Do Yourself A Favor: Stop Advertising Your Plugins To The Whole World

Commenting on my most recent post about the security issues I've had with one of my WordPress websites, Dane mentioned that keeping all your plugins up to date can help you reduce the risk of having your website compromised:

That is why it's so important that you stay on top of upgrades. And not just to WP itself, but to the plugins you are using. Plugins can be compromised and, if not updated, they leave security holes in your blog.

So I went ahead and did a major clean-up of the plugins I was using on this blog. But I also did something more. By default, with WordPress "out of the box", you are advertising to the entire world what plugins you are using on your website. Just put the following path into your browser and you will see what I am talking about: yourblog/wp-content/plugins/. If the web server has directory indexing switched on (Apache's Options +Indexes, which many shared hosts leave enabled), it answers that request with a generated listing of every plugin folder you have installed. This is very easily prevented by placing an empty "index.php" or "index.html" file in the "plugins" directory on your server: the server then serves that file instead of generating a listing. (If your host lets you edit .htaccess, the line Options -Indexes does the same for the whole site.) Or, if you want to have a little more fun, you can be creative with that file; here is mine.

Now, this of course will not make your WordPress super secure. The index file only stops the server from listing the directory: someone who already knows or guesses a plugin's name can still request its folder directly, and a plugin's own scripts and stylesheets usually show up in your pages' HTML source anyway. But it does stop you from handing a complete inventory to anyone who asks, and that will make things a little more difficult for someone trying to get into your blog by hacking one of the plugins.
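A quick way to check whether your own site still shows the listing, and to see what an attacker falls back to once it is gone. This is an added example, not code from the original post: the sample page bodies are constructed here to stand in for what curl would return, and the site URL and plugin slug used in the probes are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): detect an exposed directory
# listing and show the direct-path probes that still work without one.

# Return 0 (true) when a page body looks like an Apache or nginx
# auto-generated directory index, 1 otherwise.
looks_like_listing() {
  printf '%s' "$1" | grep -qiE '<title>Index of /|>Parent Directory<'
}

# Constructed sample bodies, standing in for what curl would return.
# 1) What a default Apache install returns for /wp-content/plugins/
SAMPLE_LISTING='<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1>
<a href="/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>
<a href="hello-dolly/">hello-dolly/</a></body></html>'
# 2) What you get back after dropping an empty index.php into the folder
SAMPLE_EMPTY=''
# 3) A "creative" index.php that bounces the visitor to the front page
SAMPLE_REDIRECT='<html><head><meta http-equiv="refresh" content="0;url=/"></head></html>'

# URLs an attacker requests once the listing is gone. Plugins from the
# WordPress.org directory ship a readme.txt (usually stating the version);
# if it returns 200, the plugin is installed whether or not the folder lists.
plugin_probe_urls() {
  site="$1"
  slug="$2"
  printf '%s/wp-content/plugins/%s/readme.txt\n' "$site" "$slug"
  printf '%s/wp-content/plugins/%s/\n' "$site" "$slug"
}

# Live check against a real site, only when SITE is set, e.g.
#   SITE=https://example.com sh check-listing.sh
if [ -n "${SITE:-}" ]; then
  body=$(curl -s "$SITE/wp-content/plugins/")
  if looks_like_listing "$body"; then
    echo "$SITE: plugin directory listing is exposed"
  else
    echo "$SITE: no listing; an attacker would fall back to probes such as:"
    plugin_probe_urls "$SITE" "akismet"
  fi
fi
```

Run it with SITE set to your own blog's URL to test the live page; without SITE it only defines the functions and the constructed samples. The probe list is the reason the index file is a small win rather than a fix: hiding the listing removes the free inventory, but a per-plugin request still answers the question for any plugin name the attacker cares to try.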

  • Hi Vlad,
    This is actually a very important precaution for many reasons and bears repeating. So, I stumbled you!

    I take care of the issue site-wide, and discussed how to hide plugins using .htaccess a while back.

    It's useful for security, keeping prying eyes out, etc.
  • Hmmm... seeing your index.php page, I think we clearly need to redirect people to the main page! :)
  • well maybe I am the only one who thinks that all the fun is here ;)

    I am glad you liked it. However, I think the .htaccess solution is much better. Believe it or not, I do have several web-hosting providers that won't let you touch .htaccess. Thanks for pointing me to your post!
  • Well... the fact is, everyone can't catch what's on everyone's blog. Besides, we don't all have the same audience.

    Some things do bear repeating, and protecting your plugins from view is one of them, and it's not exactly a topic that is rehashed. I thought of it when I stumbled across a site giving people advice on how to find porn in people's image directories! So, you can see how some people do need to be aware of the need to "hide" their directory listings.
  • Lucia,

    I think I have sent you the url for my home page to stumble instead of this post. :(
  • James Lawyers
    Hi Vlad,

    Great blog btw. sorry if this has been mentioned before, but what would you say are the most essential plugins for a blog?

    Cheers.
  • James,

    You really made me laugh. You do not mind if I moderate your comment a little. :)
  • That was hilarious. I'm looking to start my 1st WP blog and have been trying to absorb all the information I can. It's pretty amazing though that people actually "hack" your blog. There's got to be a better use of one's time, I would think.
  • Barry,

    There are many things that can make hacking much harder, but there will always be a jerk without something better to do out there.

    Welcome to this blog as well! :)
  • Good tip on placing an index file in the WordPress plugin folder. If you have cPanel, there is an Index Manager tool that will help you protect any folders without index files from wandering and curious eyes.

    In fact, if your server is not already set up by default to not show any files under a folder with no index file, you should look into setting that up. It's not foolproof, but it is better than openly broadcasting your files to the world.
  • Ian,

    I think Lucia's solution with the .htaccess file does the same thing you can do with Index Manager.

    Thanks for stopping by!
  • Yes, I think the .htaccess file option will perform the same function as Index Manager. Except IM requires no hand coding. When working with many folders, point and click while seeing the entire directory tree is invaluable.

    Now, having said that, I still think setting up your server to not show files within a folder without an index file is a good idea :)

    As an aside, I forgot to answer the math question and lost my answer. Do check out this math spam protection plugin that resolves the BACK button issue.
  • Sorry Ian,

    My math plugin does some strange things, I will look into it.

    I think it is good to have all options open. I have some web hosting plans that neither offer cPanel nor let you touch the .htaccess file, thus placing index files is the only thing that is left.
  • Hey Vlad, no need to apologize. Plugins don't always work the way we want them to. Actually, as more feedback, I was asked to enter another number after I answered the math question on my last post. Maybe another plugin is verifying that I am not a script since I posted more than 1 time today :)?

    But you are right. Sometimes, running a simple index file is the only way around the situation.
  • It may be Spam Karma, but I am surprised it does that. I will probably just get rid of the math plugin; this is one time too many that it has caused problems.
  • Yes, my SK2 also did that. If it's SK2's blacklist protection, then under Manage >> Spam Karma 2 >> General Settings, there is something called the snowball effect. I find the default settings to be a bit low. I suggest increasing the X's:

    - On an average you check new comments every X days.
    - Trigger when somebody posts more than X comments over the above time-period.

    Good luck.
  • Lea
    I think Lucia is suggesting a good solution :)
    But tell me - did you type 'webstie' by accident or on purpose?
    I think you've just created a new way to describe one's website :)
  • Lea,

    lol no that was not done on purpose, just one of those dyslexic moments :)
  • Lea
    Darn, and I thought you were being clever :)
  • I'm not sure how much value this will specifically bring to your security. Most attackers aren't going to bother checking to see if you have a compromised plugin installed. They simply amass domain listings of WP installs and use robots to launch the attack against each blog on the list.

    That said, I can think of other good reasons to do this anyways, and not only in the plugins folder, but every folder that does not have an explicit index.php file already in it (root & admin).

    Also, as I like to say, site security is a lot like car alarms. Nothing you do that leaves your site usable can totally prevent someone who really wants in from getting in. But there are lots of little things you can do to make it easier to just hit someone else.

    @ lucia. Back when I did porn I actually created fake Apache directory list pages. All of the listed images were of course links to rev share programs. ;)
  • I'm embarrassed to discover that I had no protection! I have in the past had problems with hackers, and I thought I had my blogs locked down enough. It's clear that I don't!

    I tried the Index Manager solution that one of the commenters mentioned, and it's easy and it works. I don't like any of my directories to be open and viewable.

    Thanks for publishing this!