Should The Info.php File Be Publicly Visible?

Question
On a WordPress website, should the ~/info.php file be publicly viewable so that anyone and everyone can view it?
That means going to the site and adding /info.php at the end of the URL. If you can see anything (other than a ‘page not found’) then the file is publicly viewable.
And if it is publicly viewable, then is it a vulnerability? And how can a site owner prevent the file content being publicly viewable?
Answer
The file ~/info.php poses a security concern if it's publicly accessible because it outputs a full PHP configuration report, including the server OS and PHP version, the PHP modules that have been loaded, the paths to the config files, and what functions have been enabled.
Attackers can use these details about the server: knowing the PHP version and the extensions helps them exploit known vulnerabilities.
How Does The File Get There
info.php is not part of the default WordPress installation.
Usually the file gets there because it is added manually when a developer wants to check the PHP configuration and diagnose server setup issues during development, and then forgets to remove the file when he or she is finished.
But suppose the file was not manually added. Then how could it get there?
That’s where automatic installations come in. This file is most commonly added when a site is set up with a one-click installation, such as with tools like Softaculous, or the cPanel App Installer.
Solution
There are two options. If you can FTP in to public_html then you can delete the info.php file. If you want to keep the file before you delete it, then download it, keep a copy on your local machine, and then delete it from the server.
Or you could keep it in place and add an instruction to your ‘.htaccess’ file to deny access to anyone but you.
For that you have to know your own IP address so you can see the file but no one else can.
Use one of the online 'What Is My IP' services to find your IP address and then, assuming an Apache setup, add this at the end of the .htaccess file.
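```apache
# Replace IP.ADDRESS with your own public IP address.
# On Apache 2.4 these directives are provided by mod_access_compat.
<Files "info.php">
Order Deny,Allow
Deny from all
Allow from IP.ADDRESS
</Files>
```
Will Removing The File Mess Up Anything?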
There’s a short answer, and it is no. Removing the file will not harm a site in any way and it is safe to remove it. The proof of that is that the vast majority of installations do not have an info.php file.
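To confirm that deleting the file or adding the .htaccess rule worked, a site owner can check how their own site answers a request for /info.php. The following is an added example, not code from the original article; the function names, the verdict labels and the sample responses are constructed for illustration, and it assumes the report is the standard HTML page that phpinfo() generates.

```python
import re
import urllib.error
import urllib.request

# Strings found in the HTML report that phpinfo() generates.
TITLE_RE = re.compile(r"<title>[^<]*phpinfo\(\)[^<]*</title>", re.IGNORECASE)
VERSION_RE = re.compile(r"PHP Version\s+(\d+\.\d+\.\d+[\w.+~-]*)", re.IGNORECASE)


def classify(status, body):
    """Return (verdict, leaked_php_version_or_None) for one HTTP response."""
    if status == 404:
        return ("absent", None)          # file deleted or never present
    if status in (401, 403):
        return ("blocked", None)         # access rule is doing its job
    version = VERSION_RE.search(body)
    if status == 200 and (TITLE_RE.search(body) or version):
        return ("exposed", version.group(1) if version else None)
    # e.g. a theme's own "not found" page served with status 200
    return ("inconclusive", None)


def check_site(base_url, timeout=10):
    """Fetch <base_url>/info.php from wherever this script runs and classify it."""
    url = base_url.rstrip("/") + "/info.php"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:  # 4xx/5xx responses arrive here
        return classify(err.code, "")


# Constructed sample responses (not captured from a real server).
SAMPLE_EXPOSED = (
    "<html><head><title>PHP 8.1.2 - phpinfo()</title></head><body>"
    '<h1 class="p">PHP Version 8.1.2</h1>'
    '<tr><td class="e">System</td><td class="v">Linux web01</td></tr></body></html>'
)
SAMPLE_THEME_404 = "<html><head><title>Page not found - My Site</title></head></html>"

if __name__ == "__main__":
    print(classify(200, SAMPLE_EXPOSED))
    print(classify(403, ""))
    print(classify(200, SAMPLE_THEME_404))
```

Call check_site() with your own site's address from a connection other than the allowed IP (a mobile hotspot, for example); from the allowed IP the .htaccess rule still lets the report through, so "exposed" is the expected result there.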