What is a .env file, and why should you care?
You probably do not manage your website's code day-to-day. But somewhere inside your website's file structure, there is almost certainly a file called .env — or wp-config.php if you use WordPress — that contains the keys to your kingdom.
Database usernames and passwords. API keys for payment processors. Email service credentials. Sometimes even access tokens for cloud services like AWS or Google Cloud.
If that file is publicly accessible — meaning anyone with a browser can type your-domain.com/.env and read it — you have a critical vulnerability. And it is far more common than you think.
Open your browser and type: yourdomain.com/.env — if you see text (not a 404 error page), you have a critical vulnerability that needs fixing today. Also try yourdomain.com/wp-config.php and yourdomain.com/.git.
How does this happen? (It's not as stupid as it sounds)
Configuration files end up publicly exposed for entirely understandable reasons:
- A developer deploys a new version of the site and the .env file ends up in the public web root by mistake
- A hosting migration goes slightly wrong and folder permissions get reset
- A backup is created in a predictable location (/backup.zip, /site-backup-2024.tar.gz) and left there
- A developer adds a phpinfo.php file to debug a problem and forgets to remove it
None of these are acts of recklessness. They are accidents. But on the internet, accidents are permanent until someone fixes them.
"The most dangerous vulnerabilities in small business websites are not sophisticated zero-day exploits. They are configuration errors — files left in the wrong place, permissions set incorrectly. These are entirely preventable."
— PwC UK, Cyber Security Threat Intelligence Report, 2025
What can an attacker actually do with your .env file?
Let's be specific, because "security risk" is too abstract to act on.
If your database credentials are exposed:
- Connect directly to your database and download every customer record, order, and piece of personal data you hold
- Delete your entire database — attackers sometimes do it for ransom, sometimes for malice
- Modify product prices, order records, or user account details
If your email service API keys are exposed:
- Send phishing emails from your domain to your entire customer list
- Run up thousands of pounds in email sending fees billed to your account
If your payment processor keys are exposed:
- Depending on the processor, attackers may be able to initiate refunds, access card data, or impersonate your business
"We have seen cases where exposed AWS credentials led to cloud bills of over £50,000 in a single weekend. Attackers spin up cryptocurrency mining operations on your account the moment they find valid keys." — KPMG UK, Incident Response Case Studies, 2025
How to fix it — and what to do if it's been exposed
Immediate fix steps:
- Delete the .env file from your public web root
- Add a deny rule to your .htaccess file so the web server refuses to serve the file even if a copy is put back later:
<Files .env>
Deny from all
</Files>
- Rotate every credential that was in the file immediately — assume they have been compromised
- Check your server access logs for requests to /.env, /wp-config.php, /.git
- If you find evidence of access, treat it as a confirmed breach and notify your customers
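The log check in the steps above can be scripted rather than done by eye. The following is an added example, not code from the original article: it assumes an Apache or nginx "combined" access log, and the five log lines are constructed for the demonstration. A request for one of the three paths that came back with a 2xx status means the file was actually served and should be treated as confirmed access; a 403 or 404 is only a probe, which is still worth knowing about.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The paths the article says to look for in your access logs.
SENSITIVE_PATHS = ("/.env", "/wp-config.php", "/.git")

# Apache/nginx "combined" format: ip ident user [time] "METHOD target proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (not real traffic); 203.0.113.x and friends are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2026:03:14:07 +0000] "GET /.env HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2026:03:14:09 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Jan/2026:03:20:41 +0000] "GET /.git/config HTTP/1.1" 404 153 "-" "curl/8.0"
192.0.2.77 - - [12/Jan/2026:08:02:13 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Jan/2026:08:02:14 +0000] "GET /.gitignore HTTP/1.1" 404 153 "-" "Mozilla/5.0"
"""


@dataclass
class Finding:
    ip: str
    time: str
    path: str
    status: int
    served: bool  # True when the server answered 2xx, i.e. the file contents went out


def is_sensitive(target: str) -> bool:
    """Match the exact path or anything below it (e.g. /.git/config), ignoring the query string."""
    path = target.split("?", 1)[0]
    return any(path == s or path.startswith(s + "/") for s in SENSITIVE_PATHS)


def scan_log(lines):
    """Return one Finding per request for a sensitive path; lines that do not parse are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_sensitive(m.group("target")):
            continue
        status = int(m.group("status"))
        findings.append(Finding(
            ip=m.group("ip"),
            time=m.group("time"),
            path=m.group("target").split("?", 1)[0],
            status=status,
            served=200 <= status < 300,
        ))
    return findings


def summarize(findings):
    """Separate confirmed exposures (file served) from mere probes, and count requesting IPs."""
    return {
        "served": sum(1 for f in findings if f.served),
        "probes": sum(1 for f in findings if not f.served),
        "sources": Counter(f.ip for f in findings),
    }


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for f in found:
        label = "SERVED - treat as breach" if f.served else "probe"
        print(f"{f.time} {f.ip} {f.path} {f.status} {label}")
    print(summarize(found))
```

On a real server, replace `SAMPLE_LOG.splitlines()` with the open log file (and the rotated, gzipped ones, which is where months-old accesses will be). Any finding with `served=True` is the "evidence of access" the steps above refer to.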
Longer-term protection:
- Store sensitive credentials outside the web root entirely
- Use environment variables at the server level rather than file-based configuration
- Run a regular audit — at minimum annually, ideally whenever you deploy new code
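The regular audit can be run on the server itself, where it catches the mistakes listed earlier (a stray .env, a wp-config.php that could live one directory above the web root, a forgotten phpinfo.php, a backup archive, a .git directory) before anyone on the internet does. This is an added example, not the article's own tooling: it assumes you know the path of your public web root, and `build_demo_webroot` creates a constructed throwaway directory purely so the script can be run and tested offline.

```python
import os
import tempfile
from pathlib import Path

# File types the article says should never sit under the public web root.
ARCHIVE_SUFFIXES = (".zip", ".tar.gz", ".tgz", ".tar", ".sql", ".sql.gz")


def classify(filename: str):
    """Return a remediation reason for a risky filename, or None if it looks harmless."""
    if filename == ".env" or filename.startswith(".env."):
        return "secrets file: move outside the web root and rotate everything in it"
    if filename == "wp-config.php":
        return "WordPress config: WordPress will also load it from one directory above the web root"
    if filename == "phpinfo.php":
        return "debug script: delete it"
    if filename.endswith(ARCHIVE_SUFFIXES):
        return "backup/archive in a guessable location: move it outside the web root"
    return None


def audit_webroot(root):
    """Walk the web root and list (relative path, reason) for everything that should not be there."""
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if ".git" in dirnames:
            rel = (here / ".git").relative_to(root).as_posix()
            findings.append((rel, "git metadata: remove the .git directory from the web root"))
            dirnames.remove(".git")  # one finding for the whole directory; no need to descend
        for fn in filenames:
            reason = classify(fn)
            if reason:
                findings.append(((here / fn).relative_to(root).as_posix(), reason))
    return sorted(findings)


def build_demo_webroot():
    """Constructed web root in a temp dir containing the mistakes the article lists (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    (root / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (root / ".env").write_text("DB_PASSWORD=example-not-real\n")
    (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'example-not-real');\n")
    (root / "phpinfo.php").write_text("<?php phpinfo();\n")
    (root / "site-backup-2024.tar.gz").write_bytes(b"\x1f\x8b")
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text("[core]\n")
    (root / "assets").mkdir()
    (root / "assets" / "logo.png").write_bytes(b"\x89PNG")
    return root


if __name__ == "__main__":
    demo = build_demo_webroot()
    for path, reason in audit_webroot(demo):
        print(f"{path}: {reason}")
```

Run it against your real web root (for example `audit_webroot("/var/www/html")`) from a cron job or as a step in your deployment, so the check happens on every release rather than once a year.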
"The cost of rotating credentials proactively is an afternoon. The cost of rotating them after a confirmed breach — plus customer notification, forensic review, and potential ICO reporting — is weeks and thousands of pounds."
— The Guardian, Small Business Security supplement, January 2026
Key takeaways
- Exposed .env files are the 2nd most common critical finding in UK website audits
- They typically sit undetected for months or years — no alarm ever fires
- Consequences range from database theft to £50,000+ cloud bills
- The fix takes less than 30 minutes once you know the file is exposed
- The only way to know is to check — right now, not next month