44
Responses
Comments
Trackbacks/Pingbacks
-
[…] This is a expansion on marks article today on weblog tools collection: […]
-
[…] WordPress users who logged into their control panel saw the link to Holy Plugins Batman! today. The gist of the story is that there’s an ungodly amount of indexed wordpress plugin […]
-
[…] baietii de la Weblog Tools Collection au scris despre acest aspect […]
-
[…] oamenii din blogosfera, e suficient sa cauti pe Google. Baietii de la Weblog Tools Collection au scris despre acest aspect Ok – toate bune si frumoase, dar de asemenea oricine poate vedea ce pluginuri aveti instalate, […]
-
[…] Weblog Tools Collection segnala un interessante ricerca su Google potenzialmente pericolosa per WordPress e propone alcune soluzioni al problema. […]
-
[…] Wednesday, 4 of July , 2007 at 8:42 pm. No this isn’t a post about a security issue with WordPress but more the naivety of hosting your own WordPress site (or potentially other sites/CMSs) and allowing visible listings of directory contents. The post that explains this further can be found at Web Log Tools Collection. […]
-
[…] Anyone See Your WordPress Plugin’s Underwear? I’ve talked about this before, but Mark Ghosh of Weblog Tools Collection makes the point even more valid and asks if you are showing off your WordPress Plugins when you […]
-
[…] bit about how it seems to be possible to search through Google and view the contents of most WordPress blogs’ plugins directory. The jury is still out on this being a security hole but he offers a few solutions. Missing from […]
-
[…] artigo no weblog tools colection lista outras formas mais elaboradas para obter o mesmo efeito. Para mais informação sobre o […]
-
[…] a post on Mark’s website at Weblog Tools Collection1 I found the Blog Security […]
-
[…] you’re using WordPress for your blog, there is one security issue mentioned in WeblogToolsCollection & […]
-
[…] gelezen op Weblog Tools Collection dat er heel wat plugin directories van WordPress zo goed als helemaal openstaan. Openstaan is […]
Translate This Page
About the Author
- Mark Ghosh
An avid fan of business, education, technology and finance. I lead a lean, highly focussed and capable team of Java Back End developers and Front End developers through a maze of complex software wizardry to fulfill the web maintenance needs of a large chemical manufacturer. As per Myers-Briggs Personality Types, I am an ESTJ. I pride in a project completed on time and according to plan. My hobbies include all kinds of technology, anything that I can taste and anything that goes fast or flies in the air. I like to read business books and comics in my spare time.
Categories
- bbpress
- Best of WordPress
- Blog Templates Blog Skins Blog Themes
- Blogging
- Blogging Essays
- Blogging News
- brainstorming
- buddypress
- Business of Blogging
- CMS
- Code
- Cold Fusion
- Community Interviews
- Cool Scripts
- General
- HOW-TO
- LinkyLoo
- Movable Type Plugins
- Photolog Script
- Podcasting
- QuickLinking
- Spam
- SXSW
- TLA
- Tutorials
- User Reviews
- Web Design
- Web Ethics
- Weblog Add-Ons
- Weblog tools blog tools blogging tools
- Weekly Plugin Review
- WLTC Community
- wordcamp
- WordPress
- WordPress Discussions
- WordPress FAQs
- Wordpress for Beginners
- WordPress Hack
- WordPress News
- WordPress Plugin Competition
- WordPress Plugins
- WordPress Polls
- WordPress Security
- WordPress Templates WordPress Skins WordPress Themes
- WordPress Tips
- WordPress Tools
- WordPress Troubleshooting
- WordPress Weekly
- WordPress Widgets
- WordPress WishList
- XHTML Tips
Obviously Powered by WordPress. © 2003-2013
How do you protect your /wp-content/plugins, Mark? .htaccess or an index.php file?
time for the default zip file to include a htaccess file that will prevent bots from crawling the plugin folder.
you need to disable automatic indexing in your host’s control panel, or restrict the directory using .htaccess, or both. wordpress can’t do it for you. the scanning was probably coming from this: http://blogsecurity.net/wordpress/article-300606/
I use the robots.txt file, with the instructions of Turkhitbox:
http://www.turkhitbox.com/word.....press.html
I don’t know if it has side effects, but see:
http://www.google.com/search?h.....tnG=Search
It works fine with the thing mentioned above
Not being a programmer myself, I don’t understand why this matters. Is it because if these pages are indexed, people can search according to code strings that are exploitative?
I for one would be very nervous, if my plugin folder was indexed. Find one exploit for one plugin, and every indexed blog with that plugin installed is unsafe – and why help those who want to exploit these weaknesses?
So what should we exactly do to protect the plug-ins folder?
Geoff, I wanted to research all possibilities before I wrote the post on protection. Expect one soon.
Adam, that is not the place, I refrained from posting about it.
Fair enough, Mark. I’ll be interested to see your results.
Where do you put the robots.txt file?
In the first four pages of results all I see is “eventcalendar3″ and “podpress” plugins.
I look forward to the post on “protection”!
I puts a empty file index.php into wp-content/plugins/
Adam, this had nothing to do with BlogSecurity.net. The results in the article you mentioned are the results of bloggers who have used our tool to scan themselves, it is a free service we provide.
I was horrified to discover a similar problem when I moved host. You need to add:
Options -Indexes
to your .htaccess file.
robots.txt files are going to stop spiders. but you still need to lock down those directories wp-content/plugins, wp-content/themes and wp-includes. i would recommend the index.php from wp-content/ as not everyone will be able to use the local .htaccess files.
I put:
Options All -Indexesin my .htaccess for each WordPress directory.
OMG! We don’t even know what we’re worried about! Nobody has said why it matters, and yet everyone seems kinda freaky about this. Somebody please explain why this matters.
Blimey.
I had no idea my home-made .htaccess file was letting this through.
Thankyou so much!
Directed to Michael Martine:
Before you get your panties in a wad…
Read the following analogy:
You want people to notice your fine Italian suit, but someone finds out what type of whitey-tighties you’re wearing. Now it’s open season as to the type of wedgie you’ll be receiving.
Like Rasmus stated earlier in this thread…
I for one would be very nervous, if my plugin folder was indexed. Find one exploit for one plugin, and every indexed blog with that plugin installed is unsafe – and why help those who want to exploit these weaknesses?
Some folks like to show off their plug-ins (ironically there are plug-ins for this!), others would like to keep it private… especially those who monetize their sites.
Thanks for the explanation, BigNerd. I was hoping somebody would know. The whole gist of my comment was that everybody else’s panties were in a bunch, not mine!
I posted a more involved explanation as to why you should use -Indexes on my blog. Basically it comes down to the fact that it’s really a giant security risk.
Thank you for pointing this out. I had completely overlooked such a security issue.
Here‘s a another simple solution.
*phew* good catch! Mine was unsecure as well.. *patches it up*
Word to the wise: putting an empty index.php file in your /wp-content/plugins folder will mess with your dashboard (see here. Try an index.html file instead, or just do the .htaccess bit.
I did the index.php thing, but it looks like it’s bad, so…I’ma go ahead and change it to html i guess.
All I can say is that I was absolutely shocked at the search results. I shouldn’t be because I remember searching for social security numbers and credit card numbers in Google back around 2000 or 2001 just to see what came up and you’d be amazed how many comma delimited files or text files were out there publicly available with all customer and order data from poorly written shopping carts.
Baris:
That’s not a very good robots.txt
Why in the world would I want to do this?:
Disallow: /*.js$
Disallow: /*.css$
Disallow: /wp-content/
Disallow: /feed/
Disallow: /archives/
Disallow: /sitemap.xml
Disallow: */feed/
Disallow: */trackback/
Disallow: /page/
Disallow: /tag/
Disallow: /category/
That’s not good at all! It blocks about half your blog! Google is able to tell what content is on my site and knows it’s not copied like the guy worries about on his site.
May I request that future WordPress distributions have the .htaccess or index.html files built into each folder that needs to be locked down, especially the themes and plugins folders?
The best way is actually to just put
Options -Indexesinto the main root .htaccess file. That is enough, you don’t need it in every directory, just the main one. You also don’t need the “All” in the line of code, just turning off indexes will suffice.As for people not understanding why it’s bad: Consider that plugins are code and can have security flaws. If somebody can see the content of your plugins directory, they can find out the names of your plugins and execute them directly. Then they can go search for exploits for those specific plugins and hack your site that way. Without indexes, they can’t see what plugins you have and don’t know their filenames. So they have to try more generic methods to get in. Plugins, like any code you run on the site, can be a security risk, so hiding them even a little bit is helpful.
Mark,
Thanks for the heads-up. I had blank index.html files every place _except_ my plugins folder. ::slaps palm to forehead::
I looked at your robots.txt file and apparently you dont follow your own advice?, you have nothing blocked