Skip to main content
Security Hub

What Attackers Look For

And What Most Sites Get Wrong

Based on real-world attack patterns and eligible aggregate observations from production websites. Every attack category below is actively exploited in the wild.

Secret Files

CRITICAL

What Attackers Look For

Automated scanners probe /.env, /.env.local, /.env.production on every public website. A single exposed file can leak database credentials, API keys, and payment secrets.

Why It's Dangerous

One leaked .env file means full database access, payment fraud, email impersonation. Attackers sell these credentials on dark web markets within hours.

How To Protect

  • - Never deploy .env files to production
  • - Use your hosting platform's environment variable system
  • - Add .env* to .gitignore and .dockerignore
  • - Scan your live site to verify

Source Code Exposure

HIGH

What Attackers Look For

Attackers request /.git/config, /.git/HEAD, and /.gitignore to detect exposed Git repositories. A misconfigured server can serve your entire source code history.

Why It's Dangerous

Source code reveals business logic, internal API endpoints, hardcoded tokens, and security weaknesses. Attackers reverse-engineer authentication flows and find injection points.

How To Protect

  • - Block /.git/* paths in your web server config
  • - Use a CDN or hosting platform that doesn't serve dotfiles
  • - Verify with a curl request to yourdomain.com/.git/config

GraphQL Introspection

HIGH

What Attackers Look For

Attackers send introspection queries to /graphql and /graphql/v1 to map your entire API schema - every query, mutation, type, and field.

Why It's Dangerous

An open introspection endpoint is like publishing your entire API documentation to attackers. They discover admin mutations, sensitive fields, and unprotected queries.

How To Protect

  • - Disable introspection in production (introspection: false)
  • - Use allowlists for permitted queries
  • - Implement field-level authorization on sensitive resolvers

Legacy Admin Panels

MEDIUM

What Attackers Look For

Scanners check for /phpmyadmin, /wp-admin, /wp-login.php, /admin.php - common paths from WordPress, PHP, and legacy frameworks.

Why It's Dangerous

Even if you don't use WordPress, a default installation or forgotten admin panel gives attackers direct database access or CMS control.

How To Protect

  • - Remove unused software completely
  • - If you need admin panels, put them behind VPN or IP allowlist
  • - Use non-standard paths and enforce MFA

Cloud Credentials

CRITICAL

What Attackers Look For

Attackers probe /.aws/credentials, /server-status, /server-info to find cloud provider credentials and server diagnostics.

Why It's Dangerous

AWS/GCP/Azure credentials give attackers access to your entire cloud infrastructure - databases, storage, compute. Server status pages reveal internal architecture.

How To Protect

  • - Never store cloud credentials in web-accessible directories
  • - Disable Apache mod_status and mod_info
  • - Use IAM roles instead of static credentials
  • - Rotate keys regularly

Bot Form Attacks

MEDIUM

What Attackers Look For

Automated bots target login and signup forms with credential stuffing (testing leaked password lists) and registration spam (creating fake accounts at scale).

Why It's Dangerous

Credential stuffing succeeds because users reuse passwords. A single match gives attackers access to the account and any linked payment methods or personal data.

How To Protect

  • - Implement rate limiting on auth endpoints (max 5 attempts/minute)
  • - Add CAPTCHA after failed attempts
  • - Use honeypot hidden fields
  • - Enforce strong passwords and offer MFA

Real-World Scan Data

Anonymized, conclusive observations from the eligible research population

64%
Without CSP
completed CSP scans · n=473
91%
Without DNSSEC
completed DNS scans · n=473
30%
Without API Rate Limiting
authoritative public API probes · n=69
47%
Without DMARC
completed DNS scans · n=473

Methodology: percentages use the latest eligible scan per deployment domain and only conclusive scanner observations. Unknown or blocked checks are excluded from each metric's denominator.

Security Score Distribution

40-49
51
60-69
56
70-79
60
80-89
158
90-100
125

Score ranges from 0 (worst) to 100 (best)

Security by Tech Stack

Modern Stack

Vercel, Netlify, React, Next.js

204
Sites
81
Avg Score
0.7
Avg Crit+High

Legacy Stack

WordPress, Magento, PHP

125
Sites
74
Avg Score
1.5
Avg Crit+High

Classification methodology: AI Platforms are detected via deterministic builder fingerprints (hostname patterns and HTML/header markers). Modern Stack covers JS-era frameworks and hosting (Next.js, React, Vercel, Netlify) that could be AI-assisted or hand-built. Legacy Stack covers traditional platforms (WordPress, PHP, Magento). One row per domain (latest scan), demo and unclassifiable sites excluded, buckets under 30 sites hidden.

Check Your Site

Find out if your site is vulnerable to these attack patterns. Free scan, no signup required.

Scan Now

Security Guide

Step-by-step security checklist for developers building with AI tools and modern frameworks.

Read Guide