whiteweb.security / guides / Vim .swp exposed
.swp / .swo High severity ~6 min read

My Vim swap file got exposed with credentials. What should I do?

Vim silently creates a swap file every time you open a file for editing. If you edit a config file in your web root and a crash or logout leaves the .swp file behind, it's publicly readable — and it contains a near-complete copy of the file you were editing, passwords included.

First: rotate the credentials that were in the file being edited.

The swap file typically contains the full content of whatever you were editing when the Vim session ended unexpectedly. If that file held a database password or API key, treat that secret as compromised. Delete the swap file and change the credentials — in that order.

// the 60-second version

  • Delete the .swp file from the web root immediately.
  • Rotate every credential visible in the file that was being edited.
  • Search the web root for other stray swap files (.swp, .swo, .swn).
  • Configure Vim to store swap files outside the web root and deny *.swp at the web server.

01 Understand what a Vim swap file contains

When you open a file in Vim, it immediately creates a swap file in the same directory, named with a leading dot and a .swp extension. For example, editing config.php creates .config.php.swp. This swap file:

  • Starts with the magic bytes b0VIM followed by the Vim version — trivially recognisable as a Vim swap file.
  • Stores the full contents of the file at the time of the last write, plus any unsaved changes in 4 KB blocks.
  • Includes metadata: the original file path, the username of the editor, the hostname, and the process ID of the Vim session.

If the Vim process exits cleanly, the swap file is deleted. But if the SSH session drops, the terminal is closed abruptly, or the server reboots — the swap file stays. Attackers and automated scanners routinely probe for swap files by requesting common filenames like /.env.swp, /.config.php.swp, and /index.php.swp.

The swap file reveals what you were editing. Even if the original file is not publicly accessible, the swap file may contain its full contents — including any passwords, tokens, or keys present at the time of editing.

02 Delete the swap file

Delete the file on the server, confirm it is gone, then verify it's no longer accessible from the web. Swap files can also appear with the extensions .swo and .swn if multiple sessions were open on the same file.

find and delete swap files in the web root (bash)
# find all Vim swap files under your web root
find /var/www/html -name "*.swp" -o -name "*.swo" -o -name "*.swn"

# delete the specific file
rm /var/www/html/.config.php.swp

# verify it's gone
ls -la /var/www/html/.*.sw*

After deleting, request the URL from outside your network to confirm you get a 404, not the file contents.

03 Rotate every exposed credential

Recover the content of the swap file to understand what was in it, then rotate those credentials. You can read a swap file without opening it in Vim:

recover content from a swap file (bash)
# recover the file content from the swap file
vim -r .config.php.swp -c "w /tmp/recovered.txt" -c "q"

# or use strings to extract readable text (case-insensitive match)
strings .config.php.swp | grep -iE "(password|secret|key|token|api)"

For every credential visible in that recovered content:

  1. Database passwords — change the password for that DB user immediately. If the DB was network-accessible, also check connection logs.
  2. API keys and tokens — revoke in the provider's dashboard and generate a replacement. Don't just update the file; revoke the old key explicitly.
  3. App secrets and signing keys — regenerate them; this will invalidate existing sessions and tokens.
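As an added example (not part of this guide): a small Python parser for the block-0 header described in step 01, plus a scanner for credential-looking lines in the swap file's data blocks, which is the triage step 03 does with vim -r and strings. The field offsets follow Vim's struct block0 in memline.c; the swap file it inspects is constructed inline and is not a real capture.

```python
import re
import struct
# Layout of Vim's struct block0 (memline.c): id "b0", 10-byte version string, then page size,
# mtime, inode and pid as little-endian uint32 at offset 12, 40-byte user and host names, file name.
B0_MAGIC = b"b0VIM"
B0_FIELDS = {"version": (2, 10), "user": (28, 40), "host": (68, 40), "file": (108, 890)}
# Credential-looking assignments, e.g. $db_pass = '...' or define('API_KEY', "...")
SECRET_RE = re.compile(
    rb"(pass(?:word|wd)?|secret|token|api[_-]?key)['\"]?\s*[=:,]\s*['\"]?([^'\"\s;,)\0]+)", re.I)

def _cstr(buf, off, size):  # NUL-terminated string stored at buf[off:off+size]
    return buf[off:off + size].split(b"\0", 1)[0].decode("utf-8", "replace")

def parse_swap_header(data):
    """Return the block-0 metadata of a Vim swap file, or None if data is not one."""
    if len(data) < 1008 or not data.startswith(B0_MAGIC):
        return None
    page_size, mtime, ino, pid = struct.unpack_from("<IIII", data, 12)
    meta = {name: _cstr(data, off, size) for name, (off, size) in B0_FIELDS.items()}
    meta.update(page_size=page_size, mtime=mtime, inode=ino, pid=pid)
    return meta

def find_secrets(data):
    """List (key, value) pairs that look like credentials in the "dp" data blocks."""
    meta = parse_swap_header(data)
    if meta is None:
        return []
    hits, page = [], meta["page_size"]
    for off in range(page, len(data), page):
        block = data[off:off + page]
        if block[:2] != b"dp":  # skip pointer blocks ("pt") and anything unknown
            continue
        for m in SECRET_RE.finditer(block):  # text lines in a data block are NUL-terminated
            hits.append((m.group(1).decode().lower(), m.group(2).decode("utf-8", "replace")))
    return hits

def build_sample_swap():
    """Constructed sample (not a real capture): a swap file for /var/www/html/config.php."""
    b0 = bytearray(4096)
    b0[0:9] = b"b0VIM 9.0"
    struct.pack_into("<IIII", b0, 12, 4096, 1700000000, 12345, 4242)
    b0[28:34], b0[68:74] = b"deploy", b"web-01"
    b0[108:132] = b"/var/www/html/config.php"
    dp = bytearray(4096)
    dp[0:2] = b"dp"
    text = b"<?php\0$db_pass = 'Hunter2!';\0define('API_KEY', \"sk_live_abc123\");\0"
    dp[-len(text):] = text  # Vim fills the text area of a data block from the end backwards
    return bytes(b0 + dp)
```

Run it against a real leftover file with `find_secrets(open(path, "rb").read())`; every key it reports is one to rotate, and the header tells you which file, user and host it came from.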

04 Find other swap files in the web root

Where there's one swap file, there are often others. Developers edit multiple files in a web root over time. Run a thorough scan:

comprehensive swap file hunt (bash)
# all Vim swap files, recursively
find /var/www -name ".*.sw[ponmlkj]" -type f 2>/dev/null

# also check for emacs backup files while you're here
find /var/www -name "*~" -o -name "#*#" 2>/dev/null

For each file found: determine what original file it corresponds to, recover the content, rotate any credentials inside, and delete the swap file.

05 Prevent swap files from landing in the web root

There are two complementary approaches: configure Vim to store swap files elsewhere, and configure your web server to refuse to serve them even if they appear.

redirect swap files to a safe directory (~/.vimrc)
" Store swap files in ~/.vim/swap instead of alongside the edited file
set directory=~/.vim/swap//,/tmp//
" Create the directory if it doesn't exist
silent !mkdir -p ~/.vim/swap

deny swap files at nginx (/etc/nginx/sites-enabled/…)
location ~ \.(swp|swo|swn|bak|orig|save)$ {
    deny all;
    return 404;
}

Also add *.swp to your .gitignore so that any swap file accidentally left behind in the project directory can never be committed to the repository and deployed from there.

The safest practice is to never edit config files in the web root directly. Edit them in a staging area or through a secrets manager, then deploy. This eliminates the swap file risk entirely.
