Watch Your WordPress Plugins Directory

by Jeremy Schoemaker on July 3, 2007 · 67 comments

This is a expansion on marks article today on weblog tools collection:

Check this link See all the peoples wordpress directory’s that are open for public browsing? eek!

Why is this dangerous? Well when a exploit is found (its never if its always when) people can EASILY use Google to find who is running what plugin and exploit your server. Most of the plugins have not been gone over very well for security and I expect there are many out there that allow remote shell and various db exploits but just have not been uncovered yet.

Now who is at fault for this?

I blame #1 – you. You should have disabled public browsing of folders.

I blame #2 – WordPress. C’mon Matt just put a blank index.php file in the folder =P

I was first alerted about this by Bill Hartzer last month and I just simply made a blank index.php file in my WordPress directory.

BUT as you can see google has a really through index of my wordpress directorys (yes i failed rule #1)

So now

Here is how you disable it in .htaccess -

Options All -Indexes

Now this is not a major security flaw of wordpress or a huge security risk im not trying to make it sound like that… I just think a little work on your part(s) could potentially avoid a security issue.

full disclosure

About the author...

– who has written 2896 posts on

Jeremy "ShoeMoney" Schoemaker is the founder & CEO of the ShoeMoney Blog, Elite Retreat Internet Conference, & the PAR Program. In 2013 Jeremy released his #1 Amazon Best selling Autobiography titled "Nothing's Changed But My Change" - The ShoeMoney Story. Jeremy currently lives in Lincoln Nebraska with his wife and 2 daughters.

Michelle recommends you check out these amazing posts:

  1. Shoemoney Featured Post How to figure out why your emails are getting delivered to spam
  2. blueglass-20101012-225302 Men (And Women) Of Honor – In An Industry That Does Not Have Much
  3. stfu Knowing When to STFU


1 nick

What’s a person (hacker) going to do if they saw the index of someone’s directory? I mean, you really can’t hack the files themselves… just curious.

2 Bill Hartzer

Nick, there’s technically not a security issue when you leave your wordpress plugins open for everyone to see. I haven’t seen any cases yet of it being a security issue. But, a lot of people are really proud of which plugins they have installed, and some have a few custom plugins that are being used. Also, there’s an issue with revealing the plugins you’re using to help stop spam comments.

Potentially, I could see someone figuring out which plugins you’re using to stop comment spam, for example, and using a script that gets around whatever you’re using to stop it.

3 Erik

I think what Shoe was saying if there is a plugin that turns out to have a security issue, you could use google to find sites that were using that plugin.

4 Jayson Williams

Thanks for bringing this up as I see what you are saying. They could come in through one of your plugins that has flaws and is new and hasnt had its bugs fixed. There are simple ways to prevent this but many people do not do them for whatever reason.

5 How To Buy Websites

Which directory exactly are you talking about? The plugins directory? or all of them?

6 Eduardo Maio

Are you running sitemaps for them to totally index your website or are you linking directly to your wp-content folder?

7 Bill Hartzer

How To Buy Websites, it’s the /wp-content/plugins folder.

Erik, it’s not just the security issue that you mention…I actually don’t want anyone to see which plugins I’m running because some of them have to do with getting more traffic to the site, including RSS-related plugins and links plugins, etc. etc.

8 TheHostHunter

I wish it was an industry standard for web hosts to make all new accounts come with forbidden public indexes. People can just see way too much when people forget or don’t even know about this “feature”.

9 Bill Hartzer

TheHostHunter, if you’re having issues like this then it sounds like you need to get another web host. There are web hosts out there that will take care of you, you just need to find one.

In this case, though, WordPress could actually put default index files in certain directories…just for this reason.

10 Scot Smith

Good tip.
Thanks for the reminder to index all of my directories.

11 Scot Smith

Turns out MediaTemple is already on top of this. I didn’t realize but they deny access to any directory without an index page. Neat :) I don’t even have to edit my .htaccess.

12 CPA Affiliates

great point but some cheap hosts have already taken care of this.

13 Kn10

This can be a security risk. Its not a “OMG PATCH UR SERVERS NOW!” risk. But it helps a potential hacker.

How to try and hack a wordpress site in 3 simple steps:

Step 1: Visit the plugins folder and view the plugins they are running.
Step 2: Google for any exploits or try and compare old versions and new versions of security patches and see what they patched up for those particular plugins.
Step 3: Attempt hack.

14 TheHostHunter

Yeah I have accounts where this was taken care of and others where it is not. Not a big deal for me as it’s something that I always check, but definitely one of those things I wish hosts would be smart enough and enable by default to make everyone’s life easier.

15 jim

Good thought, thanks Shoe.

16 nick

yea those are some very valid points. I have heard about the possible security issues, but never knew exactly what they were.

17 Ken Savage

all the more reason you should have disabled public browsing of folders in your Apache setup.

18 Ken Savage

true but it’s good to just add a blank index file in there too.

19 ritchie

It tells you excactly which plugins are in use. btw: I use this index file and redirect to my hp; it resides within every folder I want to restrict access to:

20 ritchie

It’s enough to know which files are there, it’s best to put a redirecting (to homepage) index file into every directory you wann restrict access to.

21 ritchie

Actually, it’s all of them if you configure access via index-files.

22 The Dino

I hope I have everywhere blank index pages…

23 eTown Landlord

rip off all kinds of content from mp3 to ringtones to resale ebooks. it never ceases to amaze me what you can find when searching the open indexes. It’s fun.

24 eTown Landlord

I’m not a php person but could you download the plugins from these open directories and install them on your own wordpress blog?

25 A.J.

eTown, you would not necessarily be able to download the plugins themselves. If the server is configured correctly, it should try to execute the plugin as a stand alone PHP file and would in most cases return an error. The biggest concern is that if a plugin is exploitable, Google gives those desiring to take advantage of it a list of sites that have that plugin in use. Think of it like putting yourself on a “hack me please” list.

26 website copywriter

See, I didn’t know that. This is very interesting, thanks for the additional info!

27 Travel Notebook

I dont let anybody see into any folders on my servers. There is just no reason to allow it.

28 eTown Landlord

thanks AJ for the insight.

29 JerkyBeef

thanks shoemoney… i never thought to even look into that…

30 Bill Hartzer

No, you cannot download the plugins themselves from that person’s install of WordPress. You can download or click on the file but it will try to execute the php file instead. You can get ahold of anything else like readme files and other files that might be in the folders, though.

I personally am not as concerned over the security risk as the fact that I personally want to stop people from knowing what plugins I have running. Some of them are helping me get more links and others are custom plugins. I just don’t want people knowing which plugins I’m running…you may not care.

31 Learn SEO

Thanks shoemoney, now I have my site protected against directory browsing.

32 Cheng-Hao Liang

yea i just had installed wordpress it is sweet as hell

33 Paul.

I enjoy little post of code like this.

34 Joeychgo

Very good advice — Very good.

35 Dennis Bjørn Petersen

Thank you very much for bringing this up. As you mention this isn’t the biggest security risk, but you might as well close the small and easy ones.

36 SEO Reloaded

It is always a good idea to secure your Wordpress Blog Folder, just like it should be done for images folder. Many people don’t put an ‘Access Denied’ on their images and files folders which is not a good habit.

37 Modern Worker

Yikes, I just found this post and am gonna be getting all over htaccess asap. Security is something that needs to be better improved upon, I agree. Matt’s reactions to things lately have been, well, odd.

38 Trevor McNotDonald

Thanks for the heads-up on this shoe, much appreciated

39 Emil Nasarenko

I need help. I am trying to install some plugins for my wp site. everything tells me to upload to my wp-contents/plugins folder. I have found this but how do i upload to it. I am not a computer literate as i would like to be so please consider me as a dummy.

40 Real Cash Gifting

AWESOME share, thanks!

41 usedwatchesreview

Some very interesting and insightful thoughts. I like this.

Previous post:

Next post: