Did you know that on most hosts the WordPress plugins folder is perfectly visible to anybody with an internet connection? This isn’t a WordPress bug as such: Apache’s directory indexing is switched on by default on many hosting accounts, so any folder without an index file gets its contents listed on request.
What could such information be used for? I’m not a hacker, but the use is easy to guess: the listing tells a stranger exactly which plugins you run (and often, from each plugin’s readme.txt, which version), which is the first thing anyone hunting for a known hole wants to know.
Try typing http://www.yourdomain.com/wp-content/plugins/ in your browser and see what you get. A page titled “Index of /wp-content/plugins” means the listing is on.
There are at least two ways of preventing this:
1. Create an empty index.html file and upload it to your plugins directory, so the server hands out that blank page instead of a listing (tip sent by Pearl from Fresh-Perspectives.net, who also told me about this issue. More tips on WordPress security are available via Online Tech Tips). A very nice implementation of this solution can be seen at JohnCow.com. Keep in mind that this hides only the listing of that one folder: anyone who already knows a plugin’s name can still request its files directly, and the themes and uploads folders need their own index.html.
2. In your FTP program, change the permissions of the plugins folder from 0755 to 0750, which removes read and execute for “everyone else” (in FireFTP, right-click the folder, select Properties, change the figure in the next window and press OK). Be aware of what this actually does: visitors have no account on your server, so the only thing you are locking out is the web server process itself, whenever it is not the owner of the folder. On a host where PHP runs as your own user but Apache runs as a separate account such as www-data, the listing disappears (Apache answers 403 Forbidden, not your 404 page, unless the host has customised it) but so does every static file a plugin serves from that folder, its CSS, JavaScript and images, which is why some plugins break. Where PHP also runs as that separate account, nothing in the folder loads at all.
Later update: following Jeff’s comment, change only the permissions of the folder itself, not of its contents. Even then, the limits above apply: a folder the server cannot enter blocks everything beneath it, whatever the files’ own permissions say, so if anything misbehaves put the folder back to 0755 and use the .htaccess fix instead.
One-day-after update: one of our loyal readers, LGR, pointed to a third solution, which is by far the most elegant of all: Disable Indexes using .htaccess. Add this line to the .htaccess file in your WordPress root folder:
Options -Indexes
(note the plural; “Option -Indexes” is not a valid directive and Apache will refuse to serve the site until it is fixed). This turns off Apache’s automatic listing for every folder beneath the root that has no index file, without touching permissions or plugin files, so nothing breaks. Someone requesting the bare folder now gets 403 Forbidden, which you can route to your own error page with an ErrorDocument 403 line. The one requirement is that your host lets .htaccess set Options (AllowOverride Options); if it doesn’t, Apache answers every request with a 500 error until you remove the line, and you’ll have to ask the host or use its control panel instead.
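As an added example (it is not part of the original post, and not code from this blog, from WordPress or from any host), here is a small POSIX shell script that does both halves of the job: it recognises an Apache autoindex page and pulls the plugin names out of it, which is exactly what a visitor to /wp-content/plugins/ is handed, and it applies solutions 1 and 3 to a WordPress root. The sample HTML, the document-root path and the list of folders are constructed assumptions; only the autoindex markup and the Options -Indexes directive are Apache’s own.

```shell
#!/bin/sh
# Added example (not from the original post): detect an exposed
# wp-content/plugins listing and apply the fixes discussed above.
# The document root, the sample HTML and the folder names are
# constructed for illustration; the autoindex markup and the
# Options -Indexes directive are Apache's own.
#
# Usage:  . ./wp-listing.sh
#         check_site https://www.yourdomain.com   # live check, needs curl
#         disable_indexes /path/to/wordpress     # on the server

# --- attacker's view -------------------------------------------------

# Succeed (exit 0) if the HTML on stdin is an Apache autoindex page.
# mod_autoindex always titles the page "Index of /<path>".
is_dir_listing() {
    grep -qi '<title>Index of /'
}

# Print the sub-directory names an autoindex page exposes, one per line.
# Apache renders each folder entry as <a href="name/">name/</a>; the
# parent link (href="/wp-content/"), the sort links (href="?C=N;O=D")
# and plain files (no trailing slash) do not match and are dropped.
list_plugins() {
    sed -n 's|.*<a href="\([^"/]*\)/">.*|\1|p'
}

# Live check against a site (network access; not exercised offline).
check_site() {
    body=$(curl -fsSL "$1/wp-content/plugins/") || {
        echo "$1: no listing served (non-2xx response)"; return 0; }
    if printf '%s\n' "$body" | is_dir_listing; then
        echo "$1: directory listing ENABLED, plugins exposed:"
        printf '%s\n' "$body" | list_plugins | sed 's/^/  /'
        return 1
    fi
    echo "$1: no directory listing"
}

# --- defender's fixes ------------------------------------------------

# Solution 3: append "Options -Indexes" to the root .htaccess, once.
# Needs AllowOverride Options on the host; otherwise Apache answers 500
# and the line has to be removed again.
disable_indexes() {
    htaccess="$1/.htaccess"
    if ! grep -qs '^Options -Indexes' "$htaccess"; then
        printf '# Disable directory listing\nOptions -Indexes\n' >> "$htaccess"
    fi
}

# Solution 1: empty index.html in the commonly browsed folders, for
# hosts that ignore .htaccess. Folders that already have an index file
# are left alone. (Folder list is an assumption; extend as needed.)
add_index_files() {
    for d in plugins themes uploads; do
        dir="$1/wp-content/$d"
        if [ -d "$dir" ] && [ ! -e "$dir/index.html" ] && [ ! -e "$dir/index.php" ]; then
            : > "$dir/index.html"
        fi
    done
}

# Constructed sample: what Apache returns for an unprotected folder.
SAMPLE_LISTING=$(cat <<'EOF'
<html><head><title>Index of /wp-content/plugins</title></head><body>
<h1>Index of /wp-content/plugins</h1>
<table><tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/wp-content/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="akismet/">akismet/</a></td><td>2008-01-10 12:00</td></tr>
<tr><td><a href="hello.php">hello.php</a></td><td>2008-01-10 12:00</td></tr>
<tr><td><a href="wp-super-cache/">wp-super-cache/</a></td><td>2008-01-10 12:00</td></tr>
</table></body></html>
EOF
)

# Constructed sample: an ordinary blog page, for comparison.
SAMPLE_PAGE='<html><head><title>My blog</title></head><body>Hello</body></html>'

# Offline demo on the constructed samples and a temporary document root.
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | is_dir_listing && echo "sample listing detected; exposed plugins:"
    printf '%s\n' "$SAMPLE_LISTING" | list_plugins | sed 's/^/  /'
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins" "$root/wp-content/themes"
    disable_indexes "$root"
    add_index_files "$root"
    echo "--- $root/.htaccess:"; cat "$root/.htaccess"
    echo "--- plugins folder now holds:"; ls "$root/wp-content/plugins"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `sh wp-listing.sh --demo` to see the detection and the generated files, or source it and call `check_site` against your own domain. Once indexes are off, Apache answers the bare folder with 403 Forbidden rather than 404, unless an ErrorDocument line in the same .htaccess says otherwise.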
Can you guess whose plugins I’ve just seen before writing this post?
18 Comments
Interesting. I’ve now added an index.html which automatically redirects to the homepage. Changing the permissions to 750 actually broke some of my plugins.
Thanks Jeff. I changed permissions and my plugins are still OK (at least at first sight).
I’ve gone ahead and added my index.html to my WP-Content/Themes folder as well.
Okay, I need help.
I am not able to change permissions on this folder… I see the box but it won’t let me type over it! Am I missing something? I feel so dumb!
Instead of creating orphaned index.html files it is much easier to add one line to a .htaccess file in the root folder to prevent Apache from returning the default index in the first place. This one line:
Options -Indexes
will stop everyone from browsing all the folders that don’t have an index.html file. I talk more about it on my blog here: Disable Indexes using .htaccess
I wasn’t able to change permissions on the plugins folder, so I tried adding Options -Indexes, and there is a warning at the top of the file saying I am not using a utf-8 language file and saving data in utf-8 will give errors! Now I am completely frustrated.
None of the options seems to be working for me! I’m going to try their live support!
I protected my WP plugins folder a short while ago after reading Lucia’s post on the same subject at
http://money.bigbucksblogger.com/two-ways-hide-your-secrets-from-google-and-everyone-else/
which also suggested the far neater .htaccess solution outlined by LGR above. If you are making good use of your error pages it’s even better
LGR, thank you, yours is by far the most elegant solution. And we can take advantage of the error page, as Maurice suggests
Pearl, in FireFTP, in that screen where you are supposed to change the figures, you can un-tick the options “read” and “execute” in the Public group.
No problem. I hope it helps people. It also logs the request as an error so people have a better idea who might be poking around. That can always be useful, because often it is the spammers snooping for a hole.
Yes, LGR, this discussion surely helped me in realizing that we should pay more attention to security.
Awesome. I was wondering about how to do that. I used the index.html thing and got an error in my dashboard, so I think I’ll try the permissions change.
Hi Jenny, you can also try the solution suggested by LGR in the comments here. It’s the best one.
Awesome. Came across this from Jeffro’s site (http://www.jeffro2pt0.com).
Very useful, since you never know.
Thanks for the heads up!
You are welcome, Mike, I’m glad you found this useful.
I had no idea that my plugins were showing! Thanks for the warning and the solutions.
Ha, ha! You are welcome, Misha.
I forgot about indexes on my site and have it now sorted.
Here’s an alternative solution that you can use if you have cPanel: go to Index Manager, then click on public_html and set it to the “No indexes” option.
You will now be shown a 404, which you can customize, if anyone tries to access a directory without an index page.
Hey, Get Camping, thanks for the tip. Too bad Dreamhost doesn’t have cPanel, they use their own software, which is quite different from cPanel. I’ll take a look to see if it works.
2 Trackbacks
[...] Hey WordPress Blogger, I Can See Your Plugins! – Simonne [...]
[...] Deny Access to Other Folders – Many web hosting by default allow people to browse a folder if there is no default index.html file. This can be a security concern for folders like your WordPress plugins folder. You can prevent people from snooping in these folders by adding blank index.html files or setting up an htaccess file to prevent browsing of folders without indexes. You can read more on All Tips and Tricks. [...]