The 'install.php' and 'update.php' files in a Drupal website can pose significant security risks if they remain accessible after the initial setup. These files are crucial during the installation and update processes of Drupal, but they contain sensitive information and functionalities that should not be accessible to unauthorized individuals once the website is up and running.
To address this issue, we will restrict access to these files by adding the appropriate directives either to the Apache web server configuration or to the .htaccess file.
To restrict access to the 'install.php' or 'update.php' files in Drupal, you have two options:
- Add this line to your Apache virtual host configuration (the dot is escaped so that only a literal ".php" is matched):
RedirectMatch 403 "/(install|update)\.php"
- Or add these lines to your .htaccess file:
# Protect files and directories from prying eyes.
<FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config)$|cron\.php|install\.php|update\.php|^(CHANGELOG|COPYRIGHT|INSTALL.*|LICENSE|MAINTAINERS|README|UPDATE).txt$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
  Order deny,allow
  Deny from all
</FilesMatch>
And that's it, you are done: all of these sensitive files and directories are no longer accessible. For example, https://exemple.com/update.php now returns a 403 response.
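To check what each of the two rules above actually covers before deploying them, here is an added example (not from the original page) that runs the same regular expressions over a constructed list of request paths; it assumes Python's re module agrees with Apache's PCRE for these patterns, and that the last URL segment stands in for the file name that FilesMatch inspects.

```python
import re
from posixpath import basename

# RedirectMatch option: Apache applies this to the request URL path.
# The dot is escaped so that "install.php" is matched literally.
REDIRECTMATCH_RE = re.compile(r"/(install|update)\.php")

# FilesMatch option, copied from the .htaccess rule above. Apache applies it to
# the name of the file serving the request; approximated here by the last URL
# segment (assumption: paths with PATH_INFO after the script are not modelled).
FILESMATCH_RE = re.compile(
    r"\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|twig"
    r"|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$"
    r"|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template"
    r"|composer\.(json|lock)|web\.config)$"
    r"|cron\.php|install\.php|update\.php"
    r"|^(CHANGELOG|COPYRIGHT|INSTALL.*|LICENSE|MAINTAINERS|README|UPDATE).txt$"
    r"|^#.*#$"
    r"|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$"
)


def vhost_denies(url_path: str) -> bool:
    """True if the RedirectMatch rule would answer 403 for this URL path."""
    return REDIRECTMATCH_RE.search(url_path) is not None


def htaccess_denies(url_path: str) -> bool:
    """True if the FilesMatch rule would deny the file named by this URL path."""
    return FILESMATCH_RE.search(basename(url_path)) is not None


def coverage_report(paths):
    """Map each path to (denied by vhost rule, denied by .htaccess rule)."""
    return {p: (vhost_denies(p), htaccess_denies(p)) for p in paths}


if __name__ == "__main__":
    # Constructed sample paths; Drupal 8+ keeps install.php under /core.
    sample = [
        "/update.php",
        "/core/install.php",
        "/index.php",
        "/sites/default/settings.php.bak",
        "/.htaccess",
        "/.well-known/acme-challenge/token",
    ]
    for path, (vhost, htaccess) in coverage_report(sample).items():
        print(f"{path:40} vhost={'403' if vhost else 'allow'} "
              f"htaccess={'403' if htaccess else 'allow'}")
```

Note that the .htaccess variant uses the Apache 2.2 Order/Deny directives, which on Apache 2.4 only take effect when mod_access_compat is loaded; otherwise use "Require all denied" inside the FilesMatch block. The report also shows that the vhost rule covers only the two scripts, while the FilesMatch rule additionally catches backup and dot files but not the front controller.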