
Why it Matters

The Magento webroot (pub/) must contain only the files the storefront needs. If old developer files, backups, or hidden files such as .git or .env remain inside it, attackers can simply download them and learn about your database, credentials, or source code.

Exposed artifacts give attackers an easy entry point without needing to exploit complex bugs. Keeping the webroot free of leftover files reduces information leaks and protects the store from quick, automated attacks that scan for these common mistakes.

Verification Steps

Manual (Unix)

# Look for hidden files and folders inside pub/
find /var/www/magento/pub -maxdepth 2 -name ".*"

# Check for backups, SQL dumps, or archive files
find /var/www/magento/pub -type f \( -name "*.bak" -o -name "*.sql" -o -name "*.zip" \)
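The two manual checks above combined into one audit function, as an added example that is not part of this baseline page. It also allow-lists the dotfiles Magento itself ships in pub/ (.htaccess and .user.ini, an assumed allow-list) so they are not reported as findings, and adds a few extra artifact patterns (*.tar.gz, *.orig, *~) that are assumptions beyond the page's own list.

```shell
#!/bin/sh
# Audit a Magento webroot for leftover artifacts (added example, POSIX sh).
# Exit status is non-zero when anything unexpected is found, so the function
# can gate a deployment pipeline.

audit_webroot() {
    dir="$1"

    # Hidden entries near the top of the webroot, minus the dotfiles Magento
    # ships (assumed allow-list: .htaccess and .user.ini)
    hidden=$(find "$dir" -mindepth 1 -maxdepth 2 -name '.*' \
        ! -name '.htaccess' ! -name '.user.ini')

    # Backups, SQL dumps, archives and editor leftovers at any depth
    artifacts=$(find "$dir" -type f \( -name '*.bak' -o -name '*.sql' \
        -o -name '*.zip' -o -name '*.tar.gz' -o -name '*.orig' -o -name '*~' \))

    [ -n "$hidden" ] && printf '%s\n' "$hidden" | sed 's/^/HIDDEN: /'
    [ -n "$artifacts" ] && printf '%s\n' "$artifacts" | sed 's/^/ARTIFACT: /'

    # grep -c . counts non-empty lines; "|| true" keeps a zero count from
    # tripping set -e in callers
    findings=$(printf '%s\n%s\n' "$hidden" "$artifacts" | grep -c . || true)
    echo "Findings: $findings"
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_webroot /var/www/magento/pub` and fail the release when the exit status is non-zero.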

Remediation / Fix Guidance

  1. Remove all hidden files like .git, .env, or editor configs from pub/.
  2. Do not keep backups or temporary files inside the webroot. Store them outside the document root or in secure storage.
  3. Update deployment scripts to exclude development artifacts from production builds.
  4. Configure the web server (Nginx/Apache) to deny access to hidden files and unexpected file types (for example *.sql, *.bak, *.zip) as a backstop in case such files reappear.

Examples

Fail Example

# Dangerous files exposed in pub/
pub/.git/
pub/.env
pub/db_backup.sql

Pass Example

# Clean webroot, only Magento public files
pub/index.php
pub/static/
pub/media/
