The shared hosting threat model
Many businesses choose local hosting companies in Lagos to satisfy regulatory preferences or keep latency low. However, shared hosting packages often suffer from poor user isolation. If another site on the same physical server is hacked, the attacker can traverse the file system and access your WordPress configuration file (wp-config.php).
We check file permission settings during our reviews. If your directories use permission flags like 777, any user on the server can read and write files inside your application workspace.
Cross-site file traversal exposes database password
During an audit of a corporate website, we found that directory permissions on a shared server were misconfigured. By exploiting a vulnerability in a neighboring site, we traversed to the target's folder, read their wp-config.php file, and recovered the MySQL database password.
Exposed backup files and database folders
Developers occasionally create database backups and store them directly in the WordPress root directory using predictable filenames like backup.sql or site.zip.
We use web scanners and dictionary lists to locate these hidden files. If they are publicly accessible, we can download the database structure, extract customer lists, and crack administrator password hashes offline.
Hardening your WordPress configuration
To secure your WordPress deployment on local hosting providers:
# Add to .htaccess to prevent directory indexing
Options -Indexes
# Block access to the configuration file
<Files wp-config.php>
order allow,deny
deny from all
</Files> - Enforce strict file permissions: Set directories to
755and files to644. Thewp-config.phpfile should be set to600or400. - Disable XML-RPC: Block access to
xmlrpc.phpto prevent brute-force login attempts. - Keep plugins updated: Automate updates for security plugins and form components.
Get your WordPress site audited
A compromised company website can damage your business reputation and spread malware to your customers. Simpa Labs will help you audit your server configuration, scan for exposed backups, and secure your database configurations.