When a school website accidentally exposes admin panels, config files, or backup archives, attackers don't need to hack — they just browse. Here's what to look for and how to lock things down.
A sensitive path is a URL on your school's website that should never be publicly accessible — but is. Common examples include:
| Path | What It Exposes |
|------|----------------|
| /wp-admin | WordPress admin login |
| /phpmyadmin | Database admin panel |
| /.git | Source code and history |
| /backup.zip | Full site or database backup |
| /config.php | Database credentials |
| /server-status | Apache server diagnostics |
| /.env | Environment variables, API keys |
| /admin, /administrator | Generic admin panels |
These paths are probed constantly by automated scanners — not just by targeted attackers. Within hours of a site going live, bots are already checking for them.
How these paths end up exposed is usually mundane:

- Someone leaves backup_2023.zip in the public folder and forgets to delete it.
- /wp-admin is reachable on every WordPress site unless explicitly moved or restricted.

Exposed admin panels let attackers attempt brute-force logins. If the admin uses a weak or reused password, the site gets taken over — defaced, used to spread malware, or mined for student data.
Exposed config files reveal database credentials. An attacker with these can download your entire student database directly.
Exposed .git directories let attackers reconstruct your full source code, often revealing API keys, passwords, and internal logic.
Exposed backups contain everything — the database, uploaded files, and sometimes credential hashes that can be cracked offline.
The Site Scanner checks for dozens of common sensitive paths automatically. If it flags a result, take it seriously — the path is publicly reachable.
You can also check manually:
```
https://yourschool.edu.ph/wp-admin
https://yourschool.edu.ph/.git/config
https://yourschool.edu.ph/phpmyadmin
https://yourschool.edu.ph/.env
```
If any of these return a page (even an error with content) rather than a clean 404, investigate immediately.
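Checking four URLs by hand is fine; checking the full list of paths on every site you run is not. The script below is an added example, not part of the original article and not its Site Scanner: it requests each sensitive path on a site you administer without following redirects (so a 302 from /wp-admin/ to the login page is reported as reachable rather than silently turned into the login page's 200) and treats only a clean 404 as fine. The path list, the soft-404 markers and the verdict names are this example's own choices; the fetcher is injectable so the classification can be exercised offline against constructed responses.

```python
# Added example (not the article's Site Scanner): request each sensitive path on
# a site you administer and classify the answer. Only a clean 404 counts as fine.
# The path list and verdict names are this example's own choices.
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List

# Paths from the article's table, in the trailing-slash forms servers usually
# redirect to.
SENSITIVE_PATHS: List[str] = [
    "/wp-admin/", "/phpmyadmin/", "/.git/config", "/backup.zip",
    "/config.php", "/server-status", "/.env", "/admin/", "/administrator/",
]

# Phrases that mark a "soft 404": a 200 whose body is really a not-found page.
SOFT_404_MARKERS = ("not found", "page doesn't exist", "page does not exist")


@dataclass
class Probe:
    path: str
    status: int          # HTTP status code; 0 means the request itself failed
    body: str = ""       # start of the response body
    location: str = ""   # Location header when the answer was a redirect


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx answers instead of following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx, which we catch


def fetch_path(base_url: str, path: str, timeout: float = 5.0) -> Probe:
    """GET base_url + path and capture status, a slice of the body and Location."""
    url = base_url.rstrip("/") + path
    req = urllib.request.Request(url, headers={"User-Agent": "site-self-audit/1.0"})
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(2048).decode("utf-8", "replace")
            return Probe(path, resp.status, body, resp.headers.get("Location", ""))
    except urllib.error.HTTPError as err:  # 3xx, 4xx and 5xx all land here
        try:
            body = err.read(2048).decode("utf-8", "replace")
        except Exception:
            body = ""
        location = err.headers.get("Location", "") if err.headers else ""
        return Probe(path, err.code, body, location)
    except (urllib.error.URLError, OSError):
        return Probe(path, 0)


def classify(p: Probe) -> str:
    """Turn one probe into an audit verdict.

    ok           clean 404: nothing is served at that path
    unreachable  the request itself failed (DNS, TLS, timeout)
    restricted   401/403: something is there but the server blocks it;
                 confirm the block is deliberate, not just a missing index file
    exposed      200 with content, or a redirect (usually to a login page)
    soft-404     200 whose body reads like a not-found page; check by hand
    error        5xx: a handler exists for the path and is failing
    """
    if p.status == 0:
        return "unreachable"
    if p.status == 404:
        return "ok"
    if p.status in (401, 403):
        return "restricted"
    if 300 <= p.status < 400:
        return "exposed"
    if p.status == 200:
        text = p.body.lower()
        if any(marker in text for marker in SOFT_404_MARKERS):
            return "soft-404"
        return "exposed"
    return "error"


def audit(base_url: str, fetch: Callable[[str, str], Probe] = fetch_path,
          paths: List[str] = SENSITIVE_PATHS) -> Dict[str, str]:
    """Return {path: verdict} for every path; `fetch` is injectable for testing."""
    return {path: classify(fetch(base_url, path)) for path in paths}


if __name__ == "__main__":
    import sys
    # "yourschool.edu.ph" is the article's placeholder host; pass your own site.
    base = sys.argv[1] if len(sys.argv) > 1 else "https://yourschool.edu.ph"
    for path, verdict in sorted(audit(base).items(), key=lambda kv: kv[1]):
        print(f"{verdict:<12} {path}")
```

Run it as `python audit.py https://yourschool.edu.ph` against a site you are responsible for. Anything other than `ok` deserves a look: `restricted` is usually fine but confirms the path exists, and `soft-404` means the server answered 200 for a page that claims not to exist, which some hosting panels do for every unknown URL.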
For admin panels, limit access to your school's IP range using your web server config or firewall:
```nginx
# Nginx: restrict /wp-admin to office IP
# Note: if PHP is handled by a separate "location ~ \.php$" block, that regex
# location takes precedence over this prefix location for /wp-admin/*.php, so the
# allow/deny below would not apply to them. Use "location ^~ /wp-admin" and nest
# your existing PHP handler inside it so the restriction covers the PHP files too.
location /wp-admin {
    allow 203.0.113.10;  # your school's IP
    deny all;
}
```

Delete backup files, .zip archives, and old copies from your web root. There is no reason these should be publicly accessible.
Ensure your web server doesn't show a file browser when a directory has no index file:
```apache
# Apache: add to .htaccess
# (only honoured if the main config sets AllowOverride Options or All for this directory)
Options -Indexes
```
Database admin tools like phpMyAdmin should either be removed entirely (use a desktop client instead) or installed on a non-public port accessible only via VPN.
Services like Cloudflare (free tier available) can block automated path-scanning bots before they reach your server.
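Whether or not a CDN sits in front of the site, your own access logs show this probing, and they also show whether a probe ever succeeded. The script below is an added example, not part of the original article: it parses lines in the standard combined log format (the sample lines are constructed for the example), flags any client that requests three or more different sensitive paths within ten minutes, and separately lists every 200 the server returned for a sensitive path, which is the finding that actually needs fixing. The thresholds and the path regex are this example's assumptions.

```python
# Added example (not from the original article): spot automated path probing in
# your own web server access logs. The log lines are constructed for this example.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Combined/common log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# The paths from the article's table; the trailing "(/|$)" keeps /admin from
# matching legitimate pages such as /admissions.
SENSITIVE_RE = re.compile(
    r"^/(wp-admin|phpmyadmin|\.git|backup[^/]*\.(zip|sql|tar|gz|tgz)|config\.php"
    r"|server-status|\.env|admin|administrator)(/|$)"
)

# Constructed sample: one scanner, one staff member using /wp-admin, one visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Mar/2024:02:14:01 +0800] "GET /.env HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2024:02:14:02 +0800] "GET /.git/config HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2024:02:14:02 +0800] "GET /phpmyadmin/ HTTP/1.1" 404 153
198.51.100.7 - - [12/Mar/2024:02:14:03 +0800] "GET /backup.zip HTTP/1.1" 200 5242880
203.0.113.10 - - [12/Mar/2024:08:30:11 +0800] "GET /wp-admin/ HTTP/1.1" 302 0
203.0.113.10 - - [12/Mar/2024:08:31:45 +0800] "GET /enrollment/ HTTP/1.1" 200 8812
192.0.2.44 - - [12/Mar/2024:09:05:00 +0800] "GET /admissions/ HTTP/1.1" 200 7120
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one access-log line; returns None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def is_sensitive(path: str) -> bool:
    return SENSITIVE_RE.match(path) is not None


def find_probers(lines, min_paths: int = 3,
                 window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Return {ip: sorted distinct sensitive paths} for every client that asked for
    at least `min_paths` different sensitive paths inside any `window`."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_sensitive(rec["path"]):
            events[rec["ip"]].append((rec["ts"], rec["path"]))
    flagged: Dict[str, List[str]] = {}
    for ip, evs in events.items():
        evs.sort()
        for start, _ in evs:  # slide a window starting at each event
            in_window = {p for t, p in evs if start <= t <= start + window}
            if len(in_window) >= min_paths:
                flagged[ip] = sorted({p for _, p in evs})
                break
    return flagged


def find_exposures(lines) -> List[Tuple[str, str, int]]:
    """Every 200 served for a sensitive path: the probe found something real."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200 and is_sensitive(rec["path"]):
            hits.append((rec["ip"], rec["path"], rec["status"]))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, paths in find_probers(lines).items():
        print(f"probing from {ip}: {', '.join(paths)}")
    for ip, path, status in find_exposures(lines):
        print(f"EXPOSED: {path} returned {status} to {ip}")
```

On real logs, feed `open("/var/log/nginx/access.log")` (or the Apache equivalent) to both functions. The 404s from probers are background noise you can rate-limit or leave to a CDN; any line `find_exposures` returns is a path that must be deleted or restricted as described above.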
Interactive Path Scanner Demo: Enter any school portal URL and run a simulated path scan. Click on any 200 OK result to see the mock contents of what an attacker would find — database credentials, backup dumps, git repositories, and admin panels.