The standard WordPress installation has a problem I consider a big security threat: by default, anyone can get a list of all the plugins installed on the system (and see their version).
I fixed this problem on my blog a few months ago when I discovered it, but two days ago I saw a page talking about this and tried this Google query.. it’s incredible to see how many blogs on the Web suffer from this issue.
The solution to this problem is rather simple: all you have to do to stop showing the world how to hack your site is put an empty file called index.html in the wp-content/plugins directory.
Looking at the SERPs, it’s not a surprise to see blogs such as FreeRangeLibrarian or Speed of Creativity, because they’re not technical blogs.. but it’s a BIG SURPRISE to see the Blog Herald listed in the first positions..

For those who don’t know it, the Blog Herald is a big network blog that publishes posts from many important bloggers, such as Chris Garrett and Lorelle VanFossen.
I thought about this a lot, and I concluded that listing the versions of the plugins installed on your system is a good idea and it improves security, don’t you think? Otherwise, why would a blog like that, which talks about blogging, security and so on all day.. make life easier for hackers?
(Irony, of course)
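As an added example (not code from the post or from WordPress), the following POSIX shell script audits a wp-content tree for directories that a server with indexing enabled would list, applies the fix described above (an empty index.html in each such directory), and checks whether an Apache .htaccess already carries the “Options -Indexes” directive that several commenters mention. It assumes the stock layout (wp-content/plugins, wp-content/themes, wp-content/uploads) and is run from the document root; the demo tree it builds is constructed sample data.

```shell
#!/bin/sh
# Added example, not the post's own code: find and seal directories under a
# WordPress wp-content tree that have no index file, and check an Apache
# .htaccess for "Options -Indexes". Paths assume the stock WordPress layout.

# Print every directory below $1 that has neither index.html nor index.php,
# one per line. These are the directories an "Index of /..." page exposes.
list_unprotected_dirs() {
    find "$1" -type d | while IFS= read -r d; do
        [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || printf '%s\n' "$d"
    done
}

# Number of such directories (0 when every directory is covered).
count_unprotected_dirs() {
    list_unprotected_dirs "$1" | awk 'END { print NR }'
}

# The post's fix: drop an empty index.html into each unprotected directory so
# the server serves a blank page instead of the listing.
seal_unprotected_dirs() {
    list_unprotected_dirs "$1" | while IFS= read -r d; do
        : > "$d/index.html"
    done
}

# The commenters' alternative: check whether an .htaccess (or an httpd.conf
# fragment) turns indexing off. Returns 0 if "Options ... -Indexes" is present,
# 1 if the file is missing or does not contain it.
indexes_disabled() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"
}

# Demo on a constructed tree in a temp directory (sample layout, not a real site).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins/sample-plugin" "$tmp/wp-content/themes/sample-theme"
    : > "$tmp/wp-content/plugins/sample-plugin/sample-plugin.php"
    : > "$tmp/wp-content/themes/sample-theme/index.php"   # themes ship an index.php already
    printf 'exposed before: %s\n' "$(count_unprotected_dirs "$tmp/wp-content")"
    seal_unprotected_dirs "$tmp/wp-content"
    printf 'exposed after:  %s\n' "$(count_unprotected_dirs "$tmp/wp-content")"
    rm -rf "$tmp"
}

demo
```

Running the audit on a live install only lists directories; nothing is written until seal_unprotected_dirs is called, so it can be used read-only first.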
Tags: Security, Wordpress, WordPress Security



May 16th, 2008 at 1:42 pm
You can even block the Directory Listing of your domain. So wherever there is no index.html, index.php or similar default page, users going to the page will be shown a ‘Directory Listing Denied’ page.
May 16th, 2008 at 1:47 pm
Hi Riyaz, thanks for your comment.
You’re right, there are many nice things one could do to keep the WP install secure, and they don’t take much time.. obviously, many people out there don’t even know about this feature. My big surprise, as stated in the post, was the Blog Herald listed in the SERPs.
May 16th, 2008 at 2:03 pm
I don’t use WordPress but this looks like they are making life easier for hackers… is this fixed in WordPress 2.0?
May 16th, 2008 at 2:16 pm
I should have said it in the post, but ..it’s not yet fixed!
I checked the latest version to see if it contained an empty index.html file in the plugins directory, but it doesn’t.
I’m sorry to say this, but one has to research and put quite a lot of effort in making WP a really secure install.
May 16th, 2008 at 10:03 pm
That is an excellent piece of security information. WP should have fixed that issue with the initial release.
May 17th, 2008 at 6:38 am
This has absolutely nothing to do with WordPress, but rather the server’s configuration. Blame your host.
Poorly configured servers leave the indexes wide open.
On any Apache system put this into your .htaccess file:
Options -Indexes
and then every single directory, WordPress or not, will be closed to public view.
May 17th, 2008 at 11:17 am
@_ck_: you can fix this issue in many ways, but putting a simple file that would fix many installs is so simple I can’t see why they don’t do it.
May 17th, 2008 at 11:42 am
This isn’t that big a deal, it just shows the PHP files - not necessarily the versions unless the scriptkiddies look up the date and match it with the closest version available at that date.
May 18th, 2008 at 1:31 pm
Deny the indexing via the robots.txt file and secure it via .htaccess.
May 19th, 2008 at 10:27 am
@milo: Hi milo, thanks for stopping by. Yes, this is the solution to the problem, but I just wanted to show how many people don’t implement any kind of protection to solve this problem!
@TVSpy Voyeur: you can even take a look at the code of the files! Too bad
May 19th, 2008 at 10:43 am
What’s really scary: a lot of “designer” sites are open this way, makes you wonder if their client sites share the same problem….
May 19th, 2008 at 10:51 am
@milo: You’re right.. in the list you can even find a website such as http://development.mit.edu/ !
May 25th, 2008 at 7:55 pm
One thing people seem to be forgetting is that even though Apache has a dominant market share, it is not the only web browser out there. So just throwing a line out like ‘yeah all you have to do is change your .htaccess file’ doesn’t always work. Also, instead of adding it to your .htaccess file, it should be in your .conf file. That way you can always override it in your .htaccess file but have it enabled by default.
WordPress should do like Joomla and just do the simple fix that works for most people: include an index.html file in every folder. Very easy fix that goes a long way towards secure environments.
May 26th, 2008 at 9:17 pm
@eTiger13: I share your opinion, this is something that should be done..
June 3rd, 2008 at 3:26 am
WOW! I just did the search, & got “Results 1 - 100 of about 768,000 for Index of /wp-content/plugins”. That’s a lot of naked plugin directories.
June 9th, 2008 at 12:57 am
Yes, it is amazing how your site can become vulnerable just by offering info you don’t need to. Like plugins or WordPress version.
Another simple option is to add it to the .htaccess file.
Just add “Options -Indexes”. This will disable directory browsing and do the same as index.html.
Regards.
Sherif
June 9th, 2008 at 9:35 am
@Sherif: thanks for your input, that’s handy
June 11th, 2008 at 10:55 pm
Wow, never knew that! Thanks for that info.
Joey - http://www.LeetWebmasters.com