I have a php file on my site that serves as a template for a single page of the site, inside this file there is only HTML code, it has no php <?php ?> tag, nor anything. It's like an html file, but with the .php extension
My question is this: If I leave the file as is, will I make the site vulnerable to attack?
This by itself does not leave you vulnerable, but if it is a static file you can leave it as static, it only makes sense to leave PHP together with HTML when you need to render HTML on the server. Serving the file as static also avoids unnecessary PHP engine calling for script interpretation.
Just by complementing: What makes you vulnerable or not is the security settings of your server, not whether the file extension is .html or .php. The problem would be you run a .php file with malicious code.
Hugs!
Rename to .html by preventing PHP from starting the parse process!
As for security, no, because as you yourself said there is no PHP code, be it vulnerable or not!
There are two factors that imply this question:
1) The site following a standardization of programming, it is good to follow the extension .php .
2) The page and / or site may be vulnerable even with or without the .php extension. This does not interfere with security, but rather how it goes to the user screen, if For example, if you have malicious code, it will be vulnerable because the server sends you output .html .
Own experience, if it is PHP follow the same extension for all pages.
The vulnerability of an HTML file is the same as in a PHP file.
In your case, you are dealing with "non-confidential" information that could be viewed for "viewing the source code." (ie, the vulnerability issue is irrelevant)
Your concern for vulnerability should be only with: how strong your passwords are and how secure the server is where the site is hosted.
Otherwise, do not worry about the file extension.
If the file only contains the template, with no associated password, there is no vulnerability, since a file without confidential data and that does not have permission to write to it and / or the directory is like an image or something type. If you want to protect the directory to be accessed only by the site, you only have to set this rule in .htaccess in the folder.
PHP if configured within application/x-httpd-php can be executed with almost any extension. What could put at risk would be if in this configuration does not accept PHP inside HTML and put the PHP code on it, then yes it could display a password or some relevant data, but pure HTML there is no risk. >
