Comments on: Holy Plugins Batman!

By: mike

mike — Mon, 06 Aug 2007 16:40:46 +0000

I looked at your robots.txt file and apparently you dont follow your own advice?, you have nothing blocked

By: plugins

plugins — Sun, 22 Jul 2007 21:10:10 +0000

[...] gelezen op Weblog Tools Collection dat er heel wat plugin directories van WordPress zo goed als helemaal openstaan. Openstaan is [...]

By: How To Secure Your WordPress Blog Folder?

How To Secure Your WordPress Blog Folder? — Thu, 12 Jul 2007 16:46:19 +0000

[...] you’re using WordPress for your blog, there is one security issue mentioned in WeblogToolsCollection & [...]

By: How Secure Is Your WordPress Blog? : Cornell Finch

How Secure Is Your WordPress Blog? : Cornell Finch — Sun, 08 Jul 2007 08:52:09 +0000

[...] a post on Mark’s website at Weblog Tools Collection1 I found the Blog Security [...]

By: Wally Wilson

Wally Wilson — Sat, 07 Jul 2007 22:09:15 +0000

Mark,

Thanks for the heads-up. I had blank index.html files every place _except_ my plugins folder. ::slaps palm to forehead::

By: Spammers e vulnerabilidades no wordpress - Marketing de busca

Spammers e vulnerabilidades no wordpress - Marketing de busca — Thu, 05 Jul 2007 22:42:05 +0000

[...] artigo no weblog tools colection lista outras formas mais elaboradas para obter o mesmo efeito. Para mais informação sobre o [...]

By: Otto

Otto — Thu, 05 Jul 2007 14:31:38 +0000

The best way is actually to just put Options -Indexes into the main root .htaccess file. That is enough, you don’t need it in every directory, just the main one. You also don’t need the “All” in the line of code, just turning off indexes will suffice.

As for people not understanding why it’s bad: Consider that plugins are code and can have security flaws. If somebody can see the content of your plugins directory, they can find out the names of your plugins and execute them directly. Then they can go search for exploits for those specific plugins and hack your site that way. Without indexes, they can’t see what plugins you have and don’t know their filenames. So they have to try more generic methods to get in. Plugins, like any code you run on the site, can be a security risk, so hiding them even a little bit is helpful.

By: Lorna

Lorna — Thu, 05 Jul 2007 08:48:07 +0000

May I request that future WordPress distributions have the .htaccess or index.html files built into each folder that needs to be locked down, especially the themes and plugins folders?

By: Bad Bad Bad

Bad Bad Bad — Thu, 05 Jul 2007 05:37:52 +0000

Baris:

That’s not a very good robots.txt

Why in the world would I want to do this?:
Disallow: /*.js$
Disallow: /*.css$
Disallow: /wp-content/
Disallow: /feed/
Disallow: /archives/
Disallow: /sitemap.xml
Disallow: */feed/
Disallow: */trackback/
Disallow: /page/
Disallow: /tag/
Disallow: /category/

That’s not good at all! It blocks about half your blog! Google is able to tell what content is on my site and knows it’s not copied like the guy worries about on his site.

By: What plugins are you using? | Nerdal Network

What plugins are you using? | Nerdal Network — Thu, 05 Jul 2007 02:48:33 +0000

[...] bit about how it seems to be possible to search through Google and view the contents of most WordPress blogs’ plugins directory. The jury is still out on this being a security hole but he offers a few solutions. Missing from [...]

By: WordPress Wednesday News: WordCamp Filling Up Fast, WordPress 2.2.1 Mandatory Upgrade, Hot WordPress Themes and Plugins, WordPress Security, and WordPress Nerds Blog Naked : The Blog Herald

Thu, 05 Jul 2007 00:55:27 +0000

[...] Anyone See Your WordPress Plugin’s Underwear? I’ve talked about this before, but Mark Ghosh of Weblog Tools Collection makes the point even more valid and asks if you are showing off your WordPress Plugins when you [...]

By: Stuff by Sarah » WordPress Site Security

Stuff by Sarah » WordPress Site Security — Wed, 04 Jul 2007 20:03:46 +0000

[...] Wednesday, 4 of July , 2007 at 8:42 pm. No this isn’t a post about a security issue with WordPress but more the naivety of hosting your own WordPress site (or potentially other sites/CMSs) and allowing visible listings of directory contents. The post that explains this further can be found at Web Log Tools Collection. [...]

By: A.J.

A.J. — Wed, 04 Jul 2007 16:03:17 +0000

All I can say is that I was absolutely shocked at the search results. I shouldn’t be because I remember searching for social security numbers and credit card numbers in Google back around 2000 or 2001 just to see what came up and you’d be amazed how many comma delimited files or text files were out there publicly available with all customer and order data from poorly written shopping carts.

By: Jenny

Jenny — Wed, 04 Jul 2007 14:06:01 +0000

I did the index.php thing, but it looks like it’s bad, so…I’ma go ahead and change it to html i guess.

By: Lista dei plugin di Wordpress e spider | ShinRa House

Lista dei plugin di Wordpress e spider | ShinRa House — Wed, 04 Jul 2007 11:44:40 +0000

[...] Weblog Tools Collection segnala un interessante ricerca su Google potenzialmente pericolosa per Wordpress e propone alcune soluzioni al problema. [...]

By: BLOGoree.ro blog » Protejeaza-ti directorul cu pluginuri

BLOGoree.ro blog » Protejeaza-ti directorul cu pluginuri — Wed, 04 Jul 2007 11:11:04 +0000

[...] oamenii din blogosfera, e suficient sa cauti pe Google. Baietii de la Weblog Tools Collection au scris despre acest aspect Ok - toate bune si frumoase, dar de asemenea oricine poate vedea ce pluginuri aveti instalate, [...]

By: WordPress - protejeaza-ti directorul cu pluginuri | Technology Blog @ Cristian Ciofu

Wed, 04 Jul 2007 10:46:41 +0000

[...] baietii de la Weblog Tools Collection au scris despre acest aspect [...]

By: Cody

Cody — Wed, 04 Jul 2007 09:00:13 +0000

Word to the wise: putting an empty index.php file in your /wp-content/plugins folder will mess with your dashboard (see here. Try an index.html file instead, or just do the .htaccess bit.

By: Jonathan

Jonathan — Wed, 04 Jul 2007 05:42:53 +0000

*phew* good catch! Mine was unsecure as well.. *patches it up*

By: efrasiyab

efrasiyab — Wed, 04 Jul 2007 05:08:23 +0000

Here's a another simple solution.