Watch Your WordPress Plugins Directory


This is an expansion on Mark's article today on Weblog Tools Collection:

Check this link. See all the people's WordPress directories that are open for public browsing? Eek!

Why is this dangerous? Well, when an exploit is found (it's never "if", it's always "when"), people can EASILY use Google to find who is running what plugin and exploit your server. Most of the plugins have not been gone over very well for security, and I expect there are many out there that allow remote shells and various DB exploits but just have not been uncovered yet.

Now who is at fault for this?

I blame #1 – you. You should have disabled public browsing of folders.

I blame #2 – WordPress. C'mon Matt, just put a blank index.php file in the folder =P

I was first alerted about this by Bill Hartzer last month and I just simply made a blank index.php file in my WordPress directory.

But as you can see, Google has a really thorough index of my WordPress directories (yes, I failed rule #1).

So now, here is how you disable it in .htaccess (use the relative form below: the often-quoted "Options All -Indexes" mixes absolute and relative Options syntax, which Apache's syntax check rejects, and in a .htaccess file that means a 500 error instead of protection):

Options -Indexes

Now, this is not a major security flaw in WordPress or a huge security risk; I'm not trying to make it sound like that. I just think a little work on your part(s) could potentially avoid a security issue.
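As an added example (my own, not code from the post or from WordPress), here is a POSIX shell script that does both fixes the post describes in one pass: it drops a blank index.php into every directory under wp-content that lacks one, and appends "Options -Indexes" to the site's .htaccess only if it is not already there. It also goes one step beyond the post with a small check that tells you whether a saved response body from your own site is an Apache auto-index listing (mod_autoindex titles its pages "Index of /..."). It assumes Apache httpd with AllowOverride permitting Options in .htaccess; the demo tree at the bottom is constructed in a temp directory so the script runs stand-alone.

```shell
#!/bin/sh
# Added example, not code from the original post or from WordPress itself.
# Assumptions: Apache httpd with AllowOverride Options allowed for the site
# root (otherwise the .htaccess line is ignored), and a POSIX sh with mktemp.

# Apache's mod_autoindex titles its listings "Index of /path". Save a
# response body from your own site (curl -s URL > body.html) and test it.
is_directory_listing() {
    grep -qi '<title>Index of /' "$1"
}

# Number of directories under $1 that have no index.php (0 means all covered).
count_unprotected_dirs() {
    find "$1" -type d ! -exec sh -c 'test -e "$1/index.php"' sh {} \; -print \
        | wc -l | tr -d ' '
}

# Create a blank index.php wherever one is missing. A file holding only the
# PHP open tag renders as an empty page instead of a listing.
add_blank_indexes() {
    find "$1" -type d ! -exec sh -c 'test -e "$1/index.php"' sh {} \; -print |
    while IFS= read -r d; do
        printf '<?php\n// Silence is golden.\n' > "$d/index.php"
    done
}

# Append "Options -Indexes" to ROOT/.htaccess once (idempotent). The relative
# form is used because Apache rejects mixing "All" with "-Indexes".
disable_indexes_htaccess() {
    ht="$1/.htaccess"
    if [ -f "$ht" ] && grep -q '^Options[[:space:]]*-Indexes' "$ht"; then
        return 0
    fi
    printf 'Options -Indexes\n' >> "$ht"
}

# Apply both protections to a WordPress install rooted at $1.
harden_wp_tree() {
    add_blank_indexes "$1/wp-content"
    disable_indexes_htaccess "$1"
}

# Constructed demo tree (not a real site) so the script can run offline.
# Five directories lack index.php; wp-content itself already has one.
make_demo_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins/akismet" \
             "$tmp/wp-content/themes/default" \
             "$tmp/wp-content/uploads"
    printf '<?php\n' > "$tmp/wp-content/index.php"
    # Two constructed response bodies: one autoindex page, one normal page.
    printf '<html><head><title>Index of /wp-content/plugins</title></head></html>\n' \
        > "$tmp/listing.html"
    printf '<html><head><title>My Blog</title></head></html>\n' > "$tmp/page.html"
    echo "$tmp"
}

demo=$(make_demo_tree)
echo "unprotected dirs before: $(count_unprotected_dirs "$demo/wp-content")"
harden_wp_tree "$demo"
echo "unprotected dirs after:  $(count_unprotected_dirs "$demo/wp-content")"
is_directory_listing "$demo/listing.html" && echo "listing.html looks like an autoindex page"
rm -rf "$demo"
```

Run it against a real install with `harden_wp_tree /path/to/wordpress` after sourcing the file. Creating the index.php files is the portable half of the fix (it works even where the host ignores .htaccess); the Options line is what actually turns the feature off, so re-check with the listing test after a host migration or an Apache upgrade.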

67 thoughts on "Watch Your WordPress Plugins Directory"

  1. nick

    What’s a person (hacker) going to do if they saw the index of someone’s directory? I mean, you really can’t hack the files themselves… just curious.

  2. Bill Hartzer

    Nick, there's technically not a security issue when you leave your WordPress plugins open for everyone to see. I haven't seen any cases yet of it being a security issue. But a lot of people are really proud of which plugins they have installed, and some have a few custom plugins that are being used. Also, there's an issue with revealing the plugins you're using to help stop spam comments.

    Potentially, I could see someone figuring out which plugins you’re using to stop comment spam, for example, and using a script that gets around whatever you’re using to stop it.

  3. Erik

    I think what Shoe was saying is that if there is a plugin that turns out to have a security issue, you could use Google to find sites that were using that plugin.

  4. Jayson Williams

    Thanks for bringing this up, as I see what you are saying. They could come in through one of your plugins that has flaws and is new and hasn't had its bugs fixed. There are simple ways to prevent this, but many people do not do them for whatever reason.

  5. How To Buy Websites

    Which directory exactly are you talking about? The plugins directory? or all of them?

  6. Pingback: Shoemoney talks about Protecting the Plugins directory of Wordpress

  7. Bill Hartzer

    How To Buy Websites, it’s the /wp-content/plugins folder.

    Erik, it’s not just the security issue that you mention…I actually don’t want anyone to see which plugins I’m running because some of them have to do with getting more traffic to the site, including RSS-related plugins and links plugins, etc. etc.

  8. TheHostHunter

    I wish it was an industry standard for web hosts to make all new accounts come with forbidden public indexes. People can just see way too much when people forget or don’t even know about this “feature”.

  9. Bill Hartzer

    TheHostHunter, if you’re having issues like this then it sounds like you need to get another web host. There are web hosts out there that will take care of you, you just need to find one.

    In this case, though, WordPress could actually put default index files in certain directories…just for this reason.

  10. Scot Smith

    Turns out MediaTemple is already on top of this. I didn’t realize but they deny access to any directory without an index page. Neat :) I don’t even have to edit my .htaccess.

  11. Pingback: Exploited Wordpress Plugins Directory » Sha Money Maker dot com

  12. Kn10

    This can be a security risk. It's not an "OMG PATCH UR SERVERS NOW!" risk. But it helps a potential hacker.

    How to try and hack a wordpress site in 3 simple steps:

    Step 1: Visit the plugins folder and view the plugins they are running.
    Step 2: Google for any exploits or try and compare old versions and new versions of security patches and see what they patched up for those particular plugins.
    Step 3: Attempt hack.

  13. TheHostHunter

    Yeah I have accounts where this was taken care of and others where it is not. Not a big deal for me as it’s something that I always check, but definitely one of those things I wish hosts would be smart enough and enable by default to make everyone’s life easier.

  14. nick

    yea those are some very valid points. I have heard about the possible security issues, but never knew exactly what they were.

  15. ritchie

    It's enough to know which files are there; it's best to put a redirecting (to homepage) index file into every directory you want to restrict access to.

  16. Pingback: Devil Works :: Wordpress Security Warning

  17. eTown Landlord

    Rip off all kinds of content, from mp3s to ringtones to resale ebooks. It never ceases to amaze me what you can find when searching the open indexes. It's fun.

  18. A.J.

    eTown, you would not necessarily be able to download the plugins themselves. If the server is configured correctly, it should try to execute the plugin as a stand alone PHP file and would in most cases return an error. The biggest concern is that if a plugin is exploitable, Google gives those desiring to take advantage of it a list of sites that have that plugin in use. Think of it like putting yourself on a “hack me please” list.

  19. Pingback: Wordpress forgets to add blank index files in some folders. Add them to make your site more secure.

  20. Pingback: Is Your Blog Secure? » The Beef Jerky Blog

  21. Pingback: Wordpress Plugins Directory | Junyor & Company

  22. Bill Hartzer

    No, you cannot download the plugins themselves from that person’s install of WordPress. You can download or click on the file but it will try to execute the php file instead. You can get ahold of anything else like readme files and other files that might be in the folders, though.

    I personally am not as concerned over the security risk as the fact that I personally want to stop people from knowing what plugins I have running. Some of them are helping me get more links and others are custom plugins. I just don’t want people knowing which plugins I’m running…you may not care.

  23. Pingback: This Week In SEO - 7/6/07 - TheVanBlog

  24. Pingback: Protect your wordpress Plugins directory | Paradise Philippines - My Online Web Journey

  25. Pingback: How To Secure Your WordPress Blog Folder?

  26. SEO Reloaded

    It is always a good idea to secure your WordPress blog folder, just like it should be done for the images folder. Many people don't put an 'Access Denied' on their images and files folders, which is not a good habit.

  27. Modern Worker

    Yikes, I just found this post and am gonna be getting all over htaccess asap. Security is something that needs to be better improved upon, I agree. Matt’s reactions to things lately have been, well, odd.

  28. Pingback: Can anyone view your WordPress plugins?

  29. Pingback: Can anyone view your WordPress plugins? | The Digital Security Report

  30. Pingback: Three tips to protect your WordPress installation

  31. Pingback: AllIPTech » Blog Archive » Three tips to protect your WordPress installation

  32. Pingback: Matt Cutts: Three tips to protect your WordPress installation «

  33. Pingback: Matt Cutts: Three tips to protect your WordPress installation at

  34. Pingback: Secure your Wordpress Instalation

  35. Pingback: For a more secure WordPress » Single Post » Kenan Hûdabi

  36. Pingback: For a secure WordPress

  37. Pingback: Teknoloji Haberleri » Blog Archive » For a secure WordPress

  38. Emil Nasarenko

    I need help. I am trying to install some plugins for my WP site. Everything tells me to upload to my wp-content/plugins folder. I have found this, but how do I upload to it? I am not as computer literate as I would like to be, so please consider me a dummy.

  39. Pingback: Three tips to protect your WordPress installation - Riks blog

  40. Pingback: How To Disable Directory Browsing On Your Wordpress Blog Easily | Make Money Online Philippines |

  41. Pingback: » For a secure WordPress | Bunudamı duymadın?

  42. Pingback: For a secure WordPress | Wordpress Dünyası | 2009 | @ A project assignment | Welcome…

  43. Pingback: Protecting your WordPress installation « Flanux [We]Blog

  44. Pingback: Three tips to protect your WordPress installation - 章佳元博客, an original IT blog on web applications, e-commerce, site operations and web programming

  45. Pingback: WordPress Security: Secure WordPress Installations

Comments are closed.