Hello bloggers, as you may know WordPress 2.6 was released some days ago, with some exciting features which you can see in this video.
However, if you upgraded your WordPress, you need to know about a security hole in this awesome platform (I think this bug is in the past versions too). So check this out to learn how to protect your blog from hackers!
The plugins’ directory is not safe! If you search in Google for the index of the path where WordPress stores the plugins, it will give you thousands of websites as results, whose plugin folders anyone can browse and inspect, because the web server shows a directory listing instead of a page. Practically, if you want, you could steal information, paid plugins or even steal a blog…
As you can see, your blog is not safe. How can you fix this issue? That’s simple!
You need to create a file called index.html and upload it to the Plugins’ folder yourblog/wp-content/plugins/. So, when someone tries to load that location, the browser will load the index file instead of a directory listing and that person will get nothing important.
In the .html file you can write a message linking to your blog. Also, you could redirect that page to your blog… However, it doesn’t matter; the important thing is that your folder will be safe now.
Check my html file here. You can get a similar one by copying the following code into an HTML file:
<html>
<head><meta http-equiv="Refresh" content="3; URL=YOUR-BLOG-HERE"></head>
<body>
<p align="center" style="margin-bottom: 0in"><font size="6">YOUR-MESSAGE-HERE</font></p>
<br/>
<p align="center" style="margin-bottom: 0in"><img src="YOUR-IMAGE-URL-HERE"/></p>
</body>
</html>
Take care!
Hi! My name is Javier but everybody calls me Javo. I am a part-time blogger and I'm specialized in Blogging and Internet Marketing tips. Here you can find tips to make money online ...
Good post MrJavo. I've known about this pretty much since I started blogging.
Whenever they try and see my plugins they are greeted with the following message.
"Looking for my plugins though not showing you"
David Hobson's last blog post..Blog Updates and News
Hehe nice one David, but as I saw, there are many people who don’t know about this. I checked some blogs through Google and I could explore their folders.
This is how all directory folders work whether it’s WordPress or not; if you have a folder that you don’t want prying eyes looking at, throw in a simple index.html file.
Geoserv's last blog post..Show us your SezWho/Entrecard blog for 1000 Entrecard credits
Better still, turn off the option in Apache to display folder indexes. If you don’t have control over apache, you should always put an index.htm/html/php/etc file in any folder unless you want people to be able to browse it. Frankly, I’d think that the WordPress dev team would have included an index.htm in all directories with the install.
Hey Joe, nice idea about the Apache! And yes, I also think that WordPress should include an index to protect your folders…
Thanks for the tip!
dcr's last blog post..Why Don’t You Want Me to Comment on Your Blog?
Like Joe Tech said, turn indexing off on Apache. If you have cPanel, you can click “Index Manager -> Public_HTML -> Choose No Indexing” and click save. This will add some code to your .htaccess file.
To add the code manually, just add the following in your .htaccess file in the root of your website:
Options All -Indexes
This will prevent prying eyes from seeing into any of your folders. This should be default on any of your websites unless you prefer others to view your folders and files.
Otherwise, you can add an index.html file in all your folders (as already suggested). Many other scripts already include one in all of their folders for you. WordPress is one of only a few of the popular scripts that don’t. Most do… at least the ones I’ve used.
CallieJo's last blog post..Finally a BIGGER Wacom!
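The two fixes discussed on this page, the post's placeholder index.html in every folder and CallieJo's Options -Indexes line in .htaccess, applied together by one script. This is an added example, not code from the original post, its comments or WordPress; it assumes a POSIX shell, an Apache server that honours .htaccess files (AllowOverride Options or All), index.html being in Apache's DirectoryIndex (the default), and the directory names it is run against are whatever your install has (the ones in the comments are illustrative).

```shell
#!/bin/sh
# Added example, not from the original post or its comments. It layers the two
# mitigations discussed here: "Options -Indexes" in the site's .htaccess, plus
# a placeholder index.html in every directory under wp-content that has none,
# so a directory URL never returns a listing even where .htaccess is ignored.
# Assumptions: POSIX sh; Apache with AllowOverride Options (or All); index.html
# present in DirectoryIndex (Apache's default).

# Return 0 if the directory already has an index file the server would serve.
has_index() {
    for name in index.html index.htm index.php; do
        if [ -e "$1/$name" ]; then
            return 0
        fi
    done
    return 1
}

# Write a placeholder index.html into $1 unless an index file already exists.
# Prints "created" or "skipped".
add_placeholder_index() {
    if has_index "$1"; then
        echo "skipped"
        return 0
    fi
    cat > "$1/index.html" <<'EOF'
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Nothing to see here</title></head>
<body><p>Directory listing is disabled.</p></body></html>
EOF
    echo "created"
}

# Walk every directory below $1 (the root included) and add placeholders.
# Prints how many files were created; 0 on a second run (idempotent).
protect_tree() {
    find "$1" -type d -print | while IFS= read -r dir; do
        add_placeholder_index "$dir"
    done | grep -c '^created$' || true
}

# Return 0 if the .htaccess at $1 already has an Options line that removes
# Indexes (matches both "Options -Indexes" and the "Options All -Indexes" form).
indexes_disabled() {
    [ -f "$1" ] && grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"
}

# Append "Options -Indexes" to the .htaccess at $1 unless already present.
# Prints "added" or "present". The bare "-Indexes" form is used because the
# Apache documentation says an Options line must not mix prefixed (+/-)
# keywords with unprefixed ones such as "All".
ensure_no_indexes() {
    if indexes_disabled "$1"; then
        echo "present"
    else
        printf 'Options -Indexes\n' >> "$1"
        echo "added"
    fi
}

# Stand-alone use: sh protect.sh /path/to/your/wordpress
if [ $# -eq 1 ]; then
    echo ".htaccess: $(ensure_no_indexes "$1/.htaccess")"
    echo "placeholders created: $(protect_tree "$1/wp-content")"
fi
```

The .htaccess directive protects the whole tree in one place, as Rhys notes, but only on Apache and only where the host allows overrides; the placeholder files work on any server but must be re-run whenever a new plugin or theme adds a directory, which is why the script is safe to run repeatedly. Run it against a copy first, then check a plugin folder URL in your browser to confirm you get the placeholder rather than a listing.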
Thanks for the heads up on this!
Interesting to know, but even if this issue gets fixed the next will come along and cause issues once again!
I guess this is the world of Open Source and Free Software in which we live!
bbrian017's last blog post..Wordpress 2.6 RC1 is now available for download
Hey CallieJo, great advice, thanks for contributing on this!
Hey good one Mr Javo!
As CallieJo says, putting Options All -Indexes in the .htaccess is a simple solution. I like it because if you do this in the root directory you have protected your whole site, and all folders are protected, even if you missed an index file somewhere.
Rhys's last blog post..Now You Can Have a Top Money Making Blog
You are a diamond
I created two index.html files and dumped them in wp-content and wp-content/plugins folders.
I cannot believe how vulnerable I’ve been.
Are there any other major flaws we WordPressers should be on the lookout for?
Once again thank you soooo much for the blog-saving tip
Sol
SolReka's last blog post..Global Economy and the True Cost of Humanity
Just restrict access by a robots txt file and secure it by a .htaccess rule…
Yes, this is one of the ways to secure your WordPress blog. There are a few more ways, which you can check out on my blog.
or an easy way
RewriteEngine On
Options All -Indexes
Good Post
Thanks
Good post Mr Javo.
I have been using this index file for a long time.
Great post, it looks like we started doing this a while ago, but thanks for keeping people informed.
Matt Ellsworth's last blog post..365 Reasons Why I Love You - Tell Someone How Much They Mean To You
You should also block your plugin directory in robots.txt so search engines don’t spider your plugins.
/Andreas
Andreas from Xavier Media's last blog post..Would you like to write for us?
You’re welcome Mr. Javo
Some people don’t have to worry if their host or their server is already set up with indexing off.
You can email your host or set up your server to turn indexing off for all websites hosted on your server.
If you manage your own server you can try to put an .htaccess file with this in the server’s /home directory:
Options All -Indexes
CallieJo's last blog post..Finally a BIGGER Wacom!
Thanks a lot for sharing this.
I didn’t know of this hole in WordPress.
I’ve now uploaded a nice squeeze page as an index.html.
Daniel
Automated List Builder's last blog post..Automated List Builder Is Live
Thanks Javo for pointing this out and thanks CallieJo for the .htaccess advice. It is working for me!
O.Messaoud's last blog post..You subscribe, I follow
Not only in the plugins folder; you can also put the html file inside directories you don’t want people to see.
I posted an additional security checklist a while ago. Check’em out!
Nice post mr.Javo. May I translate this post to my native language on my blog? With a backlink, of course.
F's last blog post..mengetahui rank blog dengan rankwidget.com