How’s Your Wp-Content/Plugins Folder Doing? Secure? Are You Sure?

I’m embarrassed to say that I actually knew this tip a while ago, but never got around to implementing it until I read about it *again* today. Embarrassed because this blog has been hacked a few times, and in a fairly devious fashion as well, sometimes perhaps because of an old Wordpress installation — or perhaps because of insecure folders (which makes me think someone behind Wordpress should really fix it).

What’s this tip? Oh, a simple fix for securing your plugins folder.

If you’re running Wordpress, unless you’ve already locked down your wp-content folder with some .htaccess fixes, you may not notice that your wp-content/plugins folder is naked and bare to the world. That is, navigate to http://www.yourblogname.com/wp-content/plugins and you may find a directory listing of your plugins folder, files and all, because the web server generates a listing for any directory that has no index file. How do you fix it? Easy. Just upload an empty index.html into the wp-content/plugins folder and it’s all fixed: the server now serves that blank page instead of the listing.

Just out of curiosity, I decided to check the plugins folders of some other bloggers that I knew. While some did have this fixed, a surprising number did *not*.

If you haven’t locked down your plugins folder, please do so, because for many people it’s showing, and it’s just about as easy to fix as doing up your zipper.
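A defensive way to apply the fix across the whole wp-content tree rather than only the plugins folder, as an added example that is not part of the original post: a POSIX shell function that switches off Apache directory listings with `Options -Indexes` (so a listing request gets a 403) and also drops an empty index.html into every subdirectory that has no index file. The wp-content path is an assumed argument; adjust it for your install.

```shell
#!/bin/sh
# Added example (not from the post): harden a wp-content tree against
# directory listings. Usage: harden_wp_content /path/to/wp-content

# harden_wp_content DIR
#   DIR is the wp-content directory (assumed path). Prints each placeholder
#   it creates; returns 0 on success, 1 if DIR is not a directory.
harden_wp_content() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    # 1. Tell Apache not to generate listings anywhere under wp-content.
    #    With Options -Indexes a directory without an index file returns 403.
    #    Only append the directive if it is not already present (idempotent).
    if [ ! -f "$root/.htaccess" ] || ! grep -q '^Options -Indexes' "$root/.htaccess"; then
        printf 'Options -Indexes\n' >> "$root/.htaccess"
    fi

    # 2. Belt and braces: an empty index.html in every directory that has no
    #    index.php / index.html / index.htm, so a host that ignores .htaccess
    #    still serves a blank page rather than a listing.
    find "$root" -type d | while IFS= read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ] && [ ! -e "$d/index.htm" ]; then
            : > "$d/index.html"
            echo "added placeholder: $d/index.html"
        fi
    done
}

# count_unindexed DIR
#   Prints the number of directories under DIR still lacking an index file;
#   "0" once the tree is hardened. Useful as a quick audit on its own.
count_unindexed() {
    find "$1" -type d | while IFS= read -r d; do
        [ -e "$d/index.php" ] || [ -e "$d/index.html" ] || [ -e "$d/index.htm" ] || echo "$d"
    done | wc -l | tr -d ' '
}
```

Run `count_unindexed` first to see how many folders are exposed, then `harden_wp_content` to fix them; rerunning is safe because existing index files are left alone and the .htaccess line is only added once.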

6 Comments

  1. Posted January 20, 2008 at 1:41 pm

    Pardon the newbie question, but what can a person actually do with access to a list of your plugins? Is this a dangerous breach or, to use your metaphor, more like having your zipper down? If it is a dangerous breach, should we be doing this with all our folders (or, at least those without existing index pages, that is)?

  2. Posted January 20, 2008 at 2:15 pm

    Ouch! I did NOT realize this! I put a simple redirect in a meta tag on the index.html page I just put up. Why is this not handled by WordPress gracefully?

  3. Posted January 20, 2008 at 2:18 pm

    Also, must it be a blank index page, or can one leave a snarky message for directory surfers? :-D

  4. Posted January 20, 2008 at 6:50 pm

    I would not recommend allowing others to browse your directories in the first place. If you turn off directory browsing, visitors will get a 403 error on any directory that doesn’t have an index page.

    Soni: Of course you can leave a snarky message! It just needs to be ANY page called index.[php or html or htm ...] so that you can’t browse inside the directory.

  5. Posted March 19, 2008 at 8:37 am

    It’s not enough. If I know that a certain plugin has a security issue, I can simply write down the URL to that plugin. If I get anything else other than a 403, then I know you have that plugin, and I can start working on it.

  6. Posted April 14, 2008 at 5:28 pm

    Hey, I have a major problem. I saw on a screenshot from a Wordpress administration screen that there was a PLUGINS tab. I don’t see that in my administration screen. How can I get that PLUGINS tab on mine?
    Is there someone that can do that for me?? Anyone??

7 Trackbacks

  1. [...] Deep Jive Interests wrote an interesting post today on How’s Your Wp-Content/Plugins Folder Doing? Secure? Are You Sure? Here’s a quick excerpt: I’m embarrassed to say that I actually knew this tip a while ago, but never got around to implementing it until I read about it *again* today. Embarrassed because this blog has been hacked a few times, and in a fairly devious fashion as well, sometimes perhaps because of an old Wordpress installation — or, perhaps because of insecure folders (which makes me think someone behind Wordpress should really fix it). What’s this tip? Oh, a simple fix to get around securing your Plugins folder. If yo [...]

  2. By FUZZZ.GAULIN.ca » » Secure Your Wordpress Plugins on January 19, 2008 at 12:34 pm

    [...] Tony Hung over on Deep Jive has an important post on securing your Wordpress plugins directory. As it stands out of the box, the plugins directory is not protected and can easily be directory browsed. Considering you could be running an insecure plugin, having the directory open to browsing is not a great idea. [...]

  3. By Pages tagged "surprising" on January 19, 2008 at 2:38 pm

    [...] bookmarks tagged surprising How’s Your Wp-Content/Plugins Folder Doing? Sec… saved by 1 others. TuneBabyTenor bookmarked on 01/19/08 [...]

  4. By Lock Down Your WP Blogs! : Cost Per News on January 19, 2008 at 3:14 pm

    [...] Tony Hung has a tremendous reminder / tip / must-do if you’re running a blog on Wordpress: If you’re running Wordpress, unless you’ve already locked down your Wp-content folder with some .htaccess fixes, you may not notice that your Wp-content/plugins folder is naked and bare to the world. That is, navigate to http://www.yourblogname.com/wp-content/plugins and you may find a directory listing of your plugins folder, files and all. How do you fix it? Easy. Just upload an empty index.html into the wp-content/plugins folder and it’s all fixed. [...]

  5. By links for 2008-01-21 | The Marketing Technology Blog on January 21, 2008 at 10:22 am

    [...] Deep Jive Interests » How’s Your Wp-Content/Plugins Folder Doing? Secure? Are You Sure? Are you running WordPress? If you are, be sure to read this post and do what it recommends. I didn’t realize how simple it was to read this directory on a blog by default (tags: wordpress security plugins) [...]

  6. [...] here’s a cool post from Deep Jive Interests, where they say: If you’re running Wordpress, unless you’ve already locked down your Wp-content [...]

  7. By Wordpress plugins installing? on August 15, 2009 at 5:03 am

    [...] Then make sure you add a blank index.html file to your plugins directory – it’s a security issue: http://www.deepjiveinterests.com/2008/01/19/hows-your-wp-contentplugins-folder-doing-secure-are-you-... [...]
