This is a expansion on marks article today on weblog tools collection:

Check this link See all the peoples wordpress directory’s that are open for public browsing? eek!

Why is this dangerous? Well when a exploit is found (its never if its always when) people can EASILY use Google to find who is running what plugin and exploit your server. Most of the plugins have not been gone over very well for security and I expect there are many out there that allow remote shell and various db exploits but just have not been uncovered yet.

Now who is at fault for this?

I blame #1 – you. You should have disabled public browsing of folders.

I blame #2 – WordPress. C’mon Matt just put a blank index.php file in the folder =P

I was first alerted about this by Bill Hartzer last month and I just simply made a blank index.php file in my WordPress directory.

BUT as you can see google has a really through index of my wordpress directorys (yes i failed rule #1)

So now

Here is how you disable it in .htaccess –

Options All -Indexes

Now this is not a major security flaw of wordpress or a huge security risk im not trying to make it sound like that… I just think a little work on your part(s) could potentially avoid a security issue.

By Jeremy Schoemaker

Jeremy "ShoeMoney" Schoemaker is the founder & CEO of ShoeMoney Media Group, and to date has sold 6 companies and done over 10 million in affiliate revenue. In 2013 Jeremy released his #1 International Best selling Autobiography titled "Nothing's Changed But My Change" - The ShoeMoney Story. You can read more about Jeremy on his wikipedia page here.

67 thoughts on “Watch Your WordPress Plugins Directory”
  1. What’s a person (hacker) going to do if they saw the index of someone’s directory? I mean, you really can’t hack the files themselves… just curious.

  2. Nick, there’s technically not a security issue when you leave your wordpress plugins open for everyone to see. I haven’t seen any cases yet of it being a security issue. But, a lot of people are really proud of which plugins they have installed, and some have a few custom plugins that are being used. Also, there’s an issue with revealing the plugins you’re using to help stop spam comments.

    Potentially, I could see someone figuring out which plugins you’re using to stop comment spam, for example, and using a script that gets around whatever you’re using to stop it.

  3. I think what Shoe was saying if there is a plugin that turns out to have a security issue, you could use google to find sites that were using that plugin.

  4. Thanks for bringing this up as I see what you are saying. They could come in through one of your plugins that has flaws and is new and hasnt had its bugs fixed. There are simple ways to prevent this but many people do not do them for whatever reason.

  5. Which directory exactly are you talking about? The plugins directory? or all of them?

  6. Are you running sitemaps for them to totally index your website or are you linking directly to your wp-content folder?

  7. […] at Shoemoney we read about an exploit in the plugins directory for WordPress. Why is this dangerous? Well when […]

  8. How To Buy Websites, it’s the /wp-content/plugins folder.

    Erik, it’s not just the security issue that you mention…I actually don’t want anyone to see which plugins I’m running because some of them have to do with getting more traffic to the site, including RSS-related plugins and links plugins, etc. etc.

  9. I wish it was an industry standard for web hosts to make all new accounts come with forbidden public indexes. People can just see way too much when people forget or don’t even know about this “feature”.

  10. TheHostHunter, if you’re having issues like this then it sounds like you need to get another web host. There are web hosts out there that will take care of you, you just need to find one.

    In this case, though, WordPress could actually put default index files in certain directories…just for this reason.

  11. Turns out MediaTemple is already on top of this. I didn’t realize but they deny access to any directory without an index page. Neat 🙂 I don’t even have to edit my .htaccess.

  12. […] found an important entry at ShoeMoney blog about ‘ Watch Your WordPress Plugins Directory‘. Do you know that your WordPress plugins directory is open to public […]

  13. This can be a security risk. Its not a “OMG PATCH UR SERVERS NOW!” risk. But it helps a potential hacker.

    How to try and hack a wordpress site in 3 simple steps:

    Step 1: Visit the plugins folder and view the plugins they are running.
    Step 2: Google for any exploits or try and compare old versions and new versions of security patches and see what they patched up for those particular plugins.
    Step 3: Attempt hack.

  14. Yeah I have accounts where this was taken care of and others where it is not. Not a big deal for me as it’s something that I always check, but definitely one of those things I wish hosts would be smart enough and enable by default to make everyone’s life easier.

  15. yea those are some very valid points. I have heard about the possible security issues, but never knew exactly what they were.

  16. all the more reason you should have disabled public browsing of folders in your Apache setup.

  17. It’s enough to know which files are there, it’s best to put a redirecting (to homepage) index file into every directory you wann restrict access to.

  18. […] Shoemoney has posted today about a potential security bug in WordPress. […]

  19. rip off all kinds of content from mp3 to ringtones to resale ebooks. it never ceases to amaze me what you can find when searching the open indexes. It’s fun.

  20. I’m not a php person but could you download the plugins from these open directories and install them on your own wordpress blog?

  21. eTown, you would not necessarily be able to download the plugins themselves. If the server is configured correctly, it should try to execute the plugin as a stand alone PHP file and would in most cases return an error. The biggest concern is that if a plugin is exploitable, Google gives those desiring to take advantage of it a list of sites that have that plugin in use. Think of it like putting yourself on a “hack me please” list.

  22. See, I didn’t know that. This is very interesting, thanks for the additional info!

  23. I dont let anybody see into any folders on my servers. There is just no reason to allow it.

  24. Wordpress forgets to add blank index files in some folders. Add them to make your site more secure. says:

    […] read a nice tip at ShoeMoney’s blog to improve the security of your WordPress […]

  25. […] first came across this information while visiting Shoemoney, and just so happened, like that, i learned something new. It is said that Google indexes WordPress […]

  26. […] over at ShoeMoneyâ„¢ posted on “eye opener” for me regarding public browsing of the WordPress plugins directory.  As you can see via Google, […]

  27. No, you cannot download the plugins themselves from that person’s install of WordPress. You can download or click on the file but it will try to execute the php file instead. You can get ahold of anything else like readme files and other files that might be in the folders, though.

    I personally am not as concerned over the security risk as the fact that I personally want to stop people from knowing what plugins I have running. Some of them are helping me get more links and others are custom plugins. I just don’t want people knowing which plugins I’m running…you may not care.

  28. Thanks shoemoney, now I have my site protected against directory browsing.

  29. […] Watch Your WordPress Plugins Directory […]

  30. Protect your wordpress Plugins directory | Paradise Philippines - My Online Web Journey says:

    […] Shoemoney has posted about a potential security bug in WordPress. Its an eye opener for me regarding public browsing of the WordPress plugins directory. If you have a standard WordPress install try to go to you will see a directory list of the files and not your actual web page. This can be a potential exploits if theres a security bug on your plugins installed. You can disable it in .htaccess File by adding this line of code […]

  31. Thank you very much for bringing this up. As you mention this isn’t the biggest security risk, but you might as well close the small and easy ones.

  32. […] If you’re using WordPress for your blog, there is one security issue mentioned in WeblogToolsCollection & ShoeMoney. […]

  33. It is always a good idea to secure your WordPress Blog Folder, just like it should be done for images folder. Many people don’t put an ‘Access Denied’ on their images and files folders which is not a good habit.

  34. Yikes, I just found this post and am gonna be getting all over htaccess asap. Security is something that needs to be better improved upon, I agree. Matt’s reactions to things lately have been, well, odd.

  35. […] Hat tip to Reuben Yau and Shoe. […]

  36. […] Hat tip to Reuben Yau and Shoe. […]

  37. […] Hat tip to Reuben Yau and Shoe. […]

  38. […] BoÅŸ bir wp-content/plugins/index.html dosyası hazırlayın […]

  39. […] BoÅŸ bir wp-content/plugins/index.html dosyası hazırlayın […]

  40. […] BoÅŸ bir wp-content/plugins/index.html dosyası hazırlayın […]

  41. I need help. I am trying to install some plugins for my wp site. everything tells me to upload to my wp-contents/plugins folder. I have found this but how do i upload to it. I am not a computer literate as i would like to be so please consider me as a dummy.

  42. 保护WordPress安装的三个小贴士 - Riks blog says:

    […] 有一些另外的附加提示更新: Reuben Yau and Shoe. […]

  43. How To Disable Directory Browsing On Your Wordpress Blog Easily | Make Money Online Philippines | says:

    […] Adding the lines above on your .htaccess file will disable directory browsing in all of your directories and sub-directories. They will see a 404 page instead. Got that line of code from the man with a big Adsense check. […]

  44. » Güvenli wordpress için Bunudamı duymadın? Araç Bilgisayar Bilim Donanım Fragmanlar Genel Komedi Magazin Müzik Mobil Oyunlar Son Dakika Spor Teknoloji Uzay Video Yazılım Ä°nternet Yeni teknolojiler Yeni telefonlar yeni haberl says:

    […] BoÅŸ bir wp-content/plugins/index.html dosyası hazırlayın […]

  45. Güvenli Wordpress İçin | Wordpress Dünyası | 2009 | @ Bir proje ödevi | HoÅŸgeldiniz… says:

    […] BoÅŸ bir wp-content/plugins/index.html dosyası hazırlayın […]

  46. […] Hat tip to Reuben Yau and Shoe. […]

  47. 保护WordPress安装的三个小贴士 - 章佳元博客-关注网络应用、电子商务、网站运营、网络编程的原创IT博客 says:

    […] 有一些另外的附加提示更新: Reuben Yau and Shoe. […]

  48. […] deleted it they {folks at WordPress} probably added this after Jeremy Schoemaker‘s post Watch Your WordPress Plugins Directory ealrier versions of wordpress didn’t have this empty index.php or index.html file, they added […]

Comments are closed.