Index of /wp-content/plugins – Google Search
I am not sure what to make of this search, but not only are there a lot of self-hosted WordPress blogs, too many of them allow their plugins folder to be indexed. I performed this search because I noticed a crawler on a couple of my blogs indexing my plugins, which alarmed me a little. I do not allow my plugins folder to be indexed, since I consider that too risky. The crawler's homepage lists various plugins and how widespread each one is across the WordPress blogosphere. I imagine the crawler browses the plugins folder of each newly discovered blog and, if that folder can be browsed, requests the plugin PHP files it knows about, looking for 404s and empty responses. I stop short of suggesting that everyone protect their plugins folder, because if the plugins are written correctly and your server is configured correctly there should be nothing to worry about. However, since I write or hack most of my own plugins and I am my own worst critic, I choose to protect that folder.
[EDIT] There have been lots of questions on how to protect the plugins folder and here are a few quick and simple answers.
- Add the following to the .htaccess file in your WordPress directory
Options All -Indexes
- Create a new file, call it index.php, leave it completely empty and upload it to your wp-content/plugins directory. [EDIT] It appears that a blank index.php might cause some trouble with the dashboard. You can use a blank index.html instead or opt for the .htaccess solution above.
- Make sure warning and error reporting is set to log only, never to display. There are many tutorials on the web for doing this properly. If you are on a shared server, ask your host to turn display off if they have not done so already. I am guilty of leaving it on because I use this server for debugging at times and I get lazy. This is good security practice for all servers. I love how this option cannot be modified with ini_set on cPanel-based servers.
- Refrain from going overboard and restricting/protecting everything. You might end up making your blog invisible to search engines and such.
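To see what the .htaccess advice above actually does, here is a small audit script, added as an example here and not code from the original post. It models how Apache merges Options directives from the document root down through each subdirectory's .htaccess, which is why a single -Indexes line in the root file is enough, and also why a stray "Options +Indexes" in a deeper .htaccess silently undoes it. The server-wide baseline, the directory chain and the WordPress rewrite block are constructed sample input; the merge rules follow the Apache documentation for Options (all-relative directives adjust the inherited set, bare names replace it, and Apache 2.4 rejects a directive that mixes the two forms, such as "Options All -Indexes").

```python
"""Audit whether Apache would auto-generate a listing for wp-content/plugins.

Added example, not code from the original post. It assumes an Apache server
whose AllowOverride permits Options in .htaccess, and a constructed baseline
for the server-wide Options. Merge rules follow the Apache documentation for
the Options directive: a directive whose options all carry + or - adjusts the
set inherited from the parent directory, one with bare names replaces it, and
mixing the two forms is rejected by Apache 2.4's syntax check.
"""
import re

# Every option name that the keyword "All" expands to (everything except MultiViews).
ALL_OPTIONS = {"ExecCGI", "FollowSymLinks", "Includes", "IncludesNOEXEC",
               "Indexes", "SymLinksIfOwnerMatch"}
CANONICAL = {n.lower(): n for n in ALL_OPTIONS | {"MultiViews"}}

# Constructed baseline: what a typical httpd.conf <Directory> block for the
# document root grants before any .htaccess file is consulted.
SERVER_DEFAULT = {"Indexes", "FollowSymLinks"}

# Matches the argument list of an uncommented Options directive, one per line.
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+?)[ \t]*$", re.IGNORECASE | re.MULTILINE)


def expand(name):
    """Expand a single option keyword into the set of option names it stands for."""
    key = name.lower()
    if key == "all":
        return set(ALL_OPTIONS)
    if key == "none":
        return set()
    if key not in CANONICAL:
        raise ValueError("unknown option: " + name)
    return {CANONICAL[key]}


def apply_options(inherited, tokens):
    """Apply one Options directive to the option set inherited so far."""
    relative = [t[0] in "+-" for t in tokens]
    if any(relative) and not all(relative):
        # e.g. "Options All -Indexes": Apache 2.4 refuses to start on this form.
        raise ValueError("mixed relative and absolute Options: " + " ".join(tokens))
    if not any(relative):
        # Absolute form: the directive replaces whatever the parent granted.
        result = set()
        for t in tokens:
            result |= expand(t)
        return result
    # Relative form: add or remove from the inherited set, token by token.
    result = set(inherited)
    for t in tokens:
        names = expand(t[1:])
        result = result | names if t[0] == "+" else result - names
    return result


def directive_is_valid(tokens):
    """False when Apache would reject the directive (mixed form or unknown option)."""
    try:
        apply_options(set(), tokens)
    except ValueError:
        return False
    return True


def effective_options(htaccess_chain, server_default=SERVER_DEFAULT):
    """Walk the .htaccess bodies from the document root down to the target
    directory (an empty string stands for "no .htaccess here") and return the
    option set Apache would apply to the final directory."""
    opts = set(server_default)
    for body in htaccess_chain:
        for directive in OPTIONS_RE.findall(body):
            opts = apply_options(opts, directive.split())
    return opts


def listing_enabled(htaccess_chain, index_files=()):
    """True if a request for the target directory would get an auto-generated
    index: Indexes must be in effect and no DirectoryIndex file (index.html or
    index.php) may exist there, since that file is served instead."""
    if any(f in ("index.html", "index.php") for f in index_files):
        return False
    return "Indexes" in effective_options(htaccess_chain)


# Constructed sample: the rewrite block WordPress writes to the root .htaccess,
# with the -Indexes line from the post added in front of it.
WP_ROOT_HTACCESS = """\
Options -Indexes

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    # Chains are [docroot .htaccess, wp-content .htaccess, plugins .htaccess].
    print("untouched install:", listing_enabled(["", "", ""]))
    print("root -Indexes only:", listing_enabled([WP_ROOT_HTACCESS, "", ""]))
    print("subdirectory re-enables:",
          listing_enabled([WP_ROOT_HTACCESS, "", "Options +Indexes\n"]))
    print("blank index.html:", listing_enabled(["", "", ""], index_files=("index.html",)))
    print("'Options All -Indexes' accepted:", directive_is_valid(["All", "-Indexes"]))
```

The blank index.html case returns False regardless of Options because mod_autoindex only generates a listing when no DirectoryIndex file exists, which is why the index.html trick works even where the host does not honour .htaccess. The script only models Options; it does not check that AllowOverride actually permits the directive, so a host that has AllowOverride set to None will ignore the .htaccess line entirely.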
A couple of people have also asked why this could be bad. My primary reason is that I do not like to air my (dirty) laundry. I would like to stay away from discussing this too much further. If you need clarifications or are concerned for a particular reason or another, please contact me and I will explain further.
How do you protect your /wp-content/plugins, Mark? .htaccess or an index.php file?
Time for the default zip file to include an .htaccess file that will prevent bots from crawling the plugin folder.
You need to disable automatic indexing in your host’s control panel, or restrict the directory using .htaccess, or both. WordPress can’t do it for you. The scanning was probably coming from this: http://blogsecurity.net/wordpress/article-300606/
I use the robots.txt file, with the instructions of Turkhitbox:
http://www.turkhitbox.com/word.....press.html
I don’t know if it has side effects, but see:
http://www.google.com/search?h.....tnG=Search
It works fine with the thing mentioned above 🙂
Not being a programmer myself, I don’t understand why this matters. Is it because if these pages are indexed, people can search according to code strings that are exploitative?
I for one would be very nervous, if my plugin folder was indexed. Find one exploit for one plugin, and every indexed blog with that plugin installed is unsafe – and why help those who want to exploit these weaknesses?
So what should we exactly do to protect the plug-ins folder?
Geoff, I wanted to research all possibilities before I wrote the post on protection. Expect one soon.
Adam, that is not the place, I refrained from posting about it.
Fair enough, Mark. I’ll be interested to see your results. 😀
Where do you put the robots.txt file?
In the first four pages of results all I see is “eventcalendar3” and “podpress” plugins.
I look forward to the post on “protection”!
I put an empty file index.php into wp-content/plugins/
Adam, this had nothing to do with BlogSecurity.net. The results in the article you mentioned are the results of bloggers who have used our tool to scan themselves, it is a free service we provide.
I was horrified to discover a similar problem when I moved host. You need to add:
Options -Indexes
to your .htaccess file.
robots.txt files are going to stop spiders, but you still need to lock down those directories: wp-content/plugins, wp-content/themes and wp-includes. I would recommend the index.php from wp-content/, as not everyone will be able to use local .htaccess files.
I put:
Options All -Indexes
in my .htaccess for each WordPress directory.
OMG! We don’t even know what we’re worried about! Nobody has said why it matters, and yet everyone seems kinda freaky about this. Somebody please explain why this matters.
Blimey.
I had no idea my home-made .htaccess file was letting this through.
Thank you so much!
Directed to Michael Martine:
Before you get your panties in a wad…
Read the following analogy:
You want people to notice your fine Italian suit, but someone finds out what type of whitey-tighties you’re wearing. Now it’s open season as to the type of wedgie you’ll be receiving.
Like Rasmus stated earlier in this thread…
I for one would be very nervous, if my plugin folder was indexed. Find one exploit for one plugin, and every indexed blog with that plugin installed is unsafe – and why help those who want to exploit these weaknesses?
Some folks like to show off their plug-ins (ironically there are plug-ins for this!), others would like to keep it private… especially those who monetize their sites.
Thanks for the explanation, BigNerd. I was hoping somebody would know. The whole gist of my comment was that everybody else’s panties were in a bunch, not mine! 😉
I posted a more involved explanation as to why you should use -Indexes on my blog. Basically it comes down to the fact that it’s really a giant security risk.
Thank you for pointing this out. I had completely overlooked such a security issue.
Here’s another simple solution.
*phew* Good catch! Mine was insecure as well... *patches it up*
Word to the wise: putting an empty index.php file in your /wp-content/plugins folder will mess with your dashboard (see here). Try an index.html file instead, or just do the .htaccess bit.
I did the index.php thing, but it looks like it’s bad, so... I’ma go ahead and change it to HTML, I guess.
All I can say is that I was absolutely shocked at the search results. I shouldn’t be, because I remember searching for social security numbers and credit card numbers in Google back around 2000 or 2001 just to see what came up, and you’d be amazed how many comma-delimited files or text files were out there publicly available with all the customer and order data from poorly written shopping carts.
Baris:
That’s not a very good robots.txt
Why in the world would I want to do this?:
Disallow: /*.js$
Disallow: /*.css$
Disallow: /wp-content/
Disallow: /feed/
Disallow: /archives/
Disallow: /sitemap.xml
Disallow: */feed/
Disallow: */trackback/
Disallow: /page/
Disallow: /tag/
Disallow: /category/
That’s not good at all! It blocks about half your blog! Google is able to tell what content is on my site and knows it’s not copied like the guy worries about on his site.
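To make the "it blocks about half your blog" objection concrete, here is a small robots.txt evaluator, added as an example and not code from the original thread. It takes the Disallow lines quoted above (placed under a constructed "User-agent: *" header, which the quoted fragment omitted), runs a set of constructed WordPress-style paths through them, and reports which ones a rule-following crawler would never fetch. Matching follows the wildcard convention Google and Bing document for robots.txt: patterns are anchored at the start of the path, "*" matches any run of characters, a trailing "$" anchors the end, and the longest matching rule decides. User-agent groups are ignored, so every rule is treated as applying to all crawlers.

```python
"""Show which paths the quoted robots.txt keeps a compliant crawler away from.

Added example, not code from the original thread. The Disallow lines are the
ones quoted in the comment, placed under a constructed "User-agent: *" header;
the sample paths are constructed too. Matching follows the wildcard convention
Google and Bing document: patterns anchor at the start of the path, "*" matches
any run of characters, a trailing "$" anchors the end, and when several rules
match, the longest (most specific) one decides. User-agent groups are ignored,
so every rule is treated as applying to all crawlers.
"""
import re

ROBOTS_TXT = """\
User-agent: *
Disallow: /*.js$
Disallow: /*.css$
Disallow: /wp-content/
Disallow: /feed/
Disallow: /archives/
Disallow: /sitemap.xml
Disallow: */feed/
Disallow: */trackback/
Disallow: /page/
Disallow: /tag/
Disallow: /category/
"""

# Constructed paths a typical WordPress blog serves.
SAMPLE_PATHS = [
    "/",
    "/2007/05/plugin-folder-indexing/",
    "/2007/05/plugin-folder-indexing/feed/",
    "/category/security/",
    "/page/2/",
    "/tag/wordpress/",
    "/feed/",
    "/sitemap.xml",
    "/wp-content/plugins/",
    "/wp-content/themes/default/style.css",
    "/wp-admin/",
]


def parse_robots(text):
    """Return [(pattern, allowed)] for every Allow/Disallow line, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() in ("allow", "disallow") and value:
            rules.append((value, field.lower() == "allow"))
    return rules


def pattern_to_regex(pattern):
    """Translate a robots.txt path pattern into an anchored regular expression."""
    anchored_end = pattern.endswith("$")
    if anchored_end:
        pattern = pattern[:-1]
    body = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.compile("^" + body + ("$" if anchored_end else ""))


def is_allowed(rules, path):
    """Longest matching rule wins; a path no rule mentions is allowed."""
    best = None
    for pattern, allowed in rules:
        if pattern_to_regex(pattern).match(path):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, allowed)
    return True if best is None else best[1]


def blocked_paths(robots_text, paths):
    """Return the subset of paths a compliant crawler would not fetch."""
    rules = parse_robots(robots_text)
    return [p for p in paths if not is_allowed(rules, p)]


if __name__ == "__main__":
    blocked = set(blocked_paths(ROBOTS_TXT, SAMPLE_PATHS))
    for path in SAMPLE_PATHS:
        print(f"{path:45} {'blocked' if path in blocked else 'crawlable'}")
```

Of the eleven constructed paths only the front page, the single post and /wp-admin/ survive: every category, tag, pagination and feed URL is disallowed, which is what the comment means by half the blog. Note also what this does not do: robots.txt is a request, not an access control, so the plugins folder listing is just as visible to the crawler described in the post unless the directory itself is locked down.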
May I request that future WordPress distributions have the .htaccess or index.html files built into each folder that needs to be locked down, especially the themes and plugins folders?
The best way is actually to just put
Options -Indexes
into the main root .htaccess file. That is enough, you don’t need it in every directory, just the main one. You also don’t need the “All” in the line of code, just turning off indexes will suffice.
As for people not understanding why it’s bad: Consider that plugins are code and can have security flaws. If somebody can see the content of your plugins directory, they can find out the names of your plugins and execute them directly. Then they can go search for exploits for those specific plugins and hack your site that way. Without indexes, they can’t see what plugins you have and don’t know their filenames. So they have to try more generic methods to get in. Plugins, like any code you run on the site, can be a security risk, so hiding them even a little bit is helpful.
Mark,
Thanks for the heads-up. I had blank index.html files every place _except_ my plugins folder. ::slaps palm to forehead::
I looked at your robots.txt file and apparently you don’t follow your own advice? You have nothing blocked.