Exposed Files Checker
Checks 25+ sensitive file paths: .env, .git/config, wp-config.php, phpinfo.php, .htpasswd, adminer.php, backup.sql, .ssh/id_rsa, composer.json, and more. Severity critical/high/medium/low. Grade A-F.
How to Use Exposed Files Checker
1. Enter your website URL to scan for exposed sensitive files.
2. The tool checks 25+ common sensitive file paths: .env, .git, wp-config.php, phpinfo.php, adminer, backups, and more.
3. Files returning 200 OK are marked as exposed with severity ratings.
4. Critical and high severity files require immediate remediation to prevent data breaches.
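The check described in the steps above, written out as an added example (this is not the tool's own code): each sensitive path is requested with a plain GET, only a 200 response counts as exposed, and the worst severity found decides the letter grade. The path-to-severity table follows this page's FAQ; the A-F grading thresholds, the `fetch` injection point and the soft-404 probe are assumptions. The probe handles the case a practitioner most often trips over: a server that answers 200 for every path would make every finding a false positive, so the result is flagged for manual verification when that happens.

```python
"""Model of the exposed-files check described on this page.

Added example, not the tool's own code. Paths and severities follow the
page's FAQ; the A-F grading rule and the catch-all probe are assumptions.
"""
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Path -> severity, as listed in the page's FAQ.
SENSITIVE_PATHS: Dict[str, str] = {
    "/.env": "critical",
    "/.git/config": "critical",
    "/wp-config.php": "critical",
    "/backup.sql": "critical",
    "/backup.zip": "critical",
    "/.ssh/id_rsa": "critical",
    "/.htpasswd": "high",
    "/phpinfo.php": "high",
    "/adminer.php": "high",
    "/phpmyadmin/": "high",
    "/composer.json": "medium",
    "/composer.lock": "medium",
    "/server-status": "medium",
    "/server-info": "medium",
    "/package.json": "low",
    "/.DS_Store": "low",
}

# Assumed grading rule: the worst severity present decides the letter.
SEVERITY_ORDER = ["critical", "high", "medium", "low"]
GRADE_BY_WORST = {"critical": "F", "high": "D", "medium": "C", "low": "B"}


@dataclass
class Finding:
    path: str
    severity: str


@dataclass
class ScanResult:
    findings: List[Finding] = field(default_factory=list)
    catch_all: bool = False  # True when the server returns 200 for any path

    def grade(self) -> str:
        for sev in SEVERITY_ORDER:
            if any(f.severity == sev for f in self.findings):
                return GRADE_BY_WORST[sev]
        return "A"


def http_status(url: str, timeout: float = 5.0) -> int:
    """Plain GET returning only the status code; the body is not needed."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposed-files-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def scan(base_url: str, fetch: Callable[[str], int] = http_status) -> ScanResult:
    """Request each sensitive path; only 200 OK counts as exposed (403/404 do not).

    `fetch` is injectable so the logic can be exercised offline.
    """
    base = base_url.rstrip("/")
    result = ScanResult()
    # Soft-404 check: a random nonexistent path answered with 200 means the
    # server has a catch-all page and every 200 below needs manual review.
    probe = f"/does-not-exist-{secrets.token_hex(8)}"
    result.catch_all = fetch(base + probe) == 200
    for path, severity in SENSITIVE_PATHS.items():
        if fetch(base + path) == 200:
            result.findings.append(Finding(path, severity))
    return result


if __name__ == "__main__":
    import sys

    # Assumed default target; pass your own site's URL as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080"
    res = scan(target)
    for f in res.findings:
        print(f"[{f.severity.upper():8}] {f.path}")
    note = " (catch-all 200 responses: verify each finding manually)" if res.catch_all else ""
    print(f"Grade: {res.grade()}{note}")
```

Run it against a site you administer; a 403 or 404 on every path is the outcome you want, and the `catch_all` flag tells you when a 200 cannot be trusted on its own.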
Frequently Asked Questions
What sensitive files does this tool check for?
.env files (critical — database passwords, API keys, secret tokens), .git/config (critical — repository URL, remote origins), wp-config.php (critical — WordPress database credentials), .htpasswd (high — hashed credentials), phpinfo.php (high — PHP/server configuration), adminer.php (high — direct database access), phpmyadmin/ (high — database management), composer.json/lock (medium — dependency versions), package.json (low — Node.js dependencies), .DS_Store (low — macOS metadata), backup.sql/backup.zip (critical — database/site backups), .ssh/id_rsa (critical — SSH private keys), server-status/server-info (medium — Apache diagnostic pages).
My .env file is exposed — what do I do immediately?
Immediate steps: (1) Take the affected service offline or block access while you remediate. (2) Assume all secrets in .env are compromised — rotate ALL API keys, database passwords, and tokens immediately. (3) Check your access logs for the past 30 days to see if .env was accessed before you detected it. (4) Fix the root cause: move .env above webroot, add "deny from all" in .htaccess, or configure nginx to block dotfiles. (5) Audit all API keys and services affected — check for unauthorized access or usage. (6) Consider whether you need to notify affected users (GDPR breach notification within 72 hours).
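Step (3) above, checking whether the file was fetched before you noticed, is usually done against the web server's access log. The script below is an added example (not the tool's own code) that reads nginx/Apache "combined" format log lines, reports every request for a sensitive path, and marks the ones the server actually served with 200. It goes slightly beyond the .env case and also matches .git, .ssh, wp-config.php, backups and .htpasswd at any directory depth, after percent-decoding so `/%2Eenv` is not missed. The sample log lines are constructed; the `since` window and the prefix list are assumptions.

```python
"""Review access logs for requests that hit sensitive paths.

Added example, not the tool's own code. Assumes the nginx/Apache
"combined" log format; the sample lines below are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional
from urllib.parse import unquote, urlsplit

# Names worth alerting on (assumed list). Entries ending in "/" or "." are
# treated as prefixes so /.git/HEAD and /backup.zip match too.
SENSITIVE_PREFIXES = ("/.env", "/.git/", "/.ssh/", "/wp-config.php", "/backup.", "/.htpasswd")

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class Hit:
    when: datetime
    ip: str
    path: str
    status: int
    served: bool  # True when the server returned the file (200)


def normalize(target: str) -> str:
    """Drop the query string, percent-decode, and collapse '//' and '/./'."""
    path = unquote(urlsplit(target).path)
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return "/" + "/".join(parts) + ("/" if path.endswith("/") and parts else "")


def is_sensitive(norm: str) -> bool:
    """True if a sensitive name starts at any directory boundary (/app/.env, /old/.git/HEAD)."""
    for i, ch in enumerate(norm):
        if ch != "/":
            continue
        rest = norm[i:]
        for p in SENSITIVE_PREFIXES:
            if p.endswith(("/", ".")):
                if rest.startswith(p):
                    return True
            elif rest == p or rest.startswith((p + "/", p + ".")):
                return True  # exact name, or .env.bak / .env/ style variants
    return False


def parse_line(line: str) -> Optional[Hit]:
    m = COMBINED.match(line)
    if not m:
        return None
    status = int(m["status"])
    return Hit(datetime.strptime(m["ts"], TS_FORMAT), m["ip"],
               normalize(m["target"]), status, status == 200)


def review(lines: Iterable[str], since: Optional[datetime] = None) -> List[Hit]:
    """Hits on sensitive paths in log order; `since` limits the window (e.g. 30 days)."""
    hits = []
    for line in lines:
        hit = parse_line(line)
        if hit is None or not is_sensitive(hit.path):
            continue
        if since is not None and hit.when < since:
            continue
        hits.append(hit)
    return hits


# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2026:08:14:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2026:08:14:05 +0000] "GET /.env HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.9 - - [03/Mar/2026:09:20:11 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.4.0"
198.51.100.9 - - [03/Mar/2026:09:20:12 +0000] "GET /%2Eenv?x=1 HTTP/1.1" 403 162 "-" "curl/8.4.0"
192.0.2.44 - - [01/Jan/2026:00:00:00 +0000] "GET /old/.git/HEAD HTTP/1.1" 200 23 "-" "Go-http-client/1.1"
"""

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:  # real log file: apply the page's 30-day window
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = review(fh, since=datetime.now(timezone.utc) - timedelta(days=30))
    else:
        hits = review(SAMPLE_LOG.splitlines())
    for h in hits:
        flag = "SERVED" if h.served else "blocked"
        print(f"{h.when.isoformat()} {h.ip:15} {h.status} {flag:7} {h.path}")
```

Any "SERVED" line is the evidence that decides step (5) and (6): the secrets were read, not just requested, so the rotation and notification decisions follow from those entries rather than from the 403/404 noise around them.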
Why is .git directory exposure dangerous?
An exposed .git directory allows attackers to reconstruct your entire source code, including historical versions. From .git/config, an attacker can see your repository URL. Using tools like git-dumper, they can download the complete repository including: all source code, commit history, removed files, hardcoded secrets in historical commits, and infrastructure configuration. This is one of the most dangerous file exposures. Fix it by blocking .git access in your server config: nginx "location ~ /\.git { deny all; }" or Apache "RedirectMatch 404 /\.git".
How do I block these files in nginx and Apache?
Nginx — add in the server block: location ~ /\.(env|git|htaccess|htpasswd|DS_Store) { deny all; return 404; } Apache — add in .htaccess or httpd.conf: <FilesMatch "^\.(env|git|htaccess|htpasswd|DS_Store)"> Order deny,allow / Deny from all / </FilesMatch> (Order/Deny is the Apache 2.2 form; on Apache 2.4 put Require all denied inside the block instead). PHP files like phpinfo.php: just delete them from the server — they should never be on production. For .git directories, FilesMatch is not enough on its own because it matches file names, not the directory, so block the entire directory in httpd.conf with a regex directory match: <DirectoryMatch "/\.git"> Require all denied </DirectoryMatch> (Deny from all on Apache 2.2).
Is this tool safe to use on my own website?
Yes — this tool only makes standard HTTP GET requests to specific paths on your website, the same type of requests any browser or search engine bot would make. It checks the same paths that security researchers, penetration testers, and unfortunately attackers routinely scan for. Running this check is equivalent to your web server logging a few HTTP 200/404/403 responses. The tool does not attempt to exploit any vulnerabilities — it only checks whether files are accessible. Use it to find exposures before attackers do.