jlrdw's avatar

@RushVan said

Just adding my 2 cents, but wouldn't using Forge help the folks struggling with proper deployment of a Laravel app?

Let's put it this way: an electrician goes through a 4-year apprenticeship. A newbie installs Laravel and expects to program a site with no prior web, PHP, HTML, CSS training.

So answer, TRAINING will help, nothing else.

1 like
jai6150's avatar

Hi, my Laravel website is continuously getting hacked. I made .env, app, .htaccess etc. everything hidden, but the hacker created .htaccess.x and all files like .env, app are again accessible on the URL.

I don't know how somebody can create files on the hosting server and make those files visible. The entire website has some script with each folder name with a prefix of the first letter of the folder name.

The hacker created robot.txt, .htaccess.x, ee43cd, site_map.xml kind of files and inserted ASCII text kind of codes in them. index.php is affected too. I don't know how to stop these attacks. Has anybody faced a smart hacker like that and made their website secure...? Laravel is supposed to be a secure framework but this makes it very insecure.

this is his code --

robots.txt —

User-agent: *
Disallow:
Sitemap:http://websiteurl.com/site_map.xml

junk files code --

Nash's avatar

@jai6150 Like others have said: the domain should point to the public directory and nothing above said directory should be made available or even uploaded to any sort of public directory (hidden or not). It could also be that your application is vulnerable to things like path traversal attacks, XSS, etc. due to the way it's coded or perhaps the server is not properly configured or protected.

It's impossible to tell without fully knowing your project, its code and its setup. Regardless, these things are not specific to the Laravel framework itself and any framework will be vulnerable when used incorrectly.

Learn about common OWASP vulnerabilities and how to protect against them: https://www.cloudflare.com/learning/security/threats/owasp-top-10/

Edit: you may also want to create a new thread for this as each case is different
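
One way to check the deployment advice above on the server itself, as an added example that is not part of the thread or of Laravel: the script reports project files sitting inside the served directory and files a stock `public/` directory would not contain, such as the `.htaccess.x` mentioned earlier. The function names are hypothetical, the entry list follows the default Laravel skeleton, and it assumes the application ships no PHP file under `public/` other than `index.php`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit the directory a web server serves.

# Entries that live in the Laravel project root, above the document root.
PROJECT_ONLY=".env artisan composer.json composer.lock app bootstrap config database routes storage vendor"

# Print each project-root entry that sits inside the document root.
exposed_entries() {
    local docroot="${1%/}" entry
    for entry in $PROJECT_ONLY; do
        # public/storage is a symlink created by `php artisan storage:link`.
        if [ "$entry" = storage ] && [ -L "$docroot/$entry" ]; then continue; fi
        if [ -e "$docroot/$entry" ]; then printf '%s\n' "$docroot/$entry"; fi
    done
    return 0
}

# Print files a stock public/ directory does not contain: PHP scripts other
# than index.php and .htaccess look-alikes such as ".htaccess.x".
# Assumption: the application ships no other PHP files under public/.
unexpected_files() {
    local docroot="${1%/}"
    find "$docroot" -type f \( -name '*.php' -o -name '.htaccess?*' \) \
        ! -path "$docroot/index.php" -print
    return 0
}

# Report both checks; exit status 1 when anything was found.
audit_docroot() {
    local exposed unexpected
    exposed=$(exposed_entries "$1")
    if [ -n "$exposed" ]; then
        printf 'EXPOSED (document root is not public/):\n%s\n' "$exposed"
        return 1   # every project file would match the next check, so stop here
    fi
    unexpected=$(unexpected_files "$1")
    if [ -n "$unexpected" ]; then
        printf 'UNEXPECTED in document root:\n%s\n' "$unexpected"
        return 1
    fi
    echo "OK: $1 looks like a clean public/ directory"
}

# Usage: ./audit.sh /path/to/document/root
if [ "$#" -gt 0 ]; then audit_docroot "$1"; fi
```

A finding from the second check means something wrote into the served directory; it does not say how the file got there, so the application code and server configuration still need review.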