Weblogtoolscollection News » WordPress Tips and Hacks

Server path disclosure in WP themes

  • Topic started 7 years ago
  • 6 posts so far
  • Latest reply from Truden

  1. Server path disclosure is a serious hole jeopardizing your security.

    All theme developers should secure the theme files which are not supposed to be called directly.

    It is very easy to find the path to your theme folder and then just call searchform.php or single.php or any other file which is used as included theme file.
    By doing that you would see something like:

    Fatal error: Call to undefined function: bloginfo() in /var/www/myhost/mysite/docs/wp-content/themes/mytheme/searchform.php on line 2

    If a hacker needs your server path he/she has it.

    Posted: 7 years #
  2. He-he :-)
    I was doing some carpentry when a thought popped up in my mind:
    what if you type in the address bar the path to your theme directory / index.php

    How do we secure theme/index.php???

    Not very clever designed template hook ;)
    Or perhaps that is not a BIG problem and my ignorance is making me wary too much. :(

    Posted: 7 years #
  3. I see that no one takes this problem as a serious security threat and weblogtoolscollection.com is not afraid to show its server path.

    Well, just in case you don't like to be so brave, you can use an .htaccess to cover this hole.
    Put in the file this code:

    <Files "*.php">
    Order allow,deny
    Deny from all
    </Files>

    Upload this .htaccess file in all your theme directories.

    Posted: 7 years #
  4. This depends on the level of error reporting (set by hosting company and/or php.ini). Production sites really should suppress all errors/warnings, so it's a global thing, not just a WP thing

    Posted: 7 years #
  5. Oh, I know that it is a GLOBAL thing, but blogging system like WordPress should take care of its users.
    It is rule: Do all possible to secure your code and software.
    If you can not do it, you must bring it to the attention of your users and I don't understand why news discussing security and anti spam issues are kept silently covered until they disappear in the time???

    Posted: 7 years #
  6. I see that Mark has taken in consideration the server path disclosure and he fixed it in this web site without tempering with the server settings.

    It would be nice of him if he explain to his readers how he did it and what is the risk if you do not do it.

    Posted: 7 years #

RSS feed for this thread

This topic has been closed to new replies.


Back to top

0.126 - 12 queries