Restrict access to core files like install.php


If somebody key ins a link like https://www.example.com/core install.php in their web browser on a functional Drupal web site, they will obtain a web page claiming “Drupal currently mounted” and also they will certainly undoubtedly see what variation of Drupal is mounted.

This is just how this occurs to be made. I do not regard this as a susceptability. If you assume it is, you might attempt to submit a demand in the core problem line where you make an instance for obtaining this details gotten rid of from the web page.

Nevertheless, if you wish to limit accessibility to webserver to any kind of data in core, simply alter the consents little the data in the filesystem to reject the internet server READ accessibility to the data.

Obviously, if you do this, and also the data is in fact called for for the website to run, this will certainly likewise damage your website.

It is most likely okay do this with / core/install. php after you have actually mounted Drupal, because this data is not required yet factor, however making use of the consent little bits is not truly a basic remedy to the concern you ask, and also I do not assume this is the proper way to do it.