Site Exposure Scanner

Probe a website for exposed config files, backup dumps, admin panels, and missing security headers — ~120 checks attackers run every day.

Login to run
Authorised use only. Only scan websites you own or have explicit written permission to test. Unauthorised scanning may violate computer fraud laws.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What does this tool check?

The scanner probes ~120 common paths across 8 categories: environment and secret files (.env, .htpasswd), source control (.git/config, .svn/), backup and database dumps, PHP config files, WordPress-specific files, other CMS and frameworks (Laravel, Drupal, Joomla, CodeIgniter, Symfony), admin panels (phpMyAdmin, Adminer, phpinfo), and HTTP security headers.

Is this the same thing attackers do?

Yes — this is exactly the same list of paths that automated vulnerability scanners probe millions of sites for every day. Running it against your own site lets you find and fix exposures before attackers find them.

What does each severity mean?

Critical — exposed file almost certainly contains credentials or private keys that should be rotated immediately. High — confirmed sensitive exposure that needs remediation. Warning — file may be sensitive or path exists but content was inconclusive; verify manually. OK — not found (expected).

Why does a 403 appear as a warning?

A 403 Forbidden response means the file or path exists on the server but the web server is blocking access to it. While that's better than a 200, it's not the same as the file being absent. Confirm the restriction is intentional and consider removing the file entirely.

Can I use this on sites I don't own?

No. Only scan sites you own or have explicit written permission to test. Scanning third-party sites without authorisation may violate computer fraud laws in your jurisdiction. This tool requires a logged-in account specifically to discourage misuse.

What should I do if a Critical issue is found?

1. Remove the exposed file from the web root immediately. 2. Rotate any credentials that may have been visible (API keys, database passwords, secret keys). 3. Check your server access logs to see if the file was accessed before you found it. 4. Add the path to your .gitignore / deploy config so it cannot be accidentally published again.