How to hide source code from public view

How to hide source code from public view in php, and with javascript.

I have seen many CMS and other website that source is hidden from public
view, like wordpress config.php, whmcs configuration.php, and more
files are hidden, but inside it have code but when we check in browser
view source it display none.

How to do like this in php and or with javascript.

PHP code is processed server side - it has no view-source.
*however, sensitive files should be outside the root so if the engine goes down they can’t be viewed as plain text,

ASP is compiled server side - it has now view-source

JavaScript can be obfuscated and minified, but IMHO it isn’t worth the bother

I need to make hide sour0ce of particular div with contain javascript with jquery. i need to hide that from public view in source code

Can’t be done.

This best you can do is obfuscate and minify the JavaScript…

But if someone is determined enough they can go through the trouble to see it in it’s orignal form.

Nothing personal, but believe me, as special as you may think your code is, it is almost assuredly not that special.

You can’t do that. You can only make it less readable with obfuscation as @Mittineague said. Use this service for example.

But how wordpress and other big cms hiding code from public view like config.php, install.php, license.php and more files are hidden

config doesn’t produce any output. (well, except maybe whitespace)
install is in the admin folder so you need to be logged in as Admin.
license .txt is not meant to be hidden, it is the
If you don’t see it, it may have been deleted.

PHP is a server-side technology, PHP source code stored and executed on the server, so in browser you can see only results produced by that code. But HTML and JS are client-side technologies. That means HTML and JS source code stored and executed in browser, so you can see it.

I don’t know what you mean by hiding the file. In WordPress, it is a security measure that you don’t install your files in a folder that’s called “blog” or “wp” or “wordpress” because you’d be making a bit easier for a hacker to get into your WordPress installation. So you can ofuscate your installation by renaming the main folder where WordPress installs to something crazy like “Ilovedoingmyblogging” and then use your .htaccess file so the url doesn’t shows the name of the folder.

Is this what you’re talking about?

I understand. Is any way to hide my source code of html or php, or anyways to make it difficult so normal user cannot understand that.

As people have said above, there’s no need to find a way to hide your PHP code because end users will never see it. It’s executed on the server, not in the browser, so all the user sees is the result of your echo() statements.

1 Like

Yes, the only sure way is to
Not put it online

1 Like

Even that isn’t 100% certain. If it is on a computer then it is potentially accessible.

I think OP is talking about encoding it with eval or unescape so that the source code itself is in Javascript making it a little harder for someone to read unless they know to decode it using eval or unescape. I’ve seen a few source codes that do that, but they actually use other encodes as well which makes it more difficult to read.

In this case, it’s not a PHP problem, but it’s a Javascript problem.

A two line JavaScript can easily convert anything like that back into readable text. The Netscape 6 browser did it automatically without even needing the two lines of JavaScript. With a userscript you can have your browser add a “source” link to all web pages that will provide you with the actual HTML and CSS that the browser is using to display the page regardless of what obfuscation was used to send it to the browser.

Developer tools (now available in all modern browsers) can also allow you to see the unobfuscated content of the page

There is nothing that you can do to the HTML or CSS in a public web page that will block anyone from being able to read the unobfuscated source unless they don’t have JavaScript available in which case they will not be able to view the page at all. Browsers provide multiple waus to unobfuscate any HTML or CSS regardless of how it was loaded into the browser from the server.

This is not a JavaScript problem - is is a web page owner problem - trying to do something that can’t be done on the web.

Yes, (topic moved)

@Rajeevrrs Why the interest in “hiding”?

The usual reasons are because the author thinks they have something special or they are up to no good.
What’s your reason for such interest?

If you are looking for script-kiddie hacking help here, you’re in the wrong forum.

Right. I never knew that. Pretty interesting then. I just thought it was some sort of technique that people use because on one site, the Javascript looks broken up. Then encoded with some sort of number because when I tried to decode it, the numbers meant a certain letter. It was a mix match of like unescape and some other encoding because it didn’t make any sense.

I think i read somewhere before… if your hosting support “cloudflare”, that company have an app that can protect source code. Maybe you can do little research about it. Hopefully you’ll find what you’re looking for. Thanks

Only server side code can be protected - anything loaded into the browser can be decoded using the browser - if it can’t then the browser will be unable to display it.

I would say if it exists then it is potentially accessible.

1 Like