The shared hosting threat model

Many businesses choose local hosting companies in Lagos to satisfy regulatory preferences or keep latency low. However, shared hosting packages often suffer from poor user isolation. If another site on the same physical server is hacked, the attacker can traverse the file system and access your WordPress configuration file (wp-config.php).

We check file permission settings during our reviews. If your directories use permission flags like 777, any user on the server can read and write files inside your application workspace.

Pentest finding

Cross-site file traversal exposes database password

During an audit of a corporate website, we found that directory permissions on a shared server were misconfigured. By exploiting a vulnerability in a neighboring site, we traversed to the target's folder, read their wp-config.php file, and recovered the MySQL database password.

Exposed backup files and database folders

Developers occasionally create database backups and store them directly in the WordPress root directory using predictable filenames like backup.sql or site.zip.

We use web scanners and dictionary lists to locate these hidden files. If they are publicly accessible, we can download the database structure, extract customer lists, and crack administrator password hashes offline.

Hardening your WordPress configuration

To secure your WordPress deployment on local hosting providers:

# Add to .htaccess to prevent directory indexing
Options -Indexes

# Block access to the configuration file
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Get your WordPress site audited

A compromised company website can damage your business reputation and spread malware to your customers. Simpa Labs will help you audit your server configuration, scan for exposed backups, and secure your database configurations.

Book a WordPress Audit