03/29 12:11 am

I will do it… thanks for share easy tips

keli 2010/04/20 10:58 am

@Jeff: while I agree with you, you really don’t need a phpinfo to find out the hosts IP (in fact you’d be hard pressed to view the site, if your browser wouldn’t know that already). Webserver and PHP versions can often be nicked from any error page (though, of course that can and should be disabled as well. most often it isn’t)

@shadowcaster: yes you will be and you should be. And go ask your server admin for a slap on my behalf. As a sysadmin, only I know how often do I have to do cleanup after careless / ignorant / stupid developers. While a sysadmin can — and more often than a webdeveloper, actually will — harden the systems defenses, they simply can’t always patch every hole a developer leaves in a system and no it’s not their job either. Point in case (and this is a reaally harmless issue, compared to most) how does the server admin know whether you still need that phpinfo code or not? Should we arbitrarily delete / block access to every potentially dangerous file we might find?

Please, please consider really seriously, that every security should be multi-layered. Both the developer must take any measure s/he can to code safe and quality code and the server admin must also make sure that the rest of the system is kept as secure as circumstances allow. Ignorance of either part is just recipe for disaster. And even if “in your experience” every attacked site is back in working order in short time, that probably meant a lot of stressful work for a few people in the background, so that you can continue to remain ignorant about the reality.

Steve 2010/04/29 2:40 pm

Excuse me for asking idiot questions. I want to perform some htaccess protections and need clarification. I’ve been engaged in an 8 week crash course to learn everything possible about operating the WP platform.

domain’s root HTAccess file.

Here is my install structure.

/
htdocs
wpblog

Is the htdocs where root htaccess resides or is that in wpblog? I’m assuming htdocs.

Jeff Starr 2010/05/02 1:17 pm • Post Author

Steve, you’ll want to place it in the web-accessible root directory, which in your case looks like htdocs. One way to check is to upload some random file from either directory and then see which one appears at domain.tld/random.file (as opposed to domain.tld/wpblog/random.file).

Steve 2010/05/02 2:59 pm

Thanks Jeff,

The only code in my htdocs .htaccess was . .

Options -Indexes

I placed it below that. Correct?

Also I sent you an email about my wpblog .htaccess

Actually wpblog is not the real name of my WordPress root folder but I’m turning into a security fanatic now. Not quite a black belt yet though by a long shot.

Comments are closed for this post. Something to add? Let me know.

Shadow Caster 2010/03/19 9:49 am

I know I’m going to get blasted for this but shouldn’t it be the server admin’s job to make sure there are no vulnerabilities? And if the server gets hacked he will be a bit more proactive in defending it. From my experience any attacked websites/servers are brought back up within a few hours and don’t go down again for a long time afterwards.
Chris Gray 2010/03/19 3:37 pm

Could this or a similar method be used to hide a directory from all but one IP in the same way?
Jeff Starr 2010/03/22 2:00 pm • Post Author

@Joseph McCullough: Great idea for when you need to keep the file on the server. Thanks for sharing.

@Connie: There are cases where it is useful to have such informational files on the server. In such cases, I think it is more convenient/useful to name the files something like, “phpinfo_whateveryouwant.php” than just naming them arbitrarily (which could get confusing and slow down development). I agree it’s best to simply remove them, but this is not always possible or practical. In such cases, htaccess is one way of locking them down.

@Bjorn Johansen: Another excellent protection method. Thanks!

@Ben Everard: As mentioned, it may be more useful to include a recognizable name along with the nonsense characters. But yeah, renaming is a simple way of protecting it. HTAccess works even better because the file is still blocked even if something happens to find it.

@Frank Martin: There are many reasons why people keep a copy of loose informational files on the server. Mostly convenience, but other reasons as well. In these cases, it is important to protect the files. As explained in the article, deleting such files is the ideal solution.

@patriciomg: Great ideas! Thanks for sharing them with us.

@Musa: Duly noted. Thanks for voting ;)

@Bart Jacobs: Creative naming with recognizable file names is good, but actually blocking such files is even better, in my experience.

@Stephanie: Check out my htaccess tag archive! :)

@Rod Homor: Another excellent technique — thank you!

@Adrian: Fixed, thanks for checking ;)

@Jeff_drumgod: Thank you — that’s awesome :)

@Shadow Caster: Perhaps, but there’s millions of different strategies and ways of doing things. Just trying to help those who can use it.

@Chris Gray: Yep, just use a wildcard * for the file name and place the htaccess file in the directory you would like to protect.
Alfred Ayache 2010/03/22 7:08 pm

The phpinfo.php file is one of the first ones I include in a system I’m developing. It continues to be useful for the lifetime of the app, so I don’t want to remove it. But I hate dealing with Apache, so no .htaccess for me. Instead, I put it in my admin directory, and test to make sure the user requesting it is logged in as an admin.

In the event the system is broken and I can’t log in, then I create the file using some weird name, and make sure to delete it when I’m done.

Jeepers! I thought *everyone* did that!
Rod Homor 2010/03/24 10:15 am

Francis, I only use the GET parameter just in the rare case that I forget to delete the file. Not as a consistent security measure.

Now that this point has been clarified….

I completely agree with you, Francis. Delete the file!!
Francis 2010/03/24 10:04 am

Every security guy will tell you that naming thing with complex name is not a security protection.

Instead of being lazy why don’t you delete the files after you done? It take less than 10 sec to create a phpinfo file!

There’s no point of messing around with login, .htaccess or complex $_GET params. Just do yourself a favour and be professional! Delete what you don’t need when you’re done.

I do not wish to see your code! If can’t delete a file after you done I imagine the mess in your code.
steve 2010/03/28 2:45 am

Joseph – The problem is that you are not using a proper URL shortening service for your links. There are many choices, but http://www.skyzop.com seems to be the best one out there. You can shrink your URLs and also earn money from it. You can also create a blog, write reviews, and lots more. The other option is bit.ly, but they do not offer any type of payment for your links. The choice is yours – Hope this helps
WP Tricks 2010/03/29 12:11 am

I will do it… thanks for share easy tips
keli 2010/04/20 10:58 am

@Jeff: while I agree with you, you really don’t need a phpinfo to find out the hosts IP (in fact you’d be hard pressed to view the site, if your browser wouldn’t know that already). Webserver and PHP versions can often be nicked from any error page (though, of course that can and should be disabled as well. most often it isn’t)

@shadowcaster: yes you will be and you should be. And go ask your server admin for a slap on my behalf. As a sysadmin, only I know how often do I have to do cleanup after careless / ignorant / stupid developers. While a sysadmin can — and more often than a webdeveloper, actually will — harden the systems defenses, they simply can’t always patch every hole a developer leaves in a system and no it’s not their job either. Point in case (and this is a reaally harmless issue, compared to most) how does the server admin know whether you still need that phpinfo code or not? Should we arbitrarily delete / block access to every potentially dangerous file we might find?

Please, please consider really seriously, that every security should be multi-layered. Both the developer must take any measure s/he can to code safe and quality code and the server admin must also make sure that the rest of the system is kept as secure as circumstances allow. Ignorance of either part is just recipe for disaster. And even if “in your experience” every attacked site is back in working order in short time, that probably meant a lot of stressful work for a few people in the background, so that you can continue to remain ignorant about the reality.
Steve 2010/04/29 2:40 pm

Excuse me for asking idiot questions. I want to perform some htaccess protections and need clarification. I’ve been engaged in an 8 week crash course to learn everything possible about operating the WP platform.

domain’s root HTAccess file.

Here is my install structure.

/
htdocs
wpblog

Is the htdocs where root htaccess resides or is that in wpblog? I’m assuming htdocs.
Jeff Starr 2010/05/02 1:17 pm • Post Author

Steve, you’ll want to place it in the web-accessible root directory, which in your case looks like htdocs. One way to check is to upload some random file from either directory and then see which one appears at domain.tld/random.file (as opposed to domain.tld/wpblog/random.file).
Steve 2010/05/02 2:59 pm

Thanks Jeff,

The only code in my htdocs .htaccess was . .

Options -Indexes

I placed it below that. Correct?

Also I sent you an email about my wpblog .htaccess

Actually wpblog is not the real name of my WordPress root folder but I’m turning into a security fanatic now. Not quite a black belt yet though by a long shot.

« Previous Comments • 123 • Newer Comments »