Overview
While Git is an incredibly powerful tool for source code tracking and version control, if you accidentally upload the repository's .git directory to your web root then you expose information which should be protected.
Tools such as GitJacker and GitHacker can automatically crawl a .git directory (eg https://<yourwebsite.com>/.git), read the index and refs to learn the tracked file names and object IDs, and then rebuild the entire Git repository, including its commit history.
For platforms such as WordPress, where wp-config.php is commonly committed to the repository, a malicious actor then has a copy of your database credentials along with any other secrets stored in that file. Because the history is recovered as well, credentials that were committed and later removed are still readable.
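How those tools turn an exposed .git directory back into source files, shown as an added worked example (this is not code from the Conetix article, nor from GitJacker or GitHacker): it parses the .git/index that lists every tracked path with its blob ID, derives the loose-object URL a crawler requests for each, then inflates and verifies each object. The index, the objects and the https://www.example.com site are constructed in memory, so nothing is contacted.

```python
"""Added example: rebuild files from an exposed .git (loose objects only)."""
import hashlib
import struct
import zlib

# One v2/v3 index entry: ten 32-bit stat fields, a 20-byte SHA-1 and 16 bits of
# flags (62 bytes), then the NUL-terminated path, NUL-padded to a multiple of 8.
ENTRY_HEADER = struct.Struct(">10I20sH")


def parse_index(data):
    """Return [(path, mode, blob_sha_hex)] from the bytes of a .git/index file.

    Rejects a truncated or fake response: the signature, version and the
    trailing SHA-1 checksum over the whole file must all check out.
    """
    if data[:4] != b"DIRC":
        raise ValueError("not a git index (missing DIRC signature)")
    if hashlib.sha1(data[:-20]).digest() != data[-20:]:
        raise ValueError("index checksum mismatch (truncated or corrupted)")
    version, count = struct.unpack(">II", data[4:12])
    if version not in (2, 3):
        raise ValueError("unsupported index version %d" % version)
    entries, pos = [], 12
    for _ in range(count):
        start = pos
        fields = ENTRY_HEADER.unpack_from(data, pos)
        mode, sha, flags = fields[6], fields[10], fields[11]
        pos += ENTRY_HEADER.size
        if version == 3 and flags & 0x4000:  # "extended" bit: one more flag word
            pos += 2
        name_len = flags & 0x0FFF
        if name_len < 0x0FFF:
            name = data[pos:pos + name_len]
        else:  # the length field saturates for long paths; read up to the NUL
            name = data[pos:data.index(b"\x00", pos)]
        pos = start + ((pos - start + len(name) + 1 + 7) // 8) * 8
        entries.append((name.decode("utf-8"), mode, sha.hex()))
    return entries


def object_urls(base_url, entries):
    """Map each tracked path to the loose-object URL a crawler would fetch."""
    base = base_url.rstrip("/")
    return {path: "%s/.git/objects/%s/%s" % (base, sha[:2], sha[2:])
            for path, _mode, sha in entries}


def decode_loose_object(raw, expected_sha=None):
    """Inflate a loose object into (type, content), checking size and SHA-1."""
    plain = zlib.decompress(raw)
    header, _, content = plain.partition(b"\x00")
    obj_type, size = header.split(b" ")
    if int(size) != len(content):
        raise ValueError("object header size does not match content")
    if expected_sha and hashlib.sha1(plain).hexdigest() != expected_sha:
        raise ValueError("object does not hash to its own name")
    return obj_type.decode("ascii"), content


def rebuild_files(index_bytes, fetch):
    """index -> object URLs -> decoded contents; fetch(url) returns raw bytes."""
    entries = parse_index(index_bytes)
    urls = object_urls(BASE_URL, entries)
    return {path: decode_loose_object(fetch(urls[path]), sha)[1]
            for path, _mode, sha in entries}


# --- constructed test data: what a crawler would download from the site ---
BASE_URL = "https://www.example.com"  # placeholder; nothing is contacted
SAMPLE_FILES = {  # constructed stand-in for a WordPress checkout
    "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
    "wp-config.php": b"<?php define('DB_PASSWORD', 'constructed-example');\n",
}


def make_blob(content):
    """Store content the way git does: 'blob <size>\\0<content>', zlib-compressed."""
    plain = b"blob %d\x00" % len(content) + content
    return hashlib.sha1(plain).hexdigest(), zlib.compress(plain)


def build_sample_index(files):
    """Build a minimal v2 .git/index for a {path: content} dict."""
    body = b"DIRC" + struct.pack(">II", 2, len(files))
    for path in sorted(files):  # git keeps entries sorted by path
        sha_hex, _ = make_blob(files[path])
        name = path.encode("utf-8")
        entry = ENTRY_HEADER.pack(0, 0, 0, 0, 0, 0, 0o100644, 0, 0,
                                  len(files[path]), bytes.fromhex(sha_hex),
                                  min(len(name), 0x0FFF)) + name + b"\x00"
        body += entry + b"\x00" * (-len(entry) % 8)
    return body + hashlib.sha1(body).digest()


def sample_object_store():
    """In-memory 'web server': loose objects keyed by the URL a crawler hits."""
    store = {}
    for content in SAMPLE_FILES.values():
        sha, raw = make_blob(content)
        store["%s/.git/objects/%s/%s" % (BASE_URL, sha[:2], sha[2:])] = raw
    return store


if __name__ == "__main__":
    index = build_sample_index(SAMPLE_FILES)
    for path, content in rebuild_files(index, sample_object_store().get).items():
        print(path, "->", content.decode().strip())
```

Only loose objects are handled here; a repository whose objects have been packed into .git/objects/pack/ needs the packfile and its index parsed as well, which the real tools do. The point to take from the example is that no guessing of file names is required: the index hands the attacker every path and the exact object to download.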
Prevention
Use Plesk for Git-based deployment
Conetix uses Plesk because of the advanced features designed to make your life easier. One of these is automatic deployment via Git. This means, when you commit to your main branch, it can push the changes automatically to your website or web app. We have guides on the setup available:
Ensure the .git directory isn’t deployed
When using an existing Continuous Integration (CI) tool to deploy or simply transferring via FTP, the next best option is to ensure the .git directory isn’t uploaded at all.
As the most popular FTP client, FileZilla has built-in filename filters which can exclude the .git directory from every transfer:
Users of CI tools for deployment will need to consult their tool's documentation for how to exclude paths from the deployment, and should check the deployed web root afterwards rather than assume the exclusion worked.
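For a CI job or scripted upload, the exclusion can be enforced and verified in the pipeline itself. The following is an added example (not code from the Conetix article, Plesk or FileZilla) using only Python's standard library: it copies a checkout into the web root while skipping every .git directory, including a nested submodule checkout and the .git *file* a submodule or worktree uses, and then audits the destination so the job fails if anything git-related slipped through. The directory layout and file contents are constructed for the example.

```python
"""Added example: deploy a checkout without its git artifacts, then audit."""
import os
import shutil
import tempfile

# Names that belong to the repository, never to the live site
GIT_ARTIFACTS = {".git", ".gitignore", ".gitattributes", ".gitmodules"}


def find_git_artifacts(root):
    """Return sorted relative paths of every git artifact (dir or file) under root."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in list(dirnames) + filenames:
            if name in GIT_ARTIFACTS:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
        # do not descend into a .git directory; it is reported once, as a whole
        dirnames[:] = [d for d in dirnames if d != ".git"]
    return sorted(found)


def deploy_tree(src, dst):
    """Copy src to dst skipping git artifacts; fail loudly if any got through."""
    # ignore_patterns is applied in every directory, so nested submodule
    # checkouts and '.git' gitlink files are skipped too
    shutil.copytree(src, dst, ignore=shutil.ignore_patterns(*GIT_ARTIFACTS))
    leftovers = find_git_artifacts(dst)
    if leftovers:
        raise RuntimeError("git artifacts reached the web root: %s" % leftovers)
    return leftovers


def make_sample_checkout(root):
    """Constructed checkout: a WordPress-like tree plus a submodule (test data)."""
    layout = {
        ".git/HEAD": "ref: refs/heads/main\n",
        ".gitignore": "wp-content/uploads/\n",
        "wp-config.php": "<?php define('DB_PASSWORD', 'constructed');\n",
        "wp-content/plugins/vendored/.git": "gitdir: ../../../.git/modules/vendored\n",
        "wp-content/plugins/vendored/plugin.php": "<?php // plugin code\n",
    }
    for rel, text in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return layout


def run_demo():
    """Return (artifacts in checkout, artifacts in web root, files deployed)."""
    work = tempfile.mkdtemp()
    try:
        src, dst = os.path.join(work, "checkout"), os.path.join(work, "htdocs")
        make_sample_checkout(src)
        before = find_git_artifacts(src)
        after = deploy_tree(src, dst)
        deployed = sorted(
            os.path.relpath(os.path.join(d, f), dst).replace(os.sep, "/")
            for d, _, files in os.walk(dst) for f in files)
        return before, after, deployed
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    before, after, deployed = run_demo()
    print("in checkout:", before)
    print("in web root:", after)
    print("deployed:", deployed)
```

Run the audit half (find_git_artifacts) against the real document root after every deployment, whatever tool performed it; it is cheap and catches the case where a teammate uploads by hand.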
Explicitly block access to .git
As a last resort, if you can't stop the .git directory being uploaded then the only alternative is to block access to it at the web server. On Apache, edit your .htaccess file (or create one if it doesn't exist) and add the following. Note that this relies on mod_rewrite being enabled and on AllowOverride permitting .htaccess files; nginx ignores .htaccess entirely, so nginx users need an equivalent deny rule in the server configuration.
# Block access to the .git directory and .gitignore etc (returns 403 Forbidden)
RewriteEngine on
RewriteRule ^(.*/)?\.git - [F,L]