This is an expansion on Mark's article today on Weblog Tools Collection:
Check this link. See all the people's WordPress directories that are open for public browsing? Eek!
Why is this dangerous? Well, when an exploit is found (it's never if, it's always when) people can EASILY use Google to find who is running what plugin and exploit your server. Most of the plugins have not been gone over very well for security, and I expect there are many out there that allow remote shell access and various DB exploits but just have not been uncovered yet.
Now who is at fault for this?
I blame #1 – you. You should have disabled public browsing of folders.
I blame #2 – WordPress. C’mon Matt just put a blank index.php file in the folder =P
I was first alerted about this by Bill Hartzer last month and I just simply made a blank index.php file in my WordPress directory.
BUT as you can see, Google has a really thorough index of my WordPress directories (yes, I failed rule #1).
So now, here is how you disable it in .htaccess –
Options All -Indexes
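As an added example (not code from the original post), here is a POSIX shell script that applies both of the fixes above to a local WordPress tree: it drops a blank index.php into every directory that has no index file and makes sure .htaccess carries Options -Indexes. The directory names in the demo are constructed; the .htaccess line only takes effect where the host's Apache config allows overrides (AllowOverride Options), which is why the blank index files are worth having as well.

```shell
#!/bin/sh
# Added example, not code from the original post. Two belt-and-braces fixes
# for directory listing in a WordPress tree:
#  - drop a blank index.php into every directory lacking an index file, so
#    Apache has something to serve instead of a listing;
#  - make sure .htaccess carries "Options -Indexes".
# The .htaccess directive only works where the server config allows it
# (AllowOverride Options); the index.php stubs work regardless.

# Print every directory under $1 that has neither index.php nor index.html.
list_unprotected() {
    find "$1" -type d | while IFS= read -r d; do
        [ -e "$d/index.php" ] || [ -e "$d/index.html" ] || printf '%s\n' "$d"
    done
}

# Count of unprotected directories under $1 (0 means fully covered).
count_unprotected() {
    list_unprotected "$1" | wc -l | tr -d ' '
}

# Write a stub index.php into each unprotected directory under $1.
add_blank_indexes() {
    list_unprotected "$1" | while IFS= read -r d; do
        # Same stub WordPress itself ships in its own blank index files.
        printf '<?php\n// Silence is golden.\n' > "$d/index.php"
    done
}

# Append "Options -Indexes" to the .htaccess at $1 unless already present.
ensure_no_indexes() {
    if ! grep -qE '^[[:space:]]*Options .*-Indexes' "$1" 2>/dev/null; then
        printf 'Options -Indexes\n' >> "$1"
    fi
}

# Demo on a constructed throwaway tree (directory names are made up).
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/example-plugin" "$root/wp-content/uploads"
    printf '<?php\n' > "$root/wp-content/plugins/example-plugin/index.php"
    echo "before: $(count_unprotected "$root") unprotected directories"
    add_blank_indexes "$root"
    ensure_no_indexes "$root/.htaccess"
    echo "after:  $(count_unprotected "$root") unprotected directories"
    rm -rf "$root"
}

demo
```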
Now, this is not a major security flaw of WordPress or a huge security risk, I'm not trying to make it sound like that… I just think a little work on your part(s) could potentially avoid a security issue.
What’s a person (hacker) going to do if they saw the index of someone’s directory? I mean, you really can’t hack the files themselves… just curious.
Nick, there’s technically not a security issue when you leave your WordPress plugins open for everyone to see. I haven’t seen any cases yet of it being a security issue. But, a lot of people are really proud of which plugins they have installed, and some have a few custom plugins that are being used. Also, there’s an issue with revealing the plugins you’re using to help stop spam comments.
Potentially, I could see someone figuring out which plugins you’re using to stop comment spam, for example, and using a script that gets around whatever you’re using to stop it.
I think what Shoe was saying is that if there is a plugin that turns out to have a security issue, you could use Google to find sites that were using that plugin.
Thanks for bringing this up as I see what you are saying. They could come in through one of your plugins that has flaws and is new and hasn’t had its bugs fixed. There are simple ways to prevent this but many people do not do them for whatever reason.
Which directory exactly are you talking about? The plugins directory? or all of them?
Are you running sitemaps for them to totally index your website or are you linking directly to your wp-content folder?
[…] at Shoemoney we read about an exploit in the plugins directory for WordPress. Why is this dangerous? Well when […]
How To Buy Websites, it’s the /wp-content/plugins folder.
Erik, it’s not just the security issue that you mention…I actually don’t want anyone to see which plugins I’m running because some of them have to do with getting more traffic to the site, including RSS-related plugins and links plugins, etc. etc.
I wish it was an industry standard for web hosts to make all new accounts come with forbidden public indexes. People can just see way too much when people forget or don’t even know about this “feature”.
TheHostHunter, if you’re having issues like this then it sounds like you need to get another web host. There are web hosts out there that will take care of you, you just need to find one.
In this case, though, WordPress could actually put default index files in certain directories…just for this reason.
Good tip.
Thanks for the reminder to index all of my directories.
Turns out MediaTemple is already on top of this. I didn’t realize but they deny access to any directory without an index page. Neat 🙂 I don’t even have to edit my .htaccess.
Great point, but some cheap hosts have already taken care of this.
[…] found an important entry at ShoeMoney blog about ‘Watch Your WordPress Plugins Directory’. Do you know that your WordPress plugins directory is open to public […]
This can be a security risk. It’s not a “OMG PATCH UR SERVERS NOW!” risk. But it helps a potential hacker.
How to try and hack a WordPress site in 3 simple steps:
Step 1: Visit the plugins folder and view the plugins they are running.
Step 2: Google for any exploits or try and compare old versions and new versions of security patches and see what they patched up for those particular plugins.
Step 3: Attempt hack.
Yeah I have accounts where this was taken care of and others where it is not. Not a big deal for me as it’s something that I always check, but definitely one of those things I wish hosts would be smart enough and enable by default to make everyone’s life easier.
Good thought, thanks Shoe.
Yeah, those are some very valid points. I have heard about the possible security issues, but never knew exactly what they were.
All the more reason you should have disabled public browsing of folders in your Apache setup.
True, but it’s good to just add a blank index file in there too.
It tells you exactly which plugins are in use. BTW: I use this index file and redirect to my hp; it resides within every folder I want to restrict access to:
http://blog.datenschmutz.net/wp-admin/
It’s enough to know which files are there, it’s best to put a redirecting (to homepage) index file into every directory you want to restrict access to.
Actually, it’s all of them if you configure access via index-files.
[…] Shoemoney has posted today about a potential security bug in WordPress. […]
I hope I have blank index pages everywhere…
rip off all kinds of content from mp3 to ringtones to resale ebooks. it never ceases to amaze me what you can find when searching the open indexes. It’s fun.
I’m not a PHP person, but could you download the plugins from these open directories and install them on your own WordPress blog?
eTown, you would not necessarily be able to download the plugins themselves. If the server is configured correctly, it should try to execute the plugin as a stand alone PHP file and would in most cases return an error. The biggest concern is that if a plugin is exploitable, Google gives those desiring to take advantage of it a list of sites that have that plugin in use. Think of it like putting yourself on a “hack me please” list.
See, I didn’t know that. This is very interesting, thanks for the additional info!
I don’t let anybody see into any folders on my servers. There is just no reason to allow it.
[…] read a nice tip at ShoeMoney’s blog to improve the security of your WordPress […]
Thanks, AJ, for the insight.
Thanks, ShoeMoney… I never thought to even look into that…
[…] first came across this information while visiting Shoemoney, and just so happened, like that, I learned something new. It is said that Google indexes WordPress […]
[…] over at ShoeMoney™ posted an “eye opener” for me regarding public browsing of the WordPress plugins directory. As you can see via Google, […]
No, you cannot download the plugins themselves from that person’s install of WordPress. You can download or click on the file but it will try to execute the php file instead. You can get ahold of anything else like readme files and other files that might be in the folders, though.
I personally am not as concerned over the security risk as the fact that I personally want to stop people from knowing what plugins I have running. Some of them are helping me get more links and others are custom plugins. I just don’t want people knowing which plugins I’m running…you may not care.
Thanks, ShoeMoney, now I have my site protected against directory browsing.
Yeah, I just installed WordPress, it is sweet as hell.
I enjoy little posts of code like this.
[…] Watch Your WordPress Plugins Directory […]
Very good advice — Very good.
[…] Shoemoney has posted about a potential security bug in WordPress. It’s an eye opener for me regarding public browsing of the WordPress plugins directory. If you have a standard WordPress install, try to go to http://YOURDOMAINNAME.com/wp-content/plugins and you will see a directory list of the files and not your actual web page. This can be a potential exploit if there’s a security bug in your installed plugins. You can disable it in the .htaccess file by adding this line of code […]
Thank you very much for bringing this up. As you mention this isn’t the biggest security risk, but you might as well close the small and easy ones.
[…] If you’re using WordPress for your blog, there is one security issue mentioned in WeblogToolsCollection & ShoeMoney. […]
It is always a good idea to secure your WordPress blog folder, just like it should be done for the images folder. Many people don’t put an ‘Access Denied’ on their images and files folders, which is not a good habit.
Yikes, I just found this post and am gonna be getting all over htaccess asap. Security is something that needs to be better improved upon, I agree. Matt’s reactions to things lately have been, well, odd.
Thanks for the heads-up on this, Shoe, much appreciated.
[…] If you are running WordPress go to http://www.yourdomain.com/wp-content/plugins. If you see a directory listing of all your installed plugins you may want to follow the steps described by Shoemoney here. […]
[…] Hat tip to Reuben Yau and Shoe. […]
[…] Prepare an empty wp-content/plugins/index.html file […]
I need help. I am trying to install some plugins for my WP site. Everything tells me to upload to my wp-contents/plugins folder. I have found this but how do I upload to it. I am not as computer literate as I would like to be, so please consider me as a dummy.
Emil
[…] Some additional tips have been updated: Reuben Yau and Shoe. […]
AWESOME share, thanks!
[…] Adding the lines above on your .htaccess file will disable directory browsing in all of your directories and sub-directories. They will see a 404 page instead. Got that line of code from the man with a big Adsense check. […]
Some very interesting and insightful thoughts. I like this.
[…] deleted it they {folks at WordPress} probably added this after Jeremy Schoemaker‘s post Watch Your WordPress Plugins Directory; earlier versions of WordPress didn’t have this empty index.php or index.html file, they added […]