The webroot (pub/) must be free of leftover developer artifacts such as .git, .env, or backup files. These files often reveal credentials, configuration details, or source code, and attackers routinely probe for them as an easy first step toward compromise.
The Magento webroot (pub/) must stay clean and contain only the files the storefront needs. If old developer files, backups, or hidden files such as .git or .env remain inside it, attackers can download them directly and learn about your database, passwords, or source code.
Exposed artifacts give attackers an entry point that needs no complex bug to exploit. Keeping the webroot free of leftover files reduces information leaks and protects the store from the quick, automated scans that look for exactly these mistakes.
# Look for hidden files and folders inside pub/ (Magento's own .htaccess files under pub/ are expected; anything else needs a reason to be there)
find /var/www/magento/pub -maxdepth 2 -name ".*"
# Check for backups, SQL dumps, or archive files
find /var/www/magento/pub -type f \( -name "*.bak" -o -name "*.sql" -o -name "*.zip" -o -name "*.tar.gz" \)
Leftover .git, .env, or editor configs do not belong in pub/.
# Dangerous files exposed in pub/
pub/.git/
pub/.env
pub/db_backup.sql
# Clean webroot, only Magento public files
pub/index.php
pub/static/
pub/media/
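A scripted version of the checks above, added here as an example and not code from the original page or from the Magento project. It walks a webroot, reports hidden entries, backups, dumps and archives, skips the .htaccess files Magento itself ships under pub/ (that allow-list is an assumption; extend it if your deployment adds other legitimate dotfiles), and can optionally probe the live site for the /.git/HEAD, /.git/config and /.env paths that scanners try first. The webroot path, the site URL and the file-name patterns are assumptions, not values from the page.

```shell
#!/bin/sh
# audit_pub.sh: report leftover developer artifacts in a Magento webroot.
# Added example, not from the original page or the Magento project.
# Usage: sh audit_pub.sh /var/www/magento/pub [https://shop.example.com]
#        (both arguments are placeholders; adjust to your deployment)

# Dotfiles Magento itself ships inside pub/ and its subdirectories.
# Assumption: extend this list if your deployment adds legitimate dotfiles.
ALLOWED_DOTFILES=".htaccess"

# Return 0 when the basename of path $1 is on the allow-list.
is_allowed() {
    name=$(basename "$1")
    for a in $ALLOWED_DOTFILES; do
        [ "$name" = "$a" ] && return 0
    done
    return 1
}

# Print every suspicious path under webroot $1, one per line, sorted.
list_artifacts() {
    root="$1"
    {
        # Hidden entries at any depth (.git, .svn, .env, .idea, .DS_Store, *.swp);
        # -prune reports a hidden directory once instead of every file inside it.
        find "$root" -mindepth 1 -name '.*' -prune
        # Backups, dumps, archives and editor leftovers.
        find "$root" -type f \( -name '*.bak' -o -name '*.old' -o -name '*.orig' \
            -o -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' -o -name '*.tar' \
            -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*~' \)
    } | while IFS= read -r p; do
        is_allowed "$p" || printf '%s\n' "$p"
    done | sort -u
}

# Print findings and return 1 if any were found, 0 if the webroot is clean.
audit_webroot() {
    findings=$(list_artifacts "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "clean: $1"
    return 0
}

# From outside, confirm the web server does not serve the paths scanners try first.
# Requires curl; only the HTTP status code is inspected. Returns 1 if any is served.
probe_webroot() {
    base="$1"
    rc=0
    for path in /.git/HEAD /.git/config /.env; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base$path")
        if [ "$code" = "200" ]; then
            echo "EXPOSED $path ($code)"
            rc=1
        else
            echo "ok      $path ($code)"
        fi
    done
    return $rc
}

if [ -n "${1:-}" ]; then
    audit_webroot "$1"
    if [ -n "${2:-}" ]; then probe_webroot "$2"; fi
fi
```

Run the filesystem audit on the server and the probe from a machine outside it: a clean directory listing is not enough if a stale copy of the webroot is still served from another vhost or a CDN origin, so the HTTP check is the one that matches what an attacker sees.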