Index of /wp-content/plugins – Google Search: I am not sure what to make of this search, but not only are there a lot of self-hosted WordPress blogs, too many of them allow their plugin folder to be indexed. I performed this search because I noticed a crawler on a couple of my blogs that was indexing my plugins, and that alarmed me a little. I do not allow my plugin folder to be indexed since I consider that too risky. The homepage of the crawler lists various plugins and their prevalence in the WordPress blogosphere. I imagine the crawler browses the plugins folder of each new blog it discovers and, if that folder can be browsed, tries to fetch the various plugin PHP files it is aware of, looking for 404s and empty strings. I stop short of suggesting that everyone protect their plugins folder, because if the plugins are written correctly and your server is configured correctly there should be nothing to worry about. However, since I write or hack most of my own plugins and I am my own worst critic, I choose to protect that folder.
[EDIT] There have been lots of questions about how to protect the plugins folder; here are a few quick and simple answers.
- Add the following line to the .htaccess file in your WordPress directory (the one that holds wp-config.php):
Options -Indexes
Note the form: -Indexes on its own is what you want. Writing Options All -Indexes is often suggested, but All switches on every other option Apache supports (Includes, ExecCGI, FollowSymLinks, ...), which is far more than a listing ban. The directive only takes effect if your host's AllowOverride permits Options in .htaccess; if it does not, ask your host to disable directory listing for you.
- Create a new file called index.php, leave it completely empty and upload it to your wp-content/plugins directory. [EDIT] It appears that a blank index.php might cause some trouble with the dashboard. You can use a blank index.html instead, or opt for the .htaccess solution above. (An index.php containing nothing but a PHP comment, which is what WordPress itself ships in that folder, also works.)
- Make sure PHP sends warnings and errors to a log file only, never to the browser: display_errors Off and log_errors On, set in php.ini or, where your host allows it, with php_flag lines in .htaccess. Displayed errors leak full filesystem paths and the names of the plugin files a crawler is probing for. There are many tutorials on the web for doing this properly. If you are on a shared server, ask your host to turn display_errors off if they have not done so already. I am guilty of leaving this turned on because I use this server for debugging at times and I get lazy. This is good security practice for all servers. I love how this option cannot be modified with ini_set on cPanel based servers.
- Refrain from going overboard and restricting or protecting everything. You might end up making your blog invisible to search engines and legitimate visitors alike.
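The three checks above are easy to get subtly wrong, so here is an offline audit you can run against a copy of your WordPress tree. This is an added example, not code from the original post or from WordPress; the script, its sample tree and the plugin name example-plugin are hypothetical, and the error-display check is a heuristic that only looks at the site's own files (.htaccess, php.ini, .user.ini, wp-config.php), not at the server-wide php.ini.

```python
"""Offline audit of a WordPress directory tree for the protections listed
above: directory listing off, an index file in wp-content/plugins, and PHP
errors logged rather than displayed.  Added example; hypothetical script,
not part of the original post or of WordPress."""
import re
import tempfile
from pathlib import Path

# An Apache Options line that removes Indexes turns directory listing off.
NO_INDEXES = re.compile(r"^\s*Options\b.*-Indexes", re.IGNORECASE | re.MULTILINE)
# "Options All" enables every option except MultiViews (Includes, ExecCGI, ...),
# so "Options All -Indexes" grants far more than the listing ban it intends.
OPTIONS_ALL = re.compile(r"^\s*Options\s+All\b", re.IGNORECASE | re.MULTILINE)
# Heuristic: ways the site's own files can switch error display on.
DISPLAY_ON = re.compile(
    r"^\s*php_(?:flag|value)\s+display_errors\s+(?:on|1)\b"   # .htaccess
    r"|^\s*display_errors\s*=\s*(?:on|1)\b"                    # php.ini / .user.ini
    r"|define\(\s*['\"]WP_DEBUG['\"]\s*,\s*true\s*\)",         # wp-config.php
    re.IGNORECASE | re.MULTILINE,
)


def read(path: Path) -> str:
    """Return a file's text, or '' when it does not exist."""
    return path.read_text() if path.is_file() else ""


def audit(wp_root) -> dict:
    """Inspect the files under a WordPress root and return the raw findings."""
    root = Path(wp_root)
    plugins = root / "wp-content" / "plugins"
    # Directives in the plugins folder's own .htaccess count as well.
    htaccess = read(root / ".htaccess") + "\n" + read(plugins / ".htaccess")
    ini = read(root / "php.ini") + "\n" + read(root / ".user.ini")
    wp_config = read(root / "wp-config.php")
    return {
        "listing_disabled": bool(NO_INDEXES.search(htaccess)),
        "options_all_used": bool(OPTIONS_ALL.search(htaccess)),
        "plugins_index_file": any((plugins / n).is_file() for n in ("index.php", "index.html")),
        "display_errors_on": bool(DISPLAY_ON.search("\n".join((htaccess, ini, wp_config)))),
    }


def problems(findings: dict) -> list:
    """Turn findings into the actionable warnings a practitioner wants to see."""
    msgs = []
    if not (findings["listing_disabled"] or findings["plugins_index_file"]):
        msgs.append("wp-content/plugins can be listed: add 'Options -Indexes' "
                    "to .htaccess or put an index file in the folder")
    if findings["options_all_used"]:
        msgs.append("'Options All' also enables Includes and ExecCGI; "
                    "use 'Options -Indexes' by itself")
    if findings["display_errors_on"]:
        msgs.append("PHP errors are shown to visitors; set display_errors Off "
                    "and log_errors On")
    return msgs


def build_sample(root, htaccess: str, index_file=None) -> str:
    """Constructed miniature WordPress tree for offline testing (not a real install)."""
    root = Path(root)
    plugin_dir = root / "wp-content" / "plugins" / "example-plugin"   # hypothetical plugin
    plugin_dir.mkdir(parents=True)
    (plugin_dir / "example-plugin.php").write_text("<?php // hypothetical plugin stub\n")
    (root / ".htaccess").write_text(htaccess)
    (root / "wp-config.php").write_text("<?php\ndefine('WP_DEBUG', false);\n")
    if index_file:
        (root / "wp-content" / "plugins" / index_file).write_text("")
    return str(root)


def audit_sample(htaccess: str, index_file=None) -> list:
    """Build a throwaway sample tree with the given settings and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return problems(audit(build_sample(tmp, htaccess, index_file)))


# Constructed .htaccess contents, from a bare install to the recommended setup.
SAMPLES = {
    "unprotected": ("php_flag display_errors On\n", None),
    "options-all": ("Options All -Indexes\n", None),
    "protected": ("Options -Indexes\nphp_flag display_errors Off\nphp_flag log_errors On\n", "index.html"),
}

if __name__ == "__main__":
    for label, (htaccess, index_file) in SAMPLES.items():
        print(label, audit_sample(htaccess, index_file) or ["ok"])
```

To audit a real site, call audit("/path/to/wordpress") and print problems() on the result. A clean result here is only half the story: the listing ban lives in Apache, so finish by requesting /wp-content/plugins/ from a browser and confirming you get a 403 or a blank page rather than a file list.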
A couple of people have also asked why this could be bad. My primary reason is that I do not like to air my (dirty) laundry. I would like to stay away from discussing this much further. If you need clarification or are concerned for one reason or another, please contact me and I will explain further.