Is the .env file required to run the CMS?

silverstripe-4

Hello everyone. I just started using SilverStripe and need some help from people who know a little more than I do. When I installed it, I noticed that in the .env file, both the admin’s credentials and the database credentials are exposed.

By this I mean that any person who has gained access to the web server also has all the login credentials.
Maybe I have a mistake in my thinking process, but with such a security gap I can never publish a website under SilverStripe.

Hi,

Ideally, the admin credentials shouldn’t be stored in the .env file; they would usually be stored in the database. Once you have the CMS up and running, you should create some admin users (their details are encrypted in the database) and remove the default details from the env.

The database connection details are stored in the env file, yes. This is quite normal for any web application, not just Silverstripe. Some store them in a PHP file, some in XML, some in the environment. Without these connection details the site wouldn’t be able to work.

You can avoid using the .env file if you set the relevant values in the server environment (in the host configuration for example). But they do need to live somewhere.

The most important sentence is this:

"By this I mean that any person who has gained access to the web server also has all the login credentials."

This is completely true, but again, it’s not a Silverstripe-specific thing. Whatever code you are using, if someone has access to the files on your webserver, then they can do bad things (not just gaining access, but installing malicious code, etc., too). You should be extremely careful about securing access to your website’s files.
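
As an added example (not part of the thread and not Silverstripe's own code), here is a small POSIX shell audit that checks a Silverstripe 4 project's .env for the two points made in the reply above: the bootstrap SS_DEFAULT_ADMIN_* credentials should be gone once real CMS admins exist, and the file holding the database password should be readable only by the owner and the web server's group, and should sit outside the published web root. It assumes the standard SS_* variable names Silverstripe 4 reads from .env; the mode 640 and "outside the web root" rules are this checker's own policy, and the .env contents it writes are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread or from Silverstripe itself.
# Audits a Silverstripe 4 .env file for the concerns raised in the reply:
# leftover default admin credentials, world-readable mode, file inside web root.
# Assumption: the project uses the standard SS_* variable names.

# audit_env ENV_FILE WEBROOT
# Prints one FINDING line per problem and returns the number of findings (0 = clean).
audit_env() {
    env_file=$1
    webroot=$2
    findings=0

    if [ ! -f "$env_file" ]; then
        echo "ERROR: $env_file not found"
        return 1
    fi

    # 1. Bootstrap admin credentials belong in the database, not in .env.
    #    Once a real CMS administrator exists these two keys should be deleted.
    if grep -Eq '^[[:space:]]*SS_DEFAULT_ADMIN_(USERNAME|PASSWORD)[[:space:]]*=' "$env_file"; then
        echo "FINDING: SS_DEFAULT_ADMIN_USERNAME/PASSWORD still present; create CMS admins, then remove them"
        findings=$((findings + 1))
    fi

    # 2. The database password lives in this file, so it must not be world-readable.
    #    An octal mode whose last digit is 4..7 grants read to "others".
    mode=$(stat -c '%a' "$env_file" 2>/dev/null || stat -f '%Lp' "$env_file")
    case "$mode" in
        *[4567]) echo "FINDING: $env_file is world-readable (mode $mode); use chmod 640"
                 findings=$((findings + 1)) ;;
    esac

    # 3. The file must not sit inside the directory the web server publishes,
    #    otherwise a misconfigured server can hand it out as a static file.
    env_dir=$(cd "$(dirname "$env_file")" && pwd -P)
    root_dir=$(cd "$webroot" 2>/dev/null && pwd -P) || root_dir=
    if [ -n "$root_dir" ]; then
        case "$env_dir/" in
            "$root_dir/"*) echo "FINDING: $env_file is inside web root $root_dir; move it one level up"
                           findings=$((findings + 1)) ;;
        esac
    fi

    return "$findings"
}

# write_demo_env DIR: writes a constructed, deliberately weak .env (sample data, not a real site)
# plus an empty public/ directory, mirroring a fresh Silverstripe 4 layout.
write_demo_env() {
    cat > "$1/.env" <<'EOF'
SS_ENVIRONMENT_TYPE="live"
SS_DATABASE_CLASS="MySQLDatabase"
SS_DATABASE_SERVER="localhost"
SS_DATABASE_USERNAME="ss_user"
SS_DATABASE_PASSWORD="constructed-sample-password"
SS_DATABASE_NAME="ss_site"
SS_DEFAULT_ADMIN_USERNAME="admin"
SS_DEFAULT_ADMIN_PASSWORD="admin"
EOF
    chmod 644 "$1/.env"
    mkdir -p "$1/public"
}

# harden_demo_env DIR: applies the fix the reply recommends: drop the bootstrap
# admin lines and tighten the mode so only owner and group can read the file.
harden_demo_env() {
    grep -v '^SS_DEFAULT_ADMIN_' "$1/.env" > "$1/.env.tmp" && mv "$1/.env.tmp" "$1/.env"
    chmod 640 "$1/.env"
}

# Demonstration on a temporary, constructed project directory.
demo=$(mktemp -d)
write_demo_env "$demo"
echo "== fresh install, web root is $demo =="
audit_env "$demo/.env" "$demo" || true
harden_demo_env "$demo"
echo "== hardened, web root is $demo/public =="
audit_env "$demo/.env" "$demo/public" && echo "clean"
rm -rf "$demo"
```

The third check reflects the Silverstripe 4 layout in which the web server's document root is the project's public/ directory and .env sits one level above it; if the site was installed without a public/ directory, .env is inside the web root and you are relying on the server configuration to refuse requests for it, which this script reports as a finding rather than verifying.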

I see, thank you very much.