WordPress Security Tip
December 30th, 2008
I’ve been catching up on the WordPress Weekly Podcasts lately and while I was listening to one of the first shows I came across a nice security tip. Place empty index.php files in all directories that don’t already have an index file. Directories like the /wp-content/plugins folder could be dangerous in the hands of hackers if one of the plugins you use has a security flaw. By obscuring the folder’s contents you make it just a little harder for hackers to cause you problems.
I went about creating these empty index files on my site, but soon discovered that there are hosts of folders that could use them (think about the date structure in /wp-content/uploads ). Then I remembered another tool: .htaccess. Add this line to your .htaccess file to keep the files in any directory from being listed (this works on any site whose server supports .htaccess, by the way, not just WordPress blogs).
IndexIgnore *
Really simple, I know, but I thought I’d share it all the same.
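An added example (my own, not from the post or from WordPress) that automates the first tip above: a POSIX shell function that walks a site tree and drops a stub index.php into every directory that has no index file, so the uploads date folders get covered without hand-creating each one. The stub body mirrors the comment WordPress itself ships in wp-content/index.php; the function name and the sample paths are assumptions.

```shell
#!/bin/sh
# add_index_stubs ROOT
# Creates an output-free index.php in every directory under ROOT that lacks
# an index file, so a request for the bare directory URL gets an empty page
# instead of a listing. Prints the path of each file it creates.

# has_index DIR: succeeds if DIR already has a common index file.
has_index() {
    for f in index.php index.html index.htm; do
        [ -e "$1/$f" ] && return 0
    done
    return 1
}

add_index_stubs() {
    root="$1"
    # find emits one directory per line; read -r keeps names with spaces intact.
    find "$root" -type d | while IFS= read -r dir; do
        if ! has_index "$dir"; then
            # Same stub WordPress ships in wp-content/index.php: valid PHP
            # that emits nothing, so the server answers with an empty 200.
            printf '<?php\n// Silence is golden.\n' > "$dir/index.php"
            printf '%s\n' "$dir/index.php"
        fi
    done
}
```

Running it a second time creates nothing, since every directory then has an index file; existing index files are never overwritten.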

January 1st, 2009 at 11:08 pm
what about in the wp-admin folders?
wp-admin/css folder has no index.php file in it
January 1st, 2009 at 11:13 pm
Hi Miroslav,
Good question. If you look at my wp-admin/css folder you can see that no files are listed.
http://itsananderson.com/blog/wp-admin/css/
I didn’t even know that there was no index.php file there until you pointed it out, but the .htaccess trick took care of things for me
Cheers!
January 1st, 2009 at 11:31 pm
Thanks for the tip! There is also another method to accomplish the same thing using .htaccess – add the line Options -Indexes to turn off directory listings completely.
If someone does try to look at the contents of a directory by going to http://www.domain.tld/foldername/, they are presented with a 403-Forbidden error.
January 1st, 2009 at 11:38 pm
Hey Kim,
You have a good point there. The reason I would still use IndexIgnore though is that it’s just a little bit more friendly (doesn’t contain the word “Error”).
Of course if you were to create a custom error page with something like this in your .htaccess:
ErrorDocument 403 /errors/forbid.php
Then you just place a helpful message in /errors/forbid.php. Make sure you actually change the status to 200 as well or browsers like IE and Chrome won’t display the page.
<?php header("HTTP/1.0 200 OK"); ?>
Cheers!