
A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd


Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

explainer

Sensitive Paths Exposed: What It Means and Why It Matters

When a school website accidentally exposes admin panels, config files, or backup archives, attackers don't need to hack — they just browse. Here's what to look for and how to lock things down.

5 min read · web security, misconfiguration, admin panel

What Are Sensitive Paths?

A sensitive path is a URL on your school's website that should never be publicly accessible — but is. Common examples include:

| Path | What It Exposes |
|------|----------------|
| /wp-admin | WordPress admin login |
| /phpmyadmin | Database admin panel |
| /.git | Source code and history |
| /backup.zip | Full site or database backup |
| /config.php | Database credentials |
| /server-status | Apache server diagnostics |
| /.env | Environment variables, API keys |
| /admin, /administrator | Generic admin panels |

These paths are probed constantly by automated scanners — not just by targeted attackers. Within hours of a site going live, bots are already checking for them.
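Because those probes leave a trail in ordinary access logs, a school can watch for them instead of waiting for a breach. The script below is an added example, not SchoolBreach.org's own scanner: it parses Apache/Nginx combined-format log lines, counts per client how many requests hit the paths in the table above, and separately reports any sensitive path that actually answered 200 OK, which means the server served something. The log lines and IP addresses in SAMPLE_LOG are constructed for the example; PROBE_THRESHOLD and SENSITIVE_PATH_RE are assumptions to tune for your own site.

```python
"""Flag clients probing sensitive paths in an Apache/Nginx access log.

Added example, not SchoolBreach.org's scanner. SAMPLE_LOG and its IP
addresses are constructed; PROBE_THRESHOLD and SENSITIVE_PATH_RE are
assumptions to tune for your site.
"""
import re
from collections import defaultdict

# Request paths from the article's table, matched on path-segment boundaries
# so /admin-news is not counted but /admin and /administrator/ are.
SENSITIVE_PATH_RE = re.compile(
    r"^/(wp-admin|phpmyadmin|\.git|\.env|server-status|admin|administrator)(/|$)"
    r"|^/[^/]*backup[^/]*\.(zip|tar|tar\.gz|sql|sql\.gz)$"  # backup.zip, backup_2023.sql.gz
    r"|^/config\.php$",
    re.IGNORECASE,
)

# How many sensitive-path requests from one client before we call it a scanner.
PROBE_THRESHOLD = 3

# Apache/Nginx "combined" format, e.g.
# 203.0.113.5 - - [10/Mar/2026:08:12:01 +0800] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one client probing four paths (one probe succeeds with 200),
# one normal visitor, one lone /admin request, and one malformed line.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:08:12:01 +0800] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:08:12:01 +0800] "GET /.git/config HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:08:12:02 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2026:08:12:02 +0800] "GET /backup_2023.zip HTTP/1.1" 200 48211009 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:08:13:10 +0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:08:13:12 +0800] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2026:08:14:00 +0800] "GET /admin HTTP/1.1" 404 153 "-" "curl/8.0"
not a log line
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query string: /.git/config?x still counts
    return rec


def is_sensitive_path(path):
    """True if the request path is one of the paths that should never be public."""
    return SENSITIVE_PATH_RE.match(path) is not None


def find_probers(lines, threshold=PROBE_THRESHOLD):
    """Map client IP -> list of (path, status) for clients at or above the threshold."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_sensitive_path(rec["path"]):
            hits[rec["ip"]].append((rec["path"], rec["status"]))
    ranked = sorted(hits.items(), key=lambda kv: len(kv[1]), reverse=True)
    return {ip: reqs for ip, reqs in ranked if len(reqs) >= threshold}


def exposed_paths(lines):
    """Sensitive paths that answered 200 OK: the server actually served something."""
    return {
        rec["path"]
        for rec in map(parse_line, lines)
        if rec and rec["status"] == 200 and is_sensitive_path(rec["path"])
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, reqs in find_probers(lines).items():
        print(f"{ip}: {len(reqs)} sensitive-path requests")
        for path, status in reqs:
            print(f"    {status} {path}")
    for path in sorted(exposed_paths(lines)):
        print(f"EXPOSED (returned 200): {path}")
```

Run it against a real log with `find_probers(open("/var/log/nginx/access.log"))`. A client listed by `find_probers` is noise you can rate-limit or block; anything listed by `exposed_paths` is an actual exposure to fix today, because a 302 to the login page is normal for /wp-admin but a 200 for a backup archive means the file was downloaded.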

Why Schools Are Particularly At Risk

  • Aging systems: Many school websites run on old WordPress installs or custom PHP built years ago, often without ongoing maintenance.
  • No dedicated web administrator: The person who set up the site may have left, and nobody else knows what's installed.
  • Backup files left in web root: A common mistake — a developer creates backup_2023.zip in the public folder and forgets to delete it.
  • Default CMS paths never changed: WordPress always puts the admin at /wp-admin unless explicitly moved or restricted.

What Attackers Do With This Access

Exposed admin panels let attackers attempt brute-force logins. If the admin uses a weak or reused password, the site gets taken over — defaced, used to spread malware, or mined for student data.

Exposed config files reveal database credentials. An attacker with these can download your entire student database directly.

Exposed .git directories let attackers reconstruct your full source code, often revealing API keys, passwords, and internal logic.

Exposed backups contain everything — the database, uploaded files, and sometimes credential hashes that can be cracked offline.

How to Check Your Site

The Site Scanner checks for dozens of common sensitive paths automatically. If it flags a result, take it seriously — the path is publicly reachable.

You can also check manually:

https://yourschool.edu.ph/wp-admin
https://yourschool.edu.ph/.git/config
https://yourschool.edu.ph/phpmyadmin
https://yourschool.edu.ph/.env

If any of these return a page (even an error with content) rather than a clean 404, investigate immediately.

How to Fix It

1. Restrict access by IP or password

For admin panels, limit access to your school's IP range using your web server config or firewall:

# Nginx: restrict /wp-admin to office IP
# If your config also has a regex location for PHP files (e.g. "location ~ \.php$"),
# nginx prefers that regex match for /wp-admin/*.php over this prefix match, so add
# the same allow/deny lines inside that block as well.
location /wp-admin {
    allow 203.0.113.10;  # your school's IP
    deny all;
}

2. Remove files that shouldn't be there

Delete backup files, .zip archives, and old copies from your web root. There is no reason these should be publicly accessible.

3. Disable directory listing

Ensure your web server doesn't show a file browser when a directory has no index file:

# Apache: add to .htaccess (the main server config must grant
# "AllowOverride Options" or "AllowOverride All" for this directory,
# otherwise the directive is silently ignored)
Options -Indexes

4. Move sensitive tools off the web root

Database admin tools like phpMyAdmin should either be removed entirely (use a desktop client instead) or installed on a non-public port accessible only via VPN.

5. Use a Web Application Firewall (WAF)

Services like Cloudflare (free tier available) can block automated path-scanning bots before they reach your server.
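For step 2, the quickest way to find stray files is to walk the web root on the server itself rather than guess URLs from outside. The script below is an added example, not SchoolBreach.org's tooling: it lists backup archives and database dumps, .env files, .git directories, a bundled phpMyAdmin folder, and editor leftovers such as config.php~, which PHP does not execute and the server therefore returns as plain text, credentials included. The directory it audits is built on the spot from constructed files; the filename rules are assumptions to extend for your own site (config.php itself is deliberately not flagged, since the application needs it and a working PHP handler executes it rather than serving it).

```python
"""Audit a public web root for files that should never be served.

Added example, not SchoolBreach.org's tooling. The directory it scans is
built on the spot with constructed files; the filename rules are
assumptions to extend for your own site.
"""
import os
import re
import shutil
import tempfile

# Backup archives and database dumps (article: backup.zip, backup_2023.zip).
ARCHIVE_RE = re.compile(r"\.(zip|tar|tar\.gz|tgz|rar|7z|sql|sql\.gz|bak|old|orig)$", re.IGNORECASE)
# Editor and copy leftovers such as config.php~ or config.php.save: PHP does not
# execute these, so the server returns the source, credentials included.
EDITOR_COPY_RE = re.compile(r"(~|\.swp|\.save)$")
# Directories that belong off the web root entirely (article: /.git, /phpmyadmin).
SENSITIVE_DIRS = {".git", ".svn", "phpmyadmin"}


def audit_web_root(root):
    """Return sorted (relative path, reason) pairs for everything that should not be public."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for d in list(dirnames):
            if d.lower() in SENSITIVE_DIRS:
                findings.append((_rel(rel_dir, d), "sensitive directory"))
                dirnames.remove(d)  # no need to walk inside .git or phpMyAdmin
        for f in filenames:
            if f == ".env" or f.startswith(".env."):
                findings.append((_rel(rel_dir, f), "secrets file"))
            elif ARCHIVE_RE.search(f):
                findings.append((_rel(rel_dir, f), "backup/archive"))
            elif EDITOR_COPY_RE.search(f):
                findings.append((_rel(rel_dir, f), "editor or backup copy"))
    return sorted(findings)


def _rel(rel_dir, name):
    """Build a forward-slash relative path, dropping the leading './'."""
    return os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")


def build_sample_root():
    """Create a throwaway web root mixing legitimate files with constructed stray ones."""
    root = tempfile.mkdtemp(prefix="webroot-")
    layout = {
        "index.php": "<?php echo 'hello'; ?>",
        "style.css": "body {}",
        "config.php": "<?php $db_pass = 'x'; ?>",   # needed by the app; executed, not served
        "config.php~": "<?php $db_pass = 'x'; ?>",  # editor leftover served as plain text
        "backup_2023.zip": "PK",
        ".env": "DB_PASSWORD=x",
        "uploads/photo.jpg": "jpeg bytes",
        "db/school.sql.gz": "gzip bytes",
        ".git/config": "[core]",
        "tools/phpMyAdmin/index.php": "<?php ?>",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    root = build_sample_root()
    try:
        for rel_path, reason in audit_web_root(root):
            print(f"{reason:22} {rel_path}")
    finally:
        shutil.rmtree(root)
```

Point `audit_web_root` at the real document root (for example `/var/www/html`) and review each finding: move backups and dumps outside the web root, delete editor leftovers, and relocate phpMyAdmin as step 4 describes. Run it again after any deployment or manual edit on the server, since that is when such files reappear.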

Try the Live Demo

Interactive Path Scanner Demo: Enter any school portal URL and run a simulated path scan. Click on any 200 OK result to see the mock contents of what an attacker would find — database credentials, backup dumps, git repositories, and admin panels.

Launch Sensitive Paths Demo →

Related Resources

  • Site Scanner — check your site for exposed paths right now
  • School Cybersecurity Checklist — full hardening checklist
  • Common Attack Vectors in Philippine Schools — how attackers use exposed paths