WQI.webqualityindex
Method v1.1.0 85 live / 86 total factors methodology


Sensitive path exposure (.git, .env, /admin, xmlrpc.php, wp-login.php)

live factor #7 · Security & Infrastructure · scoring impl: implemented · weight 2%

What we measure

Some files and URL paths should never be reachable from the public internet — like `.git/config`, `.env`, or legacy WordPress endpoints. Each one that responds publicly is a separate attack surface.

How to improve your score

Configure your web server to deny access to these paths. For WordPress: block `xmlrpc.php` if it is not used, restrict `/wp-admin` and `/wp-login.php` by IP, and never deploy `.git/` or `.env` files to public directories.
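The "never deploy" advice above can be enforced before release with a check of the public directory. The following is an added example, not WQI's own code: the function names, the `remove`/`restrict` labels and the `.env.*` variant match are assumptions, and the sample tree is constructed.

```python
"""Pre-deploy gate for a public web root (added example; names and labels are assumptions)."""
import os
import sys
import tempfile

# Path names come from the factor title; ".env.*" variants are an added assumption.
MUST_REMOVE = {".git", ".env"}             # never belong in a public directory
RESTRICT = {"xmlrpc.php", "wp-login.php"}  # WordPress: block or limit by IP at the web server


def audit_webroot(root):
    """Return sorted (url_path, action) pairs for sensitive entries under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        prefix = "/" if rel == "." else "/" + rel.replace(os.sep, "/") + "/"
        for name in list(dirnames):
            if name in MUST_REMOVE:
                findings.append((prefix + name + "/", "remove"))
                dirnames.remove(name)  # prune: report the repository once, do not walk it
        for name in filenames:
            # ".git" can also be a plain file (worktree or submodule pointer).
            if name in MUST_REMOVE or name.startswith(".env."):
                findings.append((prefix + name, "remove"))
            elif name in RESTRICT:
                findings.append((prefix + name, "restrict"))
    return sorted(findings)


def build_sample_webroot(root):
    """Create a constructed sample tree, used only to demonstrate the audit."""
    for rel in (".git/config", ".env", "blog/.env.production",
                "blog/xmlrpc.php", "blog/wp-login.php", "index.html"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_webroot(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_webroot(tmp)
            results = audit_webroot(tmp)
    for url_path, action in results:
        print(f"{action:8} {url_path}")
    sys.exit(1 if any(a == "remove" for _, a in results) else 0)
```

Run it with the web root as the only argument in a deploy pipeline; a non-zero exit means at least one entry has to be removed before publishing.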

Data source

Data source for this factor is not yet documented.

Scoring

Scoring formulas are versioned with the methodology. The current method (v1.1.0) maps raw measurements to pass, warn, or fail. Factor weights determine how much each factor contributes to the composite; see the methodology index for the full table.

Version history

| Version | Change | Date |
|---|---|---|
| v1.1.0 | Factor introduced. Status: live. Scoring impl: implemented. | 2026-04-25 |
