Website config files often contain database credentials, API keys, salts, and environment settings that attackers can use to take over an application.
This guide explains how to protect website config files with proven security controls that reduce accidental exposure and make breaches harder to exploit.
Why website config files are high-value targets
Configuration files are attractive because they usually store the most sensitive application secrets in plain text or easily readable formats.
Common examples include .env files, wp-config.php, config.php, YAML files, JSON settings, and deployment manifests used by frameworks such as WordPress, Laravel, Django, and Node.js applications.
If an attacker reads these files, they may gain database access, authentication tokens, SMTP credentials, object storage keys, or cloud service permissions.
That can lead to data theft, website defacement, ransomware-style extortion, or lateral movement into other systems.
Store secrets outside the web root
The most important control is to keep sensitive config files outside the public document root whenever possible.
Files inside directories served by Apache, Nginx, or a content delivery path are more likely to be exposed by misconfiguration, backup leaks, or direct path enumeration.
- Place application secrets in a directory not accessible through the browser.
- Reference config files by absolute path rather than relative public paths.
- Split public settings from private secrets so the web server only serves non-sensitive assets.
For applications that require a config file in the project tree, lock down access at the web server and file system level so the file cannot be downloaded directly.
Use environment variables or secrets managers
Modern application security favors external secret storage over hardcoding sensitive values in files.
Environment variables, secret managers, and vault platforms reduce the chance that credentials will be committed to source control or exposed in a backup.
Common options for secret storage
- Environment variables: Useful for many PHP, Python, and Node.js deployments.
- Cloud secret managers: Examples include AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager.
- Vault platforms: Tools such as HashiCorp Vault can centralize secret distribution and rotation.
- Platform-managed secrets: Container orchestrators like Kubernetes support secret objects and injection patterns.
Even when using a secrets manager, ensure access policies are strict.
A secure storage system is only effective if the application identity can retrieve only the secrets it needs.
Lock down file permissions and ownership
Improper permissions are one of the most common reasons configuration files are exposed.
Each config file should have the minimum permissions required for the application to read it, and no more.
- Set ownership to the service account that runs the application.
- Remove unnecessary read, write, and execute permissions for group and other users.
- Avoid using broad permissions such as
chmod 777. - Separate deploy user access from runtime user access where possible.
On Linux and Unix systems, a typical secure pattern is read-only access for the application user and no public access for other accounts.
On Windows servers, use NTFS permissions to restrict access to the application identity and administrators.
Harden web server rules
Web server configuration is a critical line of defense if a config file sits in or near the web root.
Apache and Nginx can be configured to deny direct access to sensitive file types and names.
Protect common file patterns
- Block access to dotfiles such as
.env,.git, and.htpasswd. - Prevent direct downloads of backup files like
.bak,.old, and.zip. - Deny requests for configuration extensions such as
.ini,.yaml,.yml, and.jsonwhen they contain secrets.
In Apache, access controls can be applied through Directory or FilesMatch rules.
In Nginx, location blocks can deny access to hidden files and specific extensions.
Test these rules after deployment so they do not block legitimate application behavior.
Avoid storing secrets in source control
One of the fastest ways to expose website config files is to commit them to Git repositories.
Public leaks happen when developers push production credentials, configuration samples with real values, or forgotten backup files into a repository.
- Use
.gitignoreto exclude local config and secret files. - Store example values in template files such as
.env.exampleorconfig.sample.php. - Scan commits and branches for exposed keys before merging.
- Rotate any secret that was ever committed, even if the repository is private.
GitHub, GitLab, and Bitbucket all support secret scanning or repository security features that can help identify exposed credentials early.
Encrypt sensitive files at rest
Encryption adds an extra barrier if someone gains file-level access or steals a backup.
While encryption does not replace access control, it limits the usefulness of stolen files.
Useful approaches include full-disk encryption on servers, encrypted backups, and application-level encryption for highly sensitive values.
For cloud environments, enable encryption for attached volumes, object storage, and database snapshots.
Keep encryption keys separate from the encrypted data and manage access with strict identity controls.
Secure backups, staging, and deployment artifacts
Config files often leak through copies rather than the original.
Backups, staging sites, archive exports, CI/CD artifacts, and old deployment packages can all expose secrets if they are not handled carefully.
- Delete unused backup archives from public directories.
- Restrict access to staging environments that mirror production credentials.
- Sanitize build artifacts before publishing them to artifact repositories.
- Ensure deployment packages do not include local config files unless they are encrypted or injected at runtime.
Many incidents begin with a forgotten config.php.bak or .env.zip file left in a downloads folder or test directory.
Rotate secrets and use least privilege
If a config file is exposed, fast rotation can reduce impact.
Credentials should be designed so that compromise of one secret does not grant broad access to the entire environment.
- Use separate credentials for development, staging, and production.
- Limit database users to only the permissions required by the application.
- Assign API keys narrow scopes instead of full administrative access.
- Rotate passwords, tokens, and keys on a schedule and after any suspected exposure.
Least privilege also applies to services.
A web application should not use the same secret for database access, email delivery, cloud storage, and analytics if those functions can be separated.
Monitor for exposure and tampering
Security teams should actively monitor for configuration file exposure rather than assuming preventive controls are enough.
Attackers often probe for common file names, backup extensions, and framework-specific paths before launching an exploit.
Effective monitoring tactics
- Review web server logs for requests to sensitive file names and hidden paths.
- Alert on repeated 403 and 404 requests that suggest file enumeration.
- Use file integrity monitoring to detect unexpected changes in critical config files.
- Run regular vulnerability scans against staging and production environments.
If a config file is modified unexpectedly, treat it as a possible compromise and investigate immediately.
Build secure handling into your deployment process
Protecting website config files works best when it is part of the deployment pipeline.
Manual handling creates opportunities for mistakes, especially in fast-moving teams.
- Inject secrets during deployment instead of storing them in the repository.
- Use CI/CD role-based access controls so only approved jobs can retrieve secrets.
- Validate permissions and server rules as part of release checks.
- Document which config files are sensitive and who can access them.
Infrastructure as Code tools such as Terraform, Ansible, and Helm can help standardize deployment, but they must be configured to avoid leaking values into logs or state files.
How to protect website config files on WordPress and other CMS platforms?
Content management systems require special care because they often rely on a small number of critical files that attackers know by name.
In WordPress, wp-config.php is the most sensitive file because it contains database credentials and security salts.
Keep it outside the web root where possible, restrict file permissions, and block direct access through server rules.
For Drupal, Joomla, Magento, and similar platforms, apply the same principles: keep secrets out of public directories, deny direct access to config and backup files, and separate environment-specific values from application code.
Review platform documentation for recommended file placement and hardening settings.
What should be checked during a security review?
A practical security review should confirm that config files are not publicly reachable, are not committed to source control, and are protected by appropriate filesystem and server restrictions.
It should also verify that backups, staging sites, and deployment tools do not reveal production secrets.
- Can any config file be downloaded through the browser?
- Are backups or archives exposed in public directories?
- Do file permissions match the principle of least privilege?
- Are secrets stored in a dedicated manager rather than in code?
- Can exposed credentials be rotated quickly?
Answering these questions regularly is one of the most reliable ways to keep sensitive application settings out of an attacker’s hands.