WordPress: People can view your Plugin Folder unless you fix!

As I was working on the update to my blog theme, I found a security hole that I think has existed for a long time in WordPress. While not incredibly devastating, nor directly tied to “code” within WordPress, it is a hole that is very easy to fix. The concern is more with KNOWING the types of plugins that a particular site has, and then knowing if those plugins have security holes that can be exploited. A quick Google search reveals all sorts of things.

So, first to see if you are vulnerable, try going to http://yourblogURLhere/wp-admin/plugins/ and if you see a directory listing of your plugins, you are NOT protected. (If you don’t see a listing, you might have a different path or have protected things already in some other way.) Depending on your server setup, most users can normally only view plugins. However, I would think there may be cases where things could be deleted or modified, but I haven’t heard of such. Just the fact that someone knows what plugins you have is concern enough for me.

The fix is easy: copy, edit and save the following code in a file called “index.htm” and put that file into your plugin directory:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Get out of my plugin folder!</title>
<meta http-equiv="Refresh" content="0;URL=http://blogURLhere" />
</head>
<body>
Get out of my plugin folder!
</body>
</html>

This page will simply redirect visitors to your main blog URL (be sure to change the blogURLhere placeholder above to your own address). This is the LIGHTEST security ever, and there are other things you can do to further protect your /wp-admin/* directory.
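As an added check (my code, not the post’s), the script below generates the same index.htm with the blog URL escaped, and tests whether a directory on your own site still returns a server-generated listing. It assumes the “Index of /” title that Apache and nginx put on auto-generated listings, and it also checks /wp-content/plugins/, the directory where WordPress installs plugins, alongside the path named in the post.

```python
import html
import re
import urllib.error
import urllib.request

# Assumption: an auto-generated Apache/nginx listing is titled "Index of /...".
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s*/", re.I),
    re.compile(r"<h1>\s*Index of\s*/", re.I),
)

def looks_like_listing(body: str) -> bool:
    """True if an HTML body looks like a server-generated directory listing."""
    return any(marker.search(body) for marker in LISTING_MARKERS)

def redirect_page(blog_url: str) -> str:
    """Build the index.htm from the post; the URL is escaped so an odd
    character in it cannot break out of the content attribute."""
    url = html.escape(blog_url, quote=True)
    return (
        '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
        '"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n'
        '<html xmlns="http://www.w3.org/1999/xhtml"><head>\n'
        '<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />\n'
        '<title>Get out of my plugin folder!</title>\n'
        f'<meta http-equiv="Refresh" content="0;URL={url}" />\n'
        '</head><body>Get out of my plugin folder!</body></html>\n'
    )

def directory_exposed(url: str, timeout: float = 10.0) -> bool:
    """Fetch one directory URL on your own site; True when a listing comes back.
    A 403 or 404 means the server refused or hid the directory, which is fine."""
    req = urllib.request.Request(url, headers={"User-Agent": "listing-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError:
        return False
    return looks_like_listing(body)

# Constructed sample of an exposed listing (not captured from any real site).
SAMPLE_LISTING = (
    "<html><head><title>Index of /wp-content/plugins</title></head><body>"
    '<h1>Index of /wp-content/plugins</h1><a href="../">Parent Directory</a>'
    '<a href="example-plugin/">example-plugin/</a></body></html>'
)

if __name__ == "__main__":
    for path in ("/wp-admin/plugins/", "/wp-content/plugins/"):
        exposed = directory_exposed("http://yourblogURLhere" + path)
        print(path, "EXPOSED" if exposed else "ok")
```

Run it against your own blog (replace yourblogURLhere); any path reported EXPOSED is where the index.htm, or a server-side directory-listing setting, is still missing.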

HTD says: Get secure!

1 Response

  1. Hey Dude,

     This is a really easy and great way to safeguard our plugins directory.
     Thanks for this great idea.

About HighTechDad

Michael Sheehan (“HighTechDad”) is an avid technologist, writer, journalist, content marketer, blogger, tech influencer, social media pundit, loving husband and father of 3 beautiful girls living in the San Francisco Bay Area. This site covers technology, consumer electronics, Parent Tech, SmartHomes, cloud computing, gadgets, software, hardware, parenting “hacks,” and other tips & tricks.