Shahid Malla

How to Secure WHMCS & Fix Exposed .git Repository Vulnerability

A complete step-by-step guide to testing, fixing, and preventing exposed .git repository leaks in WHMCS environments.

Shahid Malla · Jun 5, 2026 · 5 min read
shahidmalla.com/blog/how-to-secure-whmcs-fix-exposed-git-repository-vulnerability

Introduction

This tutorial explains:

  • How attackers exploit exposed .git directories
  • How WHMCS configuration.php gets leaked
  • How to test your own website safely
  • How to secure WHMCS properly
  • How to secure Git deployments
  • How to remove sensitive files from Git history
  • The safest production deployment methods
  • How to verify your server is secure

This guide is intended for server owners and developers only.

What Happened

Many developers deploy websites directly from Git repositories.

If the .git folder becomes publicly accessible:

https://yourdomain.com/.git/

attackers can:

  • download Git metadata
  • reconstruct source code
  • recover deleted files
  • access WHMCS secrets
  • leak database credentials

The most dangerous file is:

configuration.php

because it contains:

  • database credentials
  • WHMCS encryption hash
  • system paths
  • license data

Step 1 — Check if .git Is Exposed

Open in a browser:

https://yourdomain.com/.git/HEAD

OR:

https://yourdomain.com/.git/config

If secure:

  • 403 Forbidden
  • or 404 Not Found

If vulnerable, you will see contents like:

ref: refs/heads/main

or Git configuration details.

Step 2 — Install Git-Dumper Tool

macOS:

brew install pipx

Then:

pipx ensurepath

Restart terminal.

Install tool:

pipx install git-dumper

Verify:

git-dumper --help

Step 3 — Test Repository Exposure

Run:

git-dumper https://yourdomain.com/.git/ ./dumped-repo

If vulnerable, you will see:

Fetching .git/index [200]
Fetching .git/config [200]
Fetching .git/HEAD [200]

HTTP 200 means files are downloadable.

This confirms exposure.

Step 4 — Reconstruct Repository

Enter the dumped repo:

cd dumped-repo

Restore files:

git checkout .

If successful you may see:

Updated XXXX paths from the index

This means repository files were restored.

Step 5 — Check for WHMCS Configuration Leak

Search:

find . -name "configuration.php"

If file exists:

./configuration.php

then attackers could access your WHMCS credentials.

Step 6 — Verify Sensitive Data Exposure

Search for database credentials:

grep -R "db_password" .

Search for the encryption hash:

grep -R "cc_encryption_hash" .

View the WHMCS config:

cat configuration.php

If values appear, secrets were exposed.

Step 7 — BEST WAY TO SECURE .git

Most Important Rule

Never keep .git inside public web root.

BAD:

/public_html/.git

GOOD:

/home/user/project/.git
/public_html = deployed files only

.htaccess protection alone is NOT enough, because:

  • .htaccess can be deleted
  • Apache configs can change
  • Nginx ignores .htaccess
  • server migrations can re-expose files

The safest solution is:

  • keep Git repository outside web root
  • deploy only application files

Step 8 — Immediate Emergency Fix

If .git currently exists inside public_html:

Delete it:

rm -rf /public_html/.git

OR move it outside web root:

mv /public_html/.git /home/user/git-backup

Then test:

https://yourdomain.com/.git/config

It MUST return:

  • 403
  • or 404

ONLY.

Step 9 — Add Additional Protection Using .htaccess

Inside:

/public_html/.htaccess

Add:

RedirectMatch 404 /\.git

OR stronger:

<DirectoryMatch "^(.*/)?\.git/">
    Require all denied
</DirectoryMatch>

Even after removing .git, keep this rule for defense-in-depth.

Step 10 — Block Other Sensitive Files

Add:

<FilesMatch "^(\.env|\.git|\.svn|\.hg)">
    Require all denied
</FilesMatch>

This helps protect files whose names begin with:

  • .env
  • .git
  • .svn
  • .hg
  • other hidden configuration files

Note that FilesMatch tests file names only, not directory paths, so a request such as /.svn/entries is not covered by it; to deny whole .svn or .hg directories, use a DirectoryMatch rule like the one in Step 9.

Step 11 — Disable Directory Listing

Apache (.htaccess or virtual-host config):

Options -Indexes

Step 12 — Remove Sensitive Files from Git

Add to .gitignore:

configuration.php
.env
/vendor
/storage/logs

Then remove tracking:

git rm --cached configuration.php

Commit:

git add .gitignore
git commit -m "Remove sensitive files"
git push
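
An added example, not part of the original post: a pre-commit hook that refuses the commit when configuration.php, .env or a database dump is staged, so the .gitignore rule above has a second line of defence. The blocked path set and the function names are this example's assumptions.

```shell
#!/bin/sh
# Pre-commit hook: abort the commit if a WHMCS secret file is staged.
# Install as .git/hooks/pre-commit (chmod +x) in the repository kept outside the web root.

# Return 0 if $1 is a path that must never enter the repository, 1 otherwise.
# The blocked set (main config, dotenv files, database dumps) is this example's assumption.
is_blocked_path() {
    case $1 in
        configuration.php|*/configuration.php) return 0 ;;  # WHMCS main config
        .env|*/.env)                           return 0 ;;  # dotenv secrets
        *.sql|*.sql.gz)                        return 0 ;;  # database dumps
    esac
    return 1
}

# Print every blocked path among the arguments; return 0 if any was found, 1 if none.
find_blocked_paths() {
    found=1
    for staged in "$@"; do
        if is_blocked_path "$staged"; then
            printf '%s\n' "$staged"
            found=0
        fi
    done
    return $found
}

# Only run the Git check when invoked by Git as the pre-commit hook.
case "${0##*/}" in
    pre-commit)
        # Added, copied, modified or renamed paths in the index, one per line.
        staged=$(git diff --cached --name-only --diff-filter=ACMR)
        # shellcheck disable=SC2086  (splitting on newlines is intended; paths with spaces are not handled)
        if hits=$(find_blocked_paths $staged); then
            printf 'pre-commit: refusing to commit secret file(s):\n%s\n' "$hits" >&2
            exit 1
        fi
        ;;
esac
```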

Step 13 — Remove Secrets from Git History

Even deleted files remain in Git history.

Install tool:

brew install git-filter-repo

Remove config from history:

git filter-repo --path configuration.php --invert-paths

Force push (note: git filter-repo removes the origin remote as a safeguard, so re-add it before pushing, and clones made earlier still contain the old history):

git push --force

Step 14 — Rotate All Credentials

Assume compromise if .git was exposed.

Immediately change:

  • MySQL password
  • WHMCS admin passwords
  • SSH passwords
  • cPanel password
  • FTP password
  • SMTP credentials
  • API keys
  • payment gateway credentials
  • Cloudflare/API tokens

Step 15 — Audit Server for Backdoors

Search for suspicious PHP:

find . -name "*.php" -print0 | xargs -0 grep -i "base64_decode"

Search for eval usage:

find . -name "*.php" -print0 | xargs -0 grep -i "eval("

Check recently modified files:

find . -type f -mtime -7

Review unknown files carefully.

Step 16 — Check Cron Jobs

View cron jobs:

crontab -l

Remove unknown entries.

Step 17 — Enable Firewall & WAF

Recommended:

  • Cloudflare WAF
  • ModSecurity
  • Fail2Ban

Step 18 — Check Server Logs

Search access logs for:

.git/HEAD
.git/config
.git/index

This helps identify attackers scanning Git repositories.
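
The following shell snippet is an added example, not part of the original post: it reads access-log lines in the common Apache/Nginx "combined" format, reports each client IP that requested the three paths above together with its probe count and how many probes were answered with HTTP 200, and returns non-zero only if Git metadata was actually served. The log lines and the log path in the usage comment are constructed samples.

```shell
# Constructed sample lines in Apache/Nginx "combined" log format (not real traffic).
SAMPLE_LOG='203.0.113.5 - - [05/Jun/2026:10:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "git-dumper"
203.0.113.5 - - [05/Jun/2026:10:01:03 +0000] "GET /.git/config HTTP/1.1" 200 143 "-" "git-dumper"
203.0.113.5 - - [05/Jun/2026:10:01:04 +0000] "GET /.git/index HTTP/1.1" 200 9241 "-" "git-dumper"
198.51.100.7 - - [05/Jun/2026:11:15:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Jun/2026:11:20:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'

# Read log lines on stdin and print one line per client that requested
# .git/HEAD, .git/config or .git/index:  <ip> <probes> <probes answered 200>
# In combined format $1 is the client IP, $7 the request path and $9 the status.
git_probe_report() {
    awk '
        $7 ~ /\/\.git\/(HEAD|config|index)([?#].*)?$/ {
            probes[$1]++
            if ($9 == 200) served[$1]++
        }
        END {
            for (ip in probes) printf "%s %d %d\n", ip, probes[ip], served[ip] + 0
        }
    ' | sort
}

# Exit 0 if any probe on stdin was answered with 200 (Git metadata was served),
# exit 1 if every probe was blocked (403/404) or there were no probes at all.
git_exposure_served() {
    git_probe_report | awk '$3 > 0 { hit = 1 } END { exit hit ? 0 : 1 }'
}

# Typical use on a live server (assumed log path):
#   git_probe_report < /var/log/apache2/access.log
#   git_exposure_served < /var/log/apache2/access.log && echo "Git metadata was served"
```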

Final Verification Checklist

These URLs MUST fail:

https://yourdomain.com/.git/config
https://yourdomain.com/.git/HEAD
https://yourdomain.com/.git/index

Result must be:

  • 403
  • or 404

ONLY.

If they are accessible, your repository is vulnerable.

Best Professional Deployment Structure

Recommended secure setup:

/home/user/repository/.git
/home/user/repository/project-files
/public_html/deployed-files

Deploy only application files to public web root.

Never deploy .git.
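
Added example (not the author's deployment script): a POSIX sh function that copies the working tree into the web root with tar, leaving .git behind and not overwriting the server-side configuration.php, plus a check that no .git entry exists in the web root. The paths follow the layout above; the function names are assumptions.

```shell
# Deploy the working tree at $1 into the web root $2 without .git.
# tar --exclude keeps the Git metadata out of the copy; configuration.php is
# excluded too so the server-side WHMCS config (never committed) is not overwritten.
# Usage: deploy_site /home/user/repository/project-files /public_html
deploy_site() {
    src=$1
    dest=$2
    mkdir -p "$dest" || return 1
    tar -C "$src" --exclude=.git --exclude=configuration.php -cf - . \
        | tar -C "$dest" -xf -
}

# Return 0 when the web root contains no Git metadata, 1 when a .git entry exists.
verify_webroot() {
    if [ -e "$1/.git" ]; then
        printf 'WARNING: %s/.git exists inside the web root\n' "$1" >&2
        return 1
    fi
    return 0
}
```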

Important Security Rules

Never:

  • commit configuration.php
  • keep .git public
  • store production secrets in GitHub
  • expose backups publicly

Always:

  • use .gitignore
  • rotate secrets after exposure
  • keep Git outside web root
  • audit custom WHMCS modules/hooks

Conclusion

Exposed .git directories are one of the most dangerous but commonly overlooked security issues in WHMCS and PHP hosting environments.

A single exposed .git directory can leak:

  • source code
  • API keys
  • database passwords
  • WHMCS encryption hashes
  • deleted secrets from Git history

Always:

  • remove .git from public web root
  • block sensitive files
  • ignore secrets in Git
  • rotate credentials after exposure
  • audit your server regularly

