
Watch Your Wordpress Plugins Directory

This is an expansion on Mark's article today on Weblog Tools Collection:

Check this link. See all the people's Wordpress directories that are open for public browsing? Eek!

Why is this dangerous? Well, when an exploit is found (it's never if, it's always when), people can easily use Google to find who is running which plugin and exploit your server. Most plugins have not been reviewed very carefully for security, and I expect there are many out there that allow remote shell access and various database exploits that just have not been uncovered yet.

Now who is at fault for this?

I blame #1 – you. You should have disabled public browsing of folders.

I blame #2 – Wordpress. C'mon Matt, just put a blank index.php file in the folder =P

I was first alerted about this by Bill Hartzer last month and I just simply made a blank index.php file in my Wordpress directory.

BUT, as you can see, Google has a really thorough index of my Wordpress directories (yes, I failed rule #1).

So now, here is how you disable it in .htaccess (this only takes effect if the server's AllowOverride for that directory includes Options; if it does not, an Options line in .htaccess produces a 500 error, and the same line belongs in the server configuration's <Directory> block instead):

Options -Indexes

Note that the often-copied form "Options All -Indexes" mixes an absolute setting (All) with a relative one (-Indexes); Apache documents that mix as invalid syntax, so use the relative form on its own.
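As an added example (not code from the original post), here is a small POSIX shell script that applies both fixes the post recommends, the .htaccess directive above and the blank index.php from the "I blame #2" point, and adds a self-check so you do not have to wait for Google to tell you a folder is listable. It assumes Apache with AllowOverride Options permitted for the web root you pass in and a standard Wordpress layout; the paths and host in the usage comments (/var/www/html, example.com) are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or the Wordpress project.
# Assumes: Apache, AllowOverride Options permitted for the tree you pass in.
#
# Usage (placeholder paths/hosts):
#   add_blank_indexes /var/www/html && disable_autoindex /var/www/html
#   curl -s https://example.com/wp-content/plugins/ | looks_like_listing && echo "still listable"

# Append "Options -Indexes" to ROOT/.htaccess unless a -Indexes line is already there.
# The relative form is used on purpose: "Options All -Indexes" mixes absolute and
# relative settings, which Apache documents as invalid syntax.
disable_autoindex() {
    root="$1"
    htaccess="$root/.htaccess"
    if [ -f "$htaccess" ] && grep -q '^Options[[:space:]].*-Indexes' "$htaccess"; then
        return 0
    fi
    printf '%s\n' 'Options -Indexes' >> "$htaccess"
}

# Print every directory under ROOT that has neither index.php nor index.html,
# i.e. every directory mod_autoindex would happily list.
find_listable_dirs() {
    find "$1" -type d | while IFS= read -r d; do
        [ -e "$d/index.php" ] || [ -e "$d/index.html" ] || printf '%s\n' "$d"
    done
}

# The post's fix: drop an empty index.php into each listable directory.
# An empty file is enough; PHP serves it as a blank 200 instead of a listing.
add_blank_indexes() {
    find_listable_dirs "$1" | while IFS= read -r d; do
        : > "$d/index.php"
    done
}

# Self-check: read an HTTP response body on stdin and exit 0 if it looks like an
# Apache autoindex page (title "Index of /..." or a "Parent Directory" link).
looks_like_listing() {
    grep -q -i -e '<title>Index of /' -e '>Parent Directory<'
}
```

Run the self-check against your own /wp-content/plugins/ after applying the fixes; if it still reports a listing, the .htaccess directive is being ignored (AllowOverride) and the blank index.php files are what is actually protecting you.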

Now, this is not a major security flaw in Wordpress or a huge security risk, and I'm not trying to make it sound like that… I just think a little work on your part could avoid a security issue. One caveat: neither a blank index.php nor -Indexes hides a file from someone who already knows its path (a plugin's readme.txt can still be requested directly); what you remove is the listing that lets a crawler enumerate every plugin for you.


Who's talking about it?

  1. For a Secure Wordpress | Wordpress Dünyası | 2009 | @ A project assignment | Welcome…
  2. » For a secure Wordpress | Duymadim.com: Haven't you heard this one either?
  3. How To Disable Directory Browsing On Your Wordpress Blog Easily | Make Money Online Philippines | Macuha.com
  4. Three tips to protect your WordPress installation - Riks blog
  5. Teknoloji Haberleri » Blog Archive » For a secure Wordpress
  6. For a secure Wordpress
  7. For a more secure Wordpress » Single Post » Kenan Hûdabi
  8. Secure your Wordpress Installation
  9. Matt Cutts: Three tips to protect your WordPress installation at www.tanjadebie.nl
  10. Matt Cutts: Three tips to protect your WordPress installation « www.tanjadebie.nl
  11. AllIPTech » Blog Archive » Three tips to protect your WordPress installation
  12. Three tips to protect your WordPress installation
  13. Can anyone view your WordPress plugins? | The Digital Security Report
  14. Can anyone view your WordPress plugins?
  15. How To Secure Your WordPress Blog Folder?
  16. Protect your wordpress Plugins directory | Paradise Philippines - My Online Web Journey
  17. This Week In SEO - 7/6/07 - TheVanBlog
  18. Wordpress Plugins Directory | Junyor & Company
  19. Is Your Blog Secure? » The Beef Jerky Blog
  20. Wordpress forgets to add blank index files in some folders. Add them to make your site more secure.
  21. Devil Works :: Wordpress Security Warning
  22. Exploited Wordpress Plugins Directory » Sha Money Maker dot com
  23. Shoemoney talks about Protecting the Plugins directory of Wordpress

Comments

  1. usedwatchesreview

    Some very interesting and insightful thoughts. I like this.

  2. Real Cash Gifting

    AWESOME share, thanks!

  3. Emil Nasarenko

    I need help. I am trying to install some plugins for my WP site. Everything tells me to upload to my wp-contents/plugins folder. I have found this, but how do I upload to it? I am not as computer literate as I would like to be, so please consider me a dummy.
    Emil

  4. Trevor McNotDonald

    Thanks for the heads-up on this, Shoe, much appreciated.

  5. Modern Worker

    Yikes, I just found this post and am gonna be getting all over .htaccess ASAP. Security is something that needs to be better improved upon, I agree. Matt's reactions to things lately have been, well, odd.

  6. SEO Reloaded

    It is always a good idea to secure your Wordpress Blog Folder, just like it should be done for images folder. Many people don’t put an ‘Access Denied’ on their images and files folders which is not a good habit.

  7. Dennis Bjørn Petersen

    Thank you very much for bringing this up. As you mention this isn’t the biggest security risk, but you might as well close the small and easy ones.

  8. Joeychgo

    Very good advice — Very good.

  9. Paul.

    I enjoy little posts of code like this.

  10. Cheng-Hao Liang

    Yeah, I just installed WordPress. It is sweet as hell.

  11. Learn SEO

    Thanks, Shoemoney, now I have my site protected against directory browsing.

  12. Bill Hartzer

    No, you cannot download the plugins themselves from that person's install of WordPress. You can download or click on the file, but it will try to execute the PHP file instead. You can get hold of anything else, like readme files and other files that might be in the folders, though.

    I personally am not as concerned over the security risk as the fact that I personally want to stop people from knowing what plugins I have running. Some of them are helping me get more links and others are custom plugins. I just don’t want people knowing which plugins I’m running…you may not care.

  13. JerkyBeef

    Thanks, Shoemoney… I never thought to even look into that…

  14. eTown Landlord

    Thanks, AJ, for the insight.

  15. Travel Notebook

    I don't let anybody see into any folders on my servers. There is just no reason to allow it.

  16. website copywriter

    See, I didn’t know that. This is very interesting, thanks for the additional info!

  17. A.J.

    eTown, you would not necessarily be able to download the plugins themselves. If the server is configured correctly, it should try to execute the plugin as a stand-alone PHP file and would in most cases return an error. The biggest concern is that if a plugin is exploitable, Google gives those desiring to take advantage of it a list of sites that have that plugin in use. Think of it like putting yourself on a "hack me please" list.

  18. eTown Landlord

    I'm not a PHP person, but could you download the plugins from these open directories and install them on your own WordPress blog?

  19. eTown Landlord

    Rip off all kinds of content, from MP3s to ringtones to resale ebooks. It never ceases to amaze me what you can find when searching the open indexes. It's fun.

  20. The Dino

    I hope I have everywhere blank index pages…

  21. ritchie

    Actually, it’s all of them if you configure access via index-files.

  22. ritchie

    It's enough to know which files are there; it's best to put a redirecting (to homepage) index file into every directory you want to restrict access to.

  23. ritchie

    It tells you exactly which plugins are in use. BTW: I use this index file and redirect to my homepage; it resides within every folder I want to restrict access to:
    http://blog.datenschmutz.net/wp-admin/

  24. Ken Savage

    true but it’s good to just add a blank index file in there too.

  25. Ken Savage

    all the more reason you should have disabled public browsing of folders in your Apache setup.

  26. nick

    Yeah, those are some very valid points. I have heard about the possible security issues, but never knew exactly what they were.

  27. jim

    Good thought, thanks Shoe.

  28. TheHostHunter

    Yeah I have accounts where this was taken care of and others where it is not. Not a big deal for me as it’s something that I always check, but definitely one of those things I wish hosts would be smart enough and enable by default to make everyone’s life easier.

  29. Kn10

    This can be a security risk. It's not an "OMG PATCH UR SERVERS NOW!" risk. But it helps a potential hacker.

    How to try and hack a wordpress site in 3 simple steps:

    Step 1: Visit the plugins folder and view the plugins they are running.
    Step 2: Google for any exploits or try and compare old versions and new versions of security patches and see what they patched up for those particular plugins.
    Step 3: Attempt hack.

  30. CPA Affiliates

    great point but some cheap hosts have already taken care of this.

  31. Scot Smith

    Turns out MediaTemple is already on top of this. I didn’t realize but they deny access to any directory without an index page. Neat :) I don’t even have to edit my .htaccess.

  32. Scot Smith

    Good tip.
    Thanks for the reminder to index all of my directories.

  33. Bill Hartzer

    TheHostHunter, if you’re having issues like this then it sounds like you need to get another web host. There are web hosts out there that will take care of you, you just need to find one.

    In this case, though, WordPress could actually put default index files in certain directories…just for this reason.

  34. TheHostHunter

    I wish it was an industry standard for web hosts to make all new accounts come with forbidden public indexes. People can just see way too much when people forget or don’t even know about this “feature”.

  35. Bill Hartzer

    How To Buy Websites, it’s the /wp-content/plugins folder.

    Erik, it’s not just the security issue that you mention…I actually don’t want anyone to see which plugins I’m running because some of them have to do with getting more traffic to the site, including RSS-related plugins and links plugins, etc. etc.

  36. Eduardo Maio

    Are you running sitemaps for them to totally index your website or are you linking directly to your wp-content folder?

  37. How To Buy Websites

    Which directory exactly are you talking about? The plugins directory? or all of them?

  38. Jayson Williams

    Thanks for bringing this up, as I see what you are saying. They could come in through one of your plugins that has flaws and is new and hasn't had its bugs fixed. There are simple ways to prevent this, but many people do not do them for whatever reason.

  39. Erik

    I think what Shoe was saying if there is a plugin that turns out to have a security issue, you could use google to find sites that were using that plugin.

  40. Bill Hartzer

    Nick, there’s technically not a security issue when you leave your wordpress plugins open for everyone to see. I haven’t seen any cases yet of it being a security issue. But, a lot of people are really proud of which plugins they have installed, and some have a few custom plugins that are being used. Also, there’s an issue with revealing the plugins you’re using to help stop spam comments.

    Potentially, I could see someone figuring out which plugins you’re using to stop comment spam, for example, and using a script that gets around whatever you’re using to stop it.

  41. nick

    What’s a person (hacker) going to do if they saw the index of someone’s directory? I mean, you really can’t hack the files themselves… just curious.
