How websites accidentally leak data

The most common ways small business websites expose sensitive information — and none of them require a hacker.

When people hear "data leak," they imagine sophisticated hackers breaking through firewalls. The reality is much more mundane — and much more common. Most data leaks on small business websites happen because files that should be private are accidentally left publicly accessible. No hacking required. Anyone who knows what to look for can find them.

The most common exposed files

.env files

The .env file is where developers store sensitive configuration: database passwords, API keys, email credentials, and payment processor secrets. It should never be reachable from the web, but it often is, because the file sits in the web root and most web servers will happily serve a dotfile as static text unless told otherwise. If someone can visit yoursite.com/.env and see its contents, they have the keys to your entire operation.

Attackers use automated scanners that check thousands of websites per hour for exposed .env files. If yours is accessible, it's not a matter of if — it's a matter of when.

.git directories

If your website was built with Git (a version-control tool) and the .git/ folder was deployed into the web root along with the site, your entire source code history is publicly readable. This includes every file, every change, and any passwords or API keys that were committed at any point, even if they were later removed: Git keeps the old versions.

An attacker who finds an exposed .git/ folder can reconstruct your entire codebase and search through the history for credentials. Directory listing is usually disabled, so /.git/ itself may return a 403 while individual files such as /.git/HEAD and /.git/config are still served, and that is enough for freely available tools to download the whole repository file by file.

Database backups

Files like database.sql, backup.sql, or db_dump.sql sitting in your web root contain your entire database — customer information, user accounts, potentially payment data. Developers sometimes create backups and forget to delete them or move them out of the public directory.

Configuration backups

Files like wp-config.php.bak, wp-config.php.old, or config.php~ are backup copies of configuration files that contain database credentials. A request for the original wp-config.php is handed to the PHP interpreter, which executes it and returns only its output, so the source never leaves the server. A copy named wp-config.php.bak no longer matches the PHP handler, so the web server treats it as an ordinary static file and sends the raw source, credentials included, as plain text.

Admin panels and debug pages

URLs like /admin, /phpmyadmin, /debug, or /server-info can expose administrative interfaces or server details. Some of these may not require authentication at all, or may still be using default passwords.

How attackers find these files

Attackers don't manually check websites one by one. They use automated tools that scan millions of sites for known file patterns. The most common approach is simple: try a list of 50-100 common sensitive file paths on every site and look at what comes back. A 200 response whose body looks like the probed file (KEY=value lines for a .env, SQL statements for a dump, raw PHP for a config backup) marks the site as exposed. The status code alone is not enough, because many sites answer 200 with a custom "not found" page for every URL, and scanners filter those out by checking the content.

This isn't targeted — it's opportunistic. Your small business isn't being singled out. The bots don't care who you are. They check everyone.

How to check your site

Try requesting the paths listed above on your own site, for example yoursite.com/.env, yoursite.com/.git/HEAD and yoursite.com/wp-config.php.bak.

If any of them return the actual file contents instead of a 404 (or 403) error, you have an exposed file that needs to be blocked immediately. A 200 status by itself is not proof: if the page that comes back is your site's "not found" page or home page, the file is not exposed, so look at what was returned. Antileak checks for over 20 commonly exposed file types automatically in every scan.

How to fix exposed files

Immediate step: Delete the file, or move it outside the web root (the directory the web server publishes). If it's a .env file that the application reads and must stay where it is, block access to it in your server configuration; better still, point the web root at a public/ subdirectory so that configuration files never sit underneath it.

For Apache (.htaccess): Add rules to deny access to sensitive files. Block patterns like .env, .git, *.sql, and *.bak.
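The Apache rules described above, as an added example written for this page (not configuration supplied by the article or by Antileak). It assumes Apache 2.4 syntax and that AllowOverride permits these directives in .htaccess (FileInfo for RedirectMatch, Limit or AuthConfig for Require); the exact list of extensions is this example's choice.

```apache
# .htaccess in the web root, Apache 2.4 syntax. Assumes AllowOverride permits
# these directives (FileInfo for RedirectMatch, Limit/AuthConfig for Require).

# Hide every dotfile and dot-directory (.env, .git/, .htaccess itself) by URL
# path, except .well-known/, which TLS certificate renewal (ACME) needs.
# 404 rather than 403 so the response does not confirm that the file exists.
RedirectMatch 404 "(^|/)\.(?!well-known/)"

# Database dumps, config backups and editor leftovers, wherever they sit.
# wp-config.php.bak no longer ends in .php, so PHP will not run it; this
# rule stops Apache from serving the raw source instead.
<FilesMatch "\.(sql|sql\.gz|bak|old|orig|save|swp)$|~$">
    Require all denied
</FilesMatch>
```

After saving the file, request yoursite.com/.env and yoursite.com/wp-config.php.bak again: both should now return 404 regardless of whether the file exists. If they still load, AllowOverride is not enabled for the directory and the rules need to go into the virtual host configuration instead.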

For Nginx: Add location blocks that return 403 for sensitive file patterns.
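The Nginx equivalent, as an added example written for this page (not configuration from the article or from Antileak). It assumes the blocks go inside the site's server { } block and that the PHP handler, if any, is a separate regex location; the extension list is this example's choice.

```nginx
# Inside the server { } block. Regex locations are tried in the order written,
# so put these before any "location ~ \.php$" block.

# Every dotfile and dot-directory (.env, .git/, .htpasswd), except
# .well-known/, which TLS certificate renewal (ACME) needs.
# 404 rather than 403 so the response does not confirm that the file exists.
location ~ /\.(?!well-known/) {
    return 404;
}

# Database dumps, config backups and editor leftovers, wherever they sit.
# wp-config.php.bak does not match \.php$, so without this rule Nginx would
# serve it as plain text.
location ~* (\.(sql|sql\.gz|bak|old|orig|save|swp)|~)$ {
    return 404;
}
```

Run `nginx -t` before reloading so a typo in the regex does not take the site down, then reload and re-request the paths from the check above to confirm they return 404.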

After fixing: If any credentials were exposed, assume they've been compromised. Change all database passwords, API keys, and email credentials immediately, and revoke the old ones where the provider allows it. This is not optional — if the file was public for any amount of time, treat the credentials as stolen. The server's access log can show whether the path was actually requested, which is useful for understanding the scope, but an empty log is not proof that nobody fetched it.

Prevention is key. Set up server rules to block sensitive files by default, and add exposed-file checks to your deployment process. Antileak's ongoing monitoring catches new exposures as soon as they appear — before attackers find them. Learn more in our security guide.

The real cost of a data leak

Beyond the immediate cleanup, a data leak can result in Google flagging your site as dangerous, lost customer trust, regulatory fines (if personal data was exposed), and the cost of a security consultant to audit and remediate. For small businesses, this typically runs $1,000-10,000. Prevention — blocking a few file paths — costs nothing and takes 10 minutes.

Check your website health score to see if your site has any exposed files right now.

Are your files exposed?

We check 20+ sensitive file types. Scan takes 60 seconds.

Security scan plus speed, SEO, and broken links — all in one report.