
Holy Plugins Batman!

44 responses | July 3rd, 2007 | in Blogging, WordPress, WordPress Plugins

Index of /wp-content/plugins – Google Search: I am not sure what to make of this search, but not only are there a lot of self-hosted WordPress blogs, too many of them allow their plugin folder to be indexed. I performed this search because I noticed a crawler on a couple of my blogs that was indexing my plugins, and that alarmed me a little. I do not allow my plugin folder to be indexed since I consider that too risky. The homepage of the crawler lists various plugins and their prevalence in the WordPress blogosphere. I imagine the crawler browses the plugins folder of each new blog it discovers and, if that folder can be browsed, requests the various plugin PHP files it is aware of, looking for 404s and empty strings. I stop short of suggesting that everyone protect their plugins folder, because if the plugins are written correctly and your server is configured correctly, there should be nothing to worry about. However, since I write or hack most of my own plugins and I am my own worst critic, I choose to protect that folder.

[EDIT] There have been lots of questions on how to protect the plugins folder and here are a few quick and simple answers.

  • Add the following to the .htaccess file in your WordPress directory:

    Options All -Indexes

  • Create a new file, call it index.php, leave it completely empty and upload it to your wp-content/plugins directory. [EDIT] It appears that a blank index.php might cause some trouble with the dashboard. You can use a blank index.html instead or opt for the .htaccess solution above.
  • Make sure warning and error reporting are set to log only, not display. There are many tutorials available on the web that show how to do this properly. If you are on a shared server, ask your host to turn display off if they have not done so already. I am guilty of leaving this turned on because I use this server for debugging at times and I get lazy. This is good security practice for all servers. I love how this option cannot be modified with ini_set on cPanel based servers.
  • Refrain from going overboard and restricting/protecting everything. You might end up making your blog invisible to search engines and such.
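
As an added example (not code from the post), here is a small Python audit that checks a WordPress tree for the points above: the -Indexes directive in .htaccess, missing index files in the plugins, themes and wp-includes directories (the three the thread singles out), and the blank index.php the edit warns about. The tree is an in-memory map of relative path to content so it runs offline; load_tree() reads the same files from a real install, and the sample sites are constructed.

```python
import os
import re

# Directories the post and thread single out for locking down (WordPress-relative).
SENSITIVE_DIRS = ("wp-content/plugins", "wp-content/themes", "wp-includes")

# Apache directive that turns autoindex off: "Options All -Indexes" or
# "Options -Indexes". Commented-out lines (leading '#') do not match.
NO_INDEX_RE = re.compile(r"^\s*Options\b.*\s-Indexes\b", re.I | re.M)


def audit(tree):
    """Audit a {relative_path: content} map rooted at the WordPress directory.

    Reports whether .htaccess disables indexes, which sensitive directories
    would still list their contents, and where a blank index.php (reported in
    the post to upset the dashboard) stands in for a blank index.html.
    """
    disabled = bool(NO_INDEX_RE.search(tree.get(".htaccess", "")))
    report = {"indexes_disabled": disabled, "listable": [], "blank_index_php": []}
    for d in SENSITIVE_DIRS:
        php, html = f"{d}/index.php", f"{d}/index.html"
        if php in tree and tree[php].strip() == "":
            report["blank_index_php"].append(d)
        # With autoindex on, a directory lists unless an index file answers first.
        if not disabled and php not in tree and html not in tree:
            report["listable"].append(d)
    return report


def load_tree(root):
    """Read only the files audit() inspects from a real install on disk."""
    wanted = [".htaccess"] + [f"{d}/{n}" for d in SENSITIVE_DIRS
                               for n in ("index.php", "index.html")]
    tree = {}
    for rel in wanted:
        full = os.path.join(root, *rel.split("/"))
        if os.path.isfile(full):
            with open(full, errors="replace") as fh:
                tree[rel] = fh.read()
    return tree


# Constructed sample: no -Indexes directive, a blank index.php in plugins, and
# nothing guarding themes or wp-includes.
SAMPLE_SITE = {".htaccess": "RewriteEngine On\n",
               "wp-content/plugins/index.php": "",
               "wp-content/plugins/example-plugin/example-plugin.php": "<?php\n"}
# The same site after following the post's advice.
FIXED_SITE = {".htaccess": "Options All -Indexes\n",
              "wp-content/plugins/index.html": ""}
```

Running audit(load_tree("/path/to/wordpress")) on a real install gives the same report shape as the constructed samples.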

A couple of people have also asked why this could be bad. My primary reason is that I do not like to air my (dirty) laundry. I would like to stay away from discussing this too much further. If you need clarifications or are concerned for a particular reason or another, please contact me and I will explain further.

44 Responses

Comments

  1. Geof F. Morris (13 comments.) says:

    How do you protect your /wp-content/plugins, Mark? .htaccess or an index.php file?

  2. GaMerZ (1 comments.) says:

    Time for the default zip file to include an .htaccess file that will prevent bots from crawling the plugin folder.

  3. adam (39 comments.) says:

    You need to disable automatic indexing in your host’s control panel, or restrict the directory using .htaccess, or both. WordPress can’t do it for you. The scanning was probably coming from this: http://blogsecurity.net/wordpress/article-300606/

  4. Baris Unver (17 comments.) says:

    I use the robots.txt file, with the instructions of Turkhitbox:
    http://www.turkhitbox.com/word.....press.html

    User-agent: Googlebot
    Disallow: /wp-content/
    Disallow: /trackback/
    Disallow: /wp-admin/
    Disallow: /feed/
    Disallow: /archives/
    Disallow: /sitemap.xml
    Disallow: /index.php
    Disallow: /*?
    Disallow: /*.php$
    Disallow: /*.js$
    Disallow: /*.inc$
    Disallow: /*.css$
    Disallow: */feed/
    Disallow: */trackback/
    Disallow: /page/
    Disallow: /tag/
    Disallow: /category/

    User-agent: Googlebot-Image
    Disallow: /wp-includes/

    User-agent: Mediapartners-Google*
    Disallow:

    User-agent: ia_archiver
    Disallow: /

    User-agent: duggmirror
    Disallow: /

    I don’t know if it has side effects, but see:
    http://www.google.com/search?h.....tnG=Search
    It works fine with the thing mentioned above :)

  5. Michael Martine (8 comments.) says:

    Not being a programmer myself, I don’t understand why this matters. Is it because if these pages are indexed, people can search according to code strings that are exploitative?

  6. Rasmus (10 comments.) says:

    I for one would be very nervous, if my plugin folder was indexed. Find one exploit for one plugin, and every indexed blog with that plugin installed is unsafe – and why help those who want to exploit these weaknesses?

  7. Daniel Condurachi (9 comments.) says:

    So what should we exactly do to protect the plug-ins folder?

  8. Mark Ghosh (386 comments.) says:

    Geoff, I wanted to research all possibilities before I wrote the post on protection. Expect one soon.
    Adam, that is not the place, I refrained from posting about it.

  9. Geof F. Morris (13 comments.) says:

    Fair enough, Mark. I’ll be interested to see your results. :D

  10. Wayne Price says:

    Where do you put the robots.txt file?

  11. Collin (6 comments.) says:

    In the first four pages of results all I see is “eventcalendar3” and “podpress” plugins.

    I look forward to the post on “protection”!

  12. Angelfire (9 comments.) says:

    I put an empty index.php file into wp-content/plugins/

  13. David Kierznowski (1 comments.) says:

    Adam, this had nothing to do with BlogSecurity.net. The results in the article you mentioned are the results of bloggers who have used our tool to scan themselves, it is a free service we provide.

  14. Dave McAleavy (1 comments.) says:

    I was horrified to discover a similar problem when I moved host. You need to add:

    Options -Indexes

    to your .htaccess file.

  15. booyaa (1 comments.) says:

    robots.txt files are going to stop spiders, but you still need to lock down those directories: wp-content/plugins, wp-content/themes and wp-includes. I would recommend the index.php from wp-content/ as not everyone will be able to use local .htaccess files.

  16. Laundro (5 comments.) says:

    I put:
    Options All -Indexes
    in my .htaccess for each WordPress directory.

  17. Michael Martine (8 comments.) says:

    OMG! We don’t even know what we’re worried about! Nobody has said why it matters, and yet everyone seems kinda freaky about this. Somebody please explain why this matters.

  18. Nathan Chapman (1 comments.) says:

    Blimey.
    I had no idea my home-made .htaccess file was letting this through.

    Thank you so much!

  19. BigNerd (4 comments.) says:

    Directed to Michael Martine:

    Before you get your panties in a wad…

    Read the following analogy:

    You want people to notice your fine Italian suit, but someone finds out what type of whitey-tighties you’re wearing. Now it’s open season as to the type of wedgie you’ll be receiving.

    Like Rasmus stated earlier in this thread…
    I for one would be very nervous, if my plugin folder was indexed. Find one exploit for one plugin, and every indexed blog with that plugin installed is unsafe – and why help those who want to exploit these weaknesses?

    Some folks like to show off their plug-ins (ironically there are plug-ins for this!), others would like to keep it private… especially those who monetize their sites.

  20. Michael Martine (8 comments.) says:

    Thanks for the explanation, BigNerd. I was hoping somebody would know. The whole gist of my comment was that everybody else’s panties were in a bunch, not mine! ;)

  21. DaiTengu (1 comments.) says:

    I posted a more involved explanation as to why you should use -Indexes on my blog. Basically it comes down to the fact that it’s really a giant security risk.

  22. Foehammer (1 comments.) says:

    Thank you for pointing this out. I had completely overlooked such a security issue.

  23. efrasiyab (1 comments.) says:

    Here’s another simple solution.

  24. Jonathan (83 comments.) says:

    *phew* good catch! Mine was insecure as well.. *patches it up*

  25. Cody (21 comments.) says:

    Word to the wise: putting an empty index.php file in your /wp-content/plugins folder will mess with your dashboard (see here). Try an index.html file instead, or just do the .htaccess bit.

  26. Jenny (24 comments.) says:

    I did the index.php thing, but it looks like it’s bad, so… I’ma go ahead and change it to HTML, I guess.

  27. A.J. (3 comments.) says:

    All I can say is that I was absolutely shocked at the search results. I shouldn’t be because I remember searching for social security numbers and credit card numbers in Google back around 2000 or 2001 just to see what came up and you’d be amazed how many comma delimited files or text files were out there publicly available with all customer and order data from poorly written shopping carts.

  28. Bad Bad Bad says:

    Baris:

    That’s not a very good robots.txt

    Why in the world would I want to do this?:
    Disallow: /*.js$
    Disallow: /*.css$
    Disallow: /wp-content/
    Disallow: /feed/
    Disallow: /archives/
    Disallow: /sitemap.xml
    Disallow: */feed/
    Disallow: */trackback/
    Disallow: /page/
    Disallow: /tag/
    Disallow: /category/

    That’s not good at all! It blocks about half your blog! Google is able to tell what content is on my site and knows it’s not copied like the guy worries about on his site.
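
As an added example (not any commenter's code), a small Python matcher that applies Google's robots.txt wildcard semantics to Baris's Googlebot record above, trimmed to the rules the sample paths exercise, and shows which ordinary blog URLs those rules block; the sample paths are constructed.

```python
import re

# Baris's Googlebot record from the comment above, trimmed to the rules the
# sample paths exercise; the other User-agent records are omitted.
ROBOTS_TXT = """\
User-agent: Googlebot
Disallow: /wp-content/
Disallow: /feed/
Disallow: /*?
Disallow: /*.css$
Disallow: */feed/
Disallow: /page/
Disallow: /category/
"""

def parse_disallows(text, agent):
    """Collect the Disallow patterns of the record whose User-agent equals agent."""
    rules, current = [], None
    for line in text.splitlines():
        key, _, value = line.split("#", 1)[0].partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            current = value.lower()
        elif key == "disallow" and current == agent.lower() and value:
            rules.append(value)  # an empty Disallow means "allow everything"
    return rules

def pattern_to_regex(pattern):
    """Google's wildcard semantics: '*' matches any run of characters, a trailing
    '$' anchors the end, and every pattern is matched from the start of the path."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = ".*".join(re.escape(part) for part in body.split("*"))
    return re.compile("^" + regex + ("$" if anchored else ""))

def first_blocking_rule(path, rules):
    """Return the first Disallow pattern matching path, or None if it is crawlable.
    Google picks the longest matching rule, but with no Allow lines the verdict
    is the same."""
    return next((r for r in rules if pattern_to_regex(r).match(path)), None)

# Constructed paths a typical WordPress blog serves.
SAMPLE_PATHS = ["/", "/2007/07/03/holy-plugins-batman/",
                "/2007/07/03/holy-plugins-batman/feed/", "/category/wordpress/",
                "/page/2/", "/wp-content/uploads/photo.jpg", "/style.css", "/?s=batman"]

def blocked_report(paths=SAMPLE_PATHS, text=ROBOTS_TXT, agent="Googlebot"):
    """Map each path to the rule that blocks it (None when crawlable)."""
    rules = parse_disallows(text, agent)
    return {p: first_blocking_rule(p, rules) for p in paths}
```

The report shows category and paging archives, uploaded images and the stylesheet all blocked, which is the overblocking the reply above objects to; and, as booyaa notes further up, robots.txt only advises well-behaved crawlers, so the .htaccess and index.html answers remain the actual fix for directory listing.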

  29. Lorna (4 comments.) says:

    May I request that future WordPress distributions have the .htaccess or index.html files built into each folder that needs to be locked down, especially the themes and plugins folders?

  30. Otto (215 comments.) says:

    The best way is actually to just put Options -Indexes into the main root .htaccess file. That is enough, you don’t need it in every directory, just the main one. You also don’t need the “All” in the line of code, just turning off indexes will suffice.

    As for people not understanding why it’s bad: Consider that plugins are code and can have security flaws. If somebody can see the content of your plugins directory, they can find out the names of your plugins and execute them directly. Then they can go search for exploits for those specific plugins and hack your site that way. Without indexes, they can’t see what plugins you have and don’t know their filenames. So they have to try more generic methods to get in. Plugins, like any code you run on the site, can be a security risk, so hiding them even a little bit is helpful.

  31. Wally Wilson (1 comments.) says:

    Mark,

    Thanks for the heads-up. I had blank index.html files every place _except_ my plugins folder. ::slaps palm to forehead::

  32. mike (1 comments.) says:

    I looked at your robots.txt file and apparently you don’t follow your own advice? You have nothing blocked.



Trackbacks/Pingbacks

  1. [...] This is a expansion on marks article today on weblog tools collection: [...]

  2. [...] WordPress users who logged into their control panel saw the link to Holy Plugins Batman! today. The gist of the story is that there’s an ungodly amount of indexed wordpress plugin [...]

  3. [...] the guys at Weblog Tools Collection wrote about this aspect [...]

  4. [...] the people in the blogosphere, it is enough to search on Google. The guys at Weblog Tools Collection wrote about this aspect. OK – all well and good, but likewise anyone can see which plugins you have installed, [...]

  5. [...] Weblog Tools Collection points out an interesting Google search that is potentially dangerous for WordPress and proposes some solutions to the problem. [...]

  6. [...] Wednesday, 4 of July , 2007 at 8:42 pm. No this isn’t a post about a security issue with WordPress but more the naivety of hosting your own WordPress site (or potentially other sites/CMSs) and allowing visible listings of directory contents. The post that explains this further can be found at Web Log Tools Collection. [...]

  7. [...] Anyone See Your WordPress Plugin’s Underwear? I’ve talked about this before, but Mark Ghosh of Weblog Tools Collection makes the point even more valid and asks if you are showing off your WordPress Plugins when you [...]

  8. [...] bit about how it seems to be possible to search through Google and view the contents of most WordPress blogs’ plugins directory. The jury is still out on this being a security hole but he offers a few solutions.  Missing from [...]

  9. [...] article on Weblog Tools Collection lists other, more elaborate ways to get the same effect. For more information about the [...]

  10. [...] a post on Mark’s website at Weblog Tools Collection I found the Blog Security [...]

  11. [...] you’re using WordPress for your blog, there is one security issue mentioned in WeblogToolsCollection & [...]

  12. plugins says:

    [...] read on Weblog Tools Collection that quite a few WordPress plugin directories are almost completely open. Open is [...]
