WPEngine _wpeprivate/config.json information disclosure
Description
WPEngine, a managed WordPress hosting provider, automatically creates a _wpeprivate directory containing a config.json file with sensitive configuration data including database credentials, API keys, and environment settings. When web server configurations are not properly hardened, this file can be accessed directly via HTTP requests without authentication, exposing critical infrastructure secrets to unauthorized parties.
Remediation
Immediately restrict public access to the _wpeprivate directory by implementing web server access controls:

For Apache (.htaccess or virtual host configuration):

    # Apache 2.4 syntax (virtual host or .htaccess)
    <Directory /path/to/wordpress/_wpeprivate>
        Require all denied
    </Directory>

    # Or, using .htaccess in the _wpeprivate directory with the
    # Apache 2.2 syntax (needs mod_access_compat on 2.4):
    Deny from all

For Nginx (server block configuration):

    location ~* /_wpeprivate/ {
        deny all;
        return 403;
    }

After implementing these controls, verify the fix by attempting to access https://yourdomain.com/_wpeprivate/config.json directly; it should return a 403 Forbidden error. Additionally, consider rotating any exposed credentials as a precautionary measure.
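The verification step above, as an added example that is not part of this advisory: a small script that requests your own site's _wpeprivate/config.json and classifies the response. It treats a 200 with a parsable JSON object as a leak and a 200 with HTML (a catch-all page) as inconclusive, so a "soft 200" is not mistaken for a clean result. The base URL, the `fetch` helper and the verdict labels are assumptions.

```python
"""Check whether _wpeprivate/config.json is reachable over HTTP.
Added example; not WP Engine's code. Run against a site you operate."""
import json
import sys
import urllib.error
import urllib.request

PRIVATE_PATH = "/_wpeprivate/config.json"


def fetch(url, timeout=10):
    """Return (status, body). HTTP error statuses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "wpeprivate-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("utf-8", "replace")


def assess(status, body):
    """Classify the response: EXPOSED, BLOCKED, ABSENT or INCONCLUSIVE.

    Assumption: the real config.json is a non-empty JSON object, so a 200
    whose body is not one (e.g. a themed HTML page) is not proof of a leak."""
    if status == 200:
        try:
            data = json.loads(body)
        except ValueError:
            return "INCONCLUSIVE"
        return "EXPOSED" if isinstance(data, dict) and data else "INCONCLUSIVE"
    if status in (401, 403):
        return "BLOCKED"   # the access control from the remediation is in effect
    if status == 404:
        return "ABSENT"
    return "INCONCLUSIVE"


def check_site(base_url, fetcher=fetch):
    """Build the private-path URL, fetch it, and return (url, status, verdict)."""
    url = base_url.rstrip("/") + PRIVATE_PATH
    status, body = fetcher(url)
    return url, status, assess(status, body)


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"
    url, status, verdict = check_site(base)
    print(f"{url} -> HTTP {status}: {verdict}")
    sys.exit(1 if verdict == "EXPOSED" else 0)
```

The non-zero exit on EXPOSED lets the check run as a post-deployment gate. The `fetcher` argument exists so the classification can be tested offline with constructed responses.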