Created: 18th August 2023
Updated: 18th August 2023
.env files generally contain environment-specific information for a given web application. They are not specific to any particular CMS or web application (in other words, a .env file is not a WordPress- or Drupal-specific file).
They are an attractive target for bots because they can reveal sensitive information such as API keys and other compromising details. They tend to be accidentally deployed to production servers by development and engineering teams.
The presence of a .env file on your server does not indicate that you have been hacked, but it is a security risk: the file should be removed from the publicly accessible directory if it can be, or otherwise blocked from web access.
For Apache web servers, you can hide this file by creating an .htaccess file in the document root and adding the following block into it:
    # Disable index view
    Options -Indexes

    # Hide a specific file
    <Files .env>
        Order allow,deny
        Deny from all
    </Files>
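The block above uses the older Order/Deny directives, which Apache 2.4 only accepts when mod_access_compat is loaded. The following added example (not part of the original page) goes slightly beyond it: it uses the native Apache 2.4 syntax with a fallback for 2.2, and it also covers variant filenames such as .env.local or .env.bak, which are assumed here for illustration.

```apache
# Added example, not from the original page.
# Disable directory listings so dotfiles are not revealed by an index view.
Options -Indexes

# Match .env and any file whose name starts with ".env"
# (.env.local, .env.bak and similar names are assumed variants).
<FilesMatch "^\.env">
    # Apache 2.4 and later: mod_authz_core provides the Require directive.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2: mod_authz_core is absent, so use the older directives.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After deploying, request the file from your own site and confirm that the response is 403 Forbidden. If the file is still served, the server's AllowOverride setting is probably causing the .htaccess file to be ignored.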