Commenting on my most recent post about security issues I’ve had with one of my WordPress websites, Dane mentioned that keeping all your plugins up to date can help you reduce the risk of having your website compromised:
That is why it’s so important that you stay on top of upgrades. And not just to WP itself, but to the plugins you are using. Plugins can be compromised and, if not updated, they leave security holes in your blog.
So I went ahead and did a major clean up of the plugins I was using on this blog. But I also did something more. By default, with WordPress “out of the box”, you are advertising to the entire world which plugins you are using on your website: just put the following path into your browser and you will see what I am talking about: yourblog/wp-content/plugins/. This can be very easily prevented by placing an empty “index.php” or “index.html” file into the “plugins” directory on your server. Or, if you want to have a little more fun, you can be creative with that file; here is mine.
Now this of course may not make your WordPress super secure, but if you stop advertising your plugins to the whole world it will for sure make things a little more difficult for someone to get into your blog by hacking one of the plugins.
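As an added example that is not part of the original post, here is a small POSIX shell script that lists the directories under a WordPress webroot with no index file (the ones a server with directory listing enabled would expose), drops the placeholder index.php that WordPress itself ships into them, and checks whether a .htaccess turns listings off with Options -Indexes. The webroot paths are assumptions; point the functions at your real installation.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Finds directories under a WordPress webroot that lack an index file and
# would therefore be listed by a server with autoindex enabled.

# Print every directory at or below $1 that has no index.php or index.html.
unprotected_dirs() {
  find "$1" -type d | while IFS= read -r d; do
    if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
      printf '%s\n' "$d"
    fi
  done
}

# Drop the placeholder index.php WordPress uses ("Silence is golden.") into
# every unprotected directory below $1; print how many files were created.
add_index_files() {
  unprotected_dirs "$1" | {
    n=0
    while IFS= read -r d; do
      printf '<?php\n// Silence is golden.\n' > "$d/index.php"
      n=$((n + 1))
    done
    echo "$n"
  }
}

# Succeed only if $1/.htaccess contains an Options line with -Indexes,
# i.e. Apache is told not to generate listings for that tree.
htaccess_disables_indexes() {
  [ -f "$1/.htaccess" ] &&
    grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess"
}

# Example run against a webroot path (assumed; adjust to your server):
# unprotected_dirs /var/www/html/wp-content
# add_index_files  /var/www/html/wp-content
# htaccess_disables_indexes /var/www/html && echo "listings disabled"
```

Hiding the listing does not remove the plugin files themselves, so this complements keeping plugins updated rather than replacing it.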
Good tip on placing an index file in the WordPress plugin folder. If you have cPanel, there is an Index Manager tool that will help you protect any folders without index files from wandering & curious eyes.
In fact, if your server is not already set up by default to not show any files under a folder with no index file, you should look into setting that up. It’s not foolproof, but it is better than openly broadcasting your files to the world.
Yes, I think the .htaccess file option will perform the same function as Index Manager. Except IM requires no hand coding. When working with many folders, point and click while seeing the entire directory tree is invaluable.
Now having said that, I still think setting up your server to not show files within a folder without an index file is a good idea :)
As an aside, I forgot to answer the math question and lost my answer. Do check out this math spam protection plugin that resolves the BACK button issue.
Ian,
I think Lucia’s solution with the .htaccess file does the same as what you can do with Index Manager.
Thanks for stopping by!
Sorry Ian,
My math plugin does some strange things; I will look into it.
I think it is good to have all options open. I have some web hosting plans that neither offer cPanel nor let you touch the .htaccess file, so placing index files is the only thing that is left.
Hey Vlad, no need to apologize. Plugins don't always work the way we want them to. Actually, as more feedback, I was asked to enter another number after I answered the math question on my last post. Maybe another plugin is verifying that I am not a script since I posted more than 1 time today :)?
But you are right. Sometimes, running a simple index file is the only way around the situation.
It may be Spam Karma, but I am surprised it does it. I will probably just get rid of the math plugin; this is one time too many that it has caused problems.
Yes, my SK2 also did that. If it's SK2's blacklist protection, then under Manage >> Spam Karma 2 >> General Settings, there is something called the snowball effect. I find the default settings to be a bit low. I suggest increasing the X's:
– On average you check new comments every X days.
– Trigger when somebody posts more than X comments over the above time-period.
Good luck.
I think Lucia is suggesting a good solution :)
But tell me – did you type 'webstie' by accident or on purpose?
I think you've just created a new way to describe one's website :)
Lea,
lol no that was not done on purpose, just one of those dyslexic moments :)
Darn, and I thought you were being clever :)
I'm not sure how much value this will specifically bring to your security. Most attackers aren't going to bother checking to see if you have a compromised plugin installed. They simply amass domain listings of WP installs and use robots to launch the attack against each blog on the list.
That said, I can think of other good reasons to do this anyways, and not only in the plugins folder, but every folder that does not have an explicit index.php file already in it (root & admin).
Also, as I like to say, site security is a lot like car alarms. Nothing you do that leaves your site usable can totally prevent someone who really wants in from getting in. But there are lots of little things you can do to make it easier to just hit someone else.
@ lucia. Back when I did porn I actually created fake Apache directory list pages. All of the listed images were of course links to rev share programs. :)