Secure File Storage in Web Hosting: What Does Not Belong in public_html

In a cPanel account, the public_html folder is the document root of your main domain. By default the web server delivers every file placed there to anyone who requests its URL, whether or not a page links to it; only a server rule (such as one in .htaccess) or restrictive file permissions prevent that. This is precisely why only the files that the website actually needs should be stored there.

Many security issues arise because sensitive files are accidentally saved in the publicly accessible area: database exports, ZIP backups, configuration files, old website copies, or temporary files. Such files can contain confidential information and should not lie unprotected in the web directory.

Important Principle:
Anything that does not need to be publicly accessible via your website should not be permanently stored in the public_html folder.

Why public_html Is Particularly Sensitive

The purpose of public_html is the public delivery of website files. HTML files, images, CSS, JavaScript, or PHP applications generally belong there. Backups, internal documents, database exports, and configuration files containing access credentials, however, do not belong in this area permanently.

Even if a file is not linked anywhere, anyone who knows or guesses its name can download it. Automated scanners request common names on every site they find, so an unlinked file is not a hidden file. Simple, predictable names are particularly problematic, such as:

  • backup.zip
  • database.sql
  • website-old.zip
  • dump.sql
  • config.php.bak
  • .env

These Files Should Not Be in public_html

File type: .sql
  Risk: Contains database content, often a complete export including user accounts, password hashes and email addresses.
  Recommendation: Download it, then delete it from the server, or store it outside public_html.

File type: .zip, .tar.gz
  Risk: Can contain a full website backup, i.e. source code, configuration files with credentials, uploads and sometimes a database export.
  Recommendation: Do not keep it permanently in the web directory.

File type: .env
  Risk: Contains credentials and API keys. Apache only protects .ht* files by default, so a .env file is served as plain text unless a rule blocks it.
  Recommendation: Do not store it in the public web directory.

File type: .bak, .old
  Risk: Contains old configurations or code. The server does not execute config.php.bak as PHP; it serves the raw source as text, including any database credentials in it.
  Recommendation: Remove it, or store it securely outside public_html.

File type: internal documents
  Risk: Can contain confidential information.
  Recommendation: Do not store them in the public web directory.

Storing Backups Securely

Backups are important, but they should not lie permanently in the publicly accessible website folder. A full ZIP backup can contain source code, configuration files, uploads, and sometimes database exports.

Recommended process:

  1. Create backup.
  2. Download backup to your local computer.
  3. Store backup additionally in a secure location.
  4. Remove the backup file from the web server when it is no longer needed there.

If you must keep backups on the server, store them outside the public web directory so that they cannot be requested via the browser at all. In cPanel, that means a folder in your home directory that is not the document root of any domain, for example /home/USERNAME/backups rather than a subfolder of public_html (also avoid the document roots of addon domains and subdomains). Such a folder is still reachable via FTP, SSH and the File Manager, so give it restrictive permissions (700 for the folder, 600 for the archives).
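The procedure above (create, store outside the web directory, remove when no longer needed), as an added shell example that is not part of the original article. It assumes the site lives in a directory such as $HOME/public_html and that the backup folder, e.g. $HOME/backups, is not the document root of any domain; both paths, the archive name pattern site-*.tar.gz and the retention period are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original article): create a site backup in a folder
# outside public_html, lock down its permissions, and prune archives older than N days.
# Assumptions: the site is a directory such as "$HOME/public_html" and the backup folder
# is a directory such as "$HOME/backups" that is not the document root of any domain.

# make_backup SITE_DIR BACKUP_DIR -> prints the path of the new archive
make_backup() {
    site_dir="$1"
    backup_dir="$2"
    archive="$backup_dir/site-$(date +%Y%m%d-%H%M%S).tar.gz"

    mkdir -p "$backup_dir"
    chmod 700 "$backup_dir"          # only the account owner may list or enter it
    # umask 077 makes tar create the archive as 0600 from the start; the subshell keeps
    # the umask change local. Earlier archives lying inside the site are not nested.
    ( umask 077 && tar -czf "$archive" \
        -C "$(dirname "$site_dir")" \
        --exclude='*.zip' --exclude='*.tar.gz' \
        "$(basename "$site_dir")" )
    chmod 600 "$archive"
    printf '%s\n' "$archive"
}

# prune_backups BACKUP_DIR DAYS -> deletes site-*.tar.gz archives older than DAYS days
prune_backups() {
    find "$1" -maxdepth 1 -type f -name 'site-*.tar.gz' -mtime +"$2" \
        -print -exec rm -f {} \;
}

# Usage: sh backup.sh /home/USER/public_html /home/USER/backups 30
# Download the printed archive from your own machine afterwards, e.g. with scp.
if [ $# -eq 3 ]; then
    echo "created: $(make_backup "$1" "$2")"
    prune_backups "$2" "$3"
fi
```

The archive never touches public_html, so there is nothing to clean up in the web directory afterwards; the download (step 2) is done from your own machine, for example with scp, and the retention in prune_backups covers step 4 for copies kept on the server.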

Protecting Database Exports Particularly Well

Files with the extension .sql often contain complete database exports. In CMS or shop systems, they can contain page content, user accounts with password hashes, email addresses, settings, API keys, or other confidential data.

Security Risk:
A publicly accessible database export is a full breach of that database: anyone who downloads it has every user record and every setting it contains. Export the database only when needed, download the file immediately and remove it from the web directory afterwards. Note that some CMS backup plugins write their exports into a subfolder of the website itself, so check those locations as well.

Removing Old Installations

Old website versions, test installations, and development folders are not just storage hogs but also security risks. They are still reachable by URL (for example /old/ or /test/), they no longer receive updates, and outdated CMS versions, plugins, or themes in them can contain known, publicly documented vulnerabilities. An attacker who compromises the forgotten copy has the same file access as your live site, because both run under your account.

Regularly check folders such as:

  • old
  • backup
  • test
  • dev
  • staging
  • wordpress-alt

If these installations are no longer needed, back them up locally if necessary and remove them from the server.
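An audit script for the file types listed in the table above and the leftover folders listed in this section, as an added shell example that is not part of the original article. It takes the directory to check as its argument (for example $HOME/public_html); the extension list, folder-name list and size threshold are assumptions for this example and should be extended to whatever you find on your own account.

```shell
#!/bin/sh
# Added example (not from the original article): audit a document root for files and
# folders that should not be there. Assumption: the tree to check is passed as the
# first argument, e.g. "$HOME/public_html".

# Print risky files: archives, database dumps, editor/backup copies and dotenv files.
# -iname matches case-insensitively, so DUMP.SQL is found as well as dump.sql.
find_risky_files() {
    find "$1" -type f \( \
        -iname '*.sql' -o -iname '*.sql.gz' -o -iname '*.zip' -o -iname '*.tar' \
        -o -iname '*.tar.gz' -o -iname '*.tgz' -o -iname '*.7z' -o -iname '*.rar' \
        -o -iname '*.bak' -o -iname '*.old' -o -iname '*.orig' -o -iname '*~' \
        -o -name '.env' -o -name '.env.*' \) -print
}

# Print directories whose names suggest a leftover copy or test installation.
find_leftover_dirs() {
    find "$1" -type d \( -iname 'old' -o -iname 'backup' -o -iname 'backups' \
        -o -iname 'test' -o -iname 'dev' -o -iname 'staging' -o -iname '*-old' \
        -o -iname '*_old' -o -iname '*-alt' \) -print
}

# Print files larger than the given size (find -size syntax, e.g. 20M). Large files in
# a web root are often archives or dumps stored under an unexpected name.
find_large_files() {
    find "$1" -type f -size +"$2" -print
}

# audit_webroot DIR SIZE -> prints all three lists with headings
audit_webroot() {
    echo "== risky files ==";               find_risky_files "$1"
    echo "== leftover installations ==";    find_leftover_dirs "$1"
    echo "== files larger than $2 ==";      find_large_files "$1" "$2"
}

# Usage: sh audit.sh /home/USER/public_html 20M
if [ $# -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```

Review the output before deleting anything: a folder named test inside a vendor or plugin directory may be part of a legitimate package, and a large file may be a video the site really serves. The point of the script is to surface candidates, not to remove them.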

Blocking Access via .htaccess?

In some cases, access to certain file types can additionally be blocked via .htaccess. This is useful as a second layer, but it has limits: it only works when the server honours .htaccess for that folder (AllowOverride), it only blocks HTTP requests (any PHP script on the account, and anyone with FTP or SSH access, can still read the file), and one stray extension missing from the list leaves that file exposed. It does not replace clean file storage.

# Apache 2.4 syntax; "(?i)" makes the match case-insensitive, so DUMP.SQL is blocked too
<FilesMatch "(?i)\.(sql|bak|old|zip|tar|gz|env)$">
    Require all denied
</FilesMatch>

This rule blocks direct HTTP requests for files with the listed extensions, whether or not they are linked. It does not cover names that merely contain one of the extensions, such as .env.local or .env.backup, nor other archive formats (.7z, .rar, .tgz), so extend the list to what you actually find on your account. Also make sure directory listing is disabled (Options -Indexes), otherwise the server itself reveals the filenames whenever a folder has no index file. Nevertheless, such files should not be kept permanently in the public web directory at all.
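A quick way to see which filenames a FilesMatch pattern would and would not block, as an added shell example that is not part of the original article. It applies the regular expression to a list of base names with grep -E, which for patterns of this shape behaves like Apache's matcher (FilesMatch also tests only the base name). The page's pattern is checked case-sensitively, as Apache does unless the pattern starts with (?i); the hardened pattern and the sample filenames are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original article): test which base names a FilesMatch
# regex blocks. grep -E (POSIX ERE) stands in for Apache's PCRE matcher here, which is
# exact for these patterns. Sample names and the hardened pattern are constructed.

# The pattern from the .htaccess snippet on the page, case-sensitive like FilesMatch.
PATTERN_PAGE='\.(sql|bak|old|zip|tar|gz|env)$'

# Hardened variant: any name starting with ".env" (.env.local, .env.bak), more archive
# formats, and editor copies; used case-insensitively (Apache needs a "(?i)" prefix).
PATTERN_HARDENED='^\.env(\..*)?$|\.(sql|bak|old|orig|zip|tar|gz|tgz|7z|rar)$'

# blocked_by_page_rule NAME -> exit 0 if the page's rule would deny the request
blocked_by_page_rule() {
    printf '%s\n' "$1" | grep -Eq -- "$PATTERN_PAGE"
}

# blocked_by_hardened_rule NAME -> exit 0 if the hardened rule would deny the request
blocked_by_hardened_rule() {
    printf '%s\n' "$1" | grep -Eiq -- "$PATTERN_HARDENED"
}

# compare_patterns NAME... -> one line per name showing the verdict of both rules
compare_patterns() {
    for name in "$@"; do
        if blocked_by_page_rule "$name"; then a=blocked; else a=served; fi
        if blocked_by_hardened_rule "$name"; then b=blocked; else b=served; fi
        printf '%-18s page rule: %-8s hardened rule: %s\n' "$name" "$a" "$b"
    done
}

# Constructed sample names: the first three are caught by both rules, the next three
# slip past the page's rule, the last two are legitimate site files and must stay served.
compare_patterns backup.zip database.sql config.php.bak \
    .env.local DATABASE.SQL site.tgz \
    index.php style.css
```

Run it with any filenames you are unsure about; a name that prints "served" under the rule you deploy is a file that must not be in public_html in the first place.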

Best Practices

  • Store only publicly needed website files in public_html.
  • Remove old ZIP and backup files after downloading.
  • Do not store database exports permanently in the web directory.
  • Do not keep access credentials and configuration files publicly accessible.
  • Remove old test installations.
  • Regularly check for large and unusual files.
  • Use access protection only as a supplement, not as a replacement for secure storage.

Summary:
The public_html folder is intended for publicly accessible website files. Backups, database exports, sensitive configuration files, and old installations should not be permanently stored there. Clean file storage reduces security risks and keeps your hosting account organized.

Unsure if a file is publicly accessible?

If you would like to check if backups, database exports, or sensitive files are stored securely, CURIAWEB support will be happy to assist you.
