Welcome to the new design! Please report any bugs or issues, thanks :)
Web Dev + WordPress + Security

Is it Secret? Is it Safe?

[ Enjoying the Evening ] Whenever I find myself working with PHP or messing around with server settings, I nearly always create a phpinfo.php file and place it in the root directory of whatever domain I happen to be working on. These types of informational files employ PHP’s handy phpinfo() function to display a concise summary of all of your server’s variables, which may then be referenced for debugging purposes, bragging rights, and so on.

While this sort of thing is normally okay, I frequently forget to remove the file and just leave it sitting there for the entire world to look at. This of course is a big “no-no” for site security, because the phpinfo.php file contains a hefty amount of information about my server, including stuff like:

  • The web server version
  • The IP address of the host
  • The version of the operating system
  • The root directory of the web server
  • Configuration information about the remote PHP installation
  • The username of the user who installed php and if they are a SUDO user

That, and tons more may be easily accessed quite easily by just about anyone looking for it. Of course, nefarious scum could then use this information to detect a vulnerability, exploit it, and feel better about their pathetic, wasted lives.

Remember to protect or remove any phpinfo.php or other sensitive files that you may have sitting around on your server.

So, wise readers, it is my advice to you (as well to myself) to remember to protect or remove any phpinfo.php or other sensitive files that you may have sitting around on your server. An information-disclosure attack may seem like a low priority affair, but if the attacker locates a vulnerability, you’re screwed.

How to protect your phpinfo and other sensitive files with htaccess

If you are constantly referring to the file and would rather not delete it, consider adding the following slice of HTAccess to keep it private for your IP only:

# protect phpinfo
<Files php-info.php>
	Order Deny,Allow
	Deny from all
	Allow from 123.456.789
</Files>

Edit this snippet to include your specific IP address, along with any other IPs that may require access. Just use additional Allow from 123.456.789 lines to do so.

Likewise, to protect other files, you can replace “php-info.php” with the name of the file, or use regular expressions to pattern-match specific file sets.

Remember, when it comes to sensitive data, take an old wizard’s advice:

Keep it secret. Keep it safe.

Jeff Starr
About the Author
Jeff Starr = Web Developer. Security Specialist. WordPress Buff.
WP Themes In Depth: Build and sell awesome WordPress themes.

35 responses to “Is it Secret? Is it Safe?”

  1. Jeff Starr
    Jeff Starr 2010/05/03 1:08 pm

    Hi Steve, yes it should work fine there below the Options directive. I’ll reply to email as soon as I get to it (hopefully soon).

  2. Okay so my blogs root .htaccess is my master gatekeeper?

    # END WordPress

    # protect phpinfo

    Order Deny,Allow
    Deny from all
    Allow from 123.456.789

    Is this it?

  3. Jeff Starr
    Jeff Starr 2010/05/11 4:21 pm

    Hey Steve, I wouldn’t say that, but it can go far in protecting sensitive material such as phpinfo.php.

    Also, the code you posted looks incorrect.. remember to wrap your code in <code> tags so that WordPress doesn’t gobble it..

  4. couldn’t you also chmod the file so it wouldn’t be publicly available?

  5. @brett: chmod won’t help with a phpinfo file as it only controls local access. Sure, you can deny it from apache, but then what’s the point, you might as well just delete it, or keep it outside the webroot. Locally there’s not much info in the phpinfo file …

  6. @connie et al: security through obscurity is NEVER a good idea.
    Like removing the “Entrance” sign but keep the door unlocked…
    It just delays the weakness being found.
    Now you can argue wheather a “difficult to gues” file name is not equivalent to a password. It is not!
    Anyone who manages to list the root directory has no bostacle anymore.

  7. Jeff Starr
    Jeff Starr 2010/06/12 4:54 pm

    Now you can argue wheather a “difficult to gues” file name is not equivalent to a password. It is not!

    Technically, isn’t using a password also “security through obscurity”?

    How is guessing a password any different than guessing a file name?

  8. Tanveer Malik 2010/07/18 12:21 pm

    how can we protect multiple file, like if we want to protect index.php file at the same time as well?

  9. Jeff Starr
    Jeff Starr 2010/07/18 4:25 pm

    Many ways to protect multiple files with htaccess.. either using regular expression or multiple deny blocks (or both).

  10. Not sure why but I was getting internal server error msg when tried to use the code in htaccess!! Didn’t check but most probably I placed the code in between of some other htaccess codes …Anyway instead of htaccess I used the Rod Homor trick which works great :) … Thanks @Rod Homor

  11. Wow thanks james i missed that. I was having the same problem

Comments are closed for this post. Something to add? Let me know.
Welcome
Perishable Press is operated by Jeff Starr, a professional web developer and book author with two decades of experience. Here you will find posts about web development, WordPress, security, and more »
USP Pro: Unlimited front-end forms for user-submitted posts and more.
Thoughts
2 things I hate to see in stylesheets: _ and #
Love VLC media player but it fails miserably when it comes to randomizing large collections of mp3 and other files.
Dashlane redesigned, stating proudly they "removed all filigree". Should have kept it; the app now looks generic and boring. Killed your identity.
Working on integration for setaPDF + EDD on the new books subdomain. Good times.
Toggle visibility of hidden files on Mac: Cmd + Shift + .
Great tool for checking browser caching for web pages and all included files.
The new minimalist design styled by 14KB of CSS (uncompressed and un-minified). That covers 850+ posts and pages spanning 15 years of diverse content.