
Sensitive Paths Exposed: What It Means and Why It Matters

When a school website accidentally exposes admin panels, config files, or backup archives, attackers don't need to hack — they just browse. Here's what to look for and how to lock things down.

What Are Sensitive Paths?

A sensitive path is a URL on your school's website that should never be publicly accessible — but is. Common examples include:

| Path | What It Exposes |
|------|----------------|
| /wp-admin | WordPress admin login |
| /phpmyadmin | Database admin panel |
| /.git | Source code and history |
| /backup.zip | Full site or database backup |
| /config.php | Database credentials |
| /server-status | Apache server diagnostics |
| /.env | Environment variables, API keys |
| /admin, /administrator | Generic admin panels |

These paths are probed constantly by automated scanners — not just by targeted attackers. Within hours of a site going live, bots are already checking for them.

Why Schools Are Particularly At Risk

  • Aging systems: Many school websites run on old WordPress installs or custom PHP built years ago, often without ongoing maintenance.
  • No dedicated web administrator: The person who set up the site may have left, and nobody else knows what's installed.
  • Backup files left in web root: A common mistake — a developer creates backup_2023.zip in the public folder and forgets to delete it.
  • Default CMS paths never changed: WordPress always puts the admin at /wp-admin unless explicitly moved or restricted.

What Attackers Do With This Access

Exposed admin panels let attackers attempt brute-force logins. If the admin uses a weak or reused password, the site gets taken over — defaced, used to spread malware, or mined for student data.

Exposed config files reveal database credentials. An attacker with these can download your entire student database directly.

Exposed .git directories let attackers reconstruct your full source code, often revealing API keys, passwords, and internal logic.

Exposed backups contain everything — the database, uploaded files, and sometimes credential hashes that can be cracked offline.

How to Check Your Site

The Site Scanner checks for dozens of common sensitive paths automatically. If it flags a result, take it seriously — the path is publicly reachable.

You can also check manually:

```
https://yourschool.edu.ph/wp-admin
https://yourschool.edu.ph/.git/config
https://yourschool.edu.ph/phpmyadmin
https://yourschool.edu.ph/.env
```

If any of these return a page (even an error with content) rather than a clean 404, investigate immediately.
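As an added example that is not part of the original article, this Python 3 script (standard library only) runs the same manual check against a site you administer and sorts each response by status code; the host name is a placeholder, and the paths are the ones from the table above.

```python
"""Check your own site for the sensitive paths listed in the table above.

Added example, not from the original article. Assumes Python 3 and a
placeholder host that you replace with the site you administer.
"""
import urllib.error
import urllib.request

# Paths from the table above (plus /.git/config, the file the manual check uses).
SENSITIVE_PATHS = [
    "/wp-admin", "/phpmyadmin", "/.git/config", "/backup.zip", "/config.php",
    "/server-status", "/.env", "/admin", "/administrator",
]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: /wp-admin -> wp-login.php is itself a finding."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status):
    """Map an HTTP status to the action the article recommends.
    404 is the only clean answer; 401/403 means the path exists but is
    restricted (confirm that is your own IP rule); 2xx/3xx means reachable."""
    if status == 404:
        return "clean"
    if status in (401, 403):
        return "restricted"
    if 200 <= status < 400:
        return "exposed"
    return "investigate"


def check_site(base_url, timeout=10):
    """Return {path: (verdict, status_or_error)} for every sensitive path."""
    opener = urllib.request.build_opener(NoRedirect)
    results = {}
    for path in SENSITIVE_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "sensitive-path-check"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:   # 3xx/4xx/5xx land here
            status = err.code
        except urllib.error.URLError as err:    # DNS/TLS/connection failure
            results[path] = ("error", str(err.reason))
            continue
        results[path] = (classify(status), status)
    return results


if __name__ == "__main__":
    for path, (verdict, detail) in check_site("https://yourschool.edu.ph").items():
        print(f"{verdict:11} {detail!s:>4}  {path}")
```

Anything reported as "exposed" or "investigate" is the case the article describes: the path answers with content instead of a clean 404.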

How to Fix It

1. Restrict access by IP or password

For admin panels, limit access to your school's IP range using your web server config or firewall:

```nginx
# Nginx: restrict /wp-admin to office IP
location /wp-admin {
    allow 203.0.113.10;  # your school's IP
    deny all;
}
```

2. Remove files that shouldn't be there

Delete backup files, .zip archives, and old copies from your web root. There is no reason these should be publicly accessible.

3. Disable directory listing

Ensure your web server doesn't show a file browser when a directory has no index file:

```apache
# Apache: add to .htaccess
Options -Indexes
```

4. Move sensitive tools off the web root

Database admin tools like phpMyAdmin should either be removed entirely (use a desktop client instead) or installed on a non-public port accessible only via VPN.

5. Use a Web Application Firewall (WAF)

Services like Cloudflare (free tier available) can block automated path-scanning bots before they reach your server.
