WordPress Site Security

No, this isn’t a post about a security issue with WordPress itself, but about the naivety of hosting your own WordPress site (or potentially other sites/CMSs) and leaving directory listings visible. The post that explains this further can be found at Web Log Tools Collection.

Simply put, if visitors can view the directory listing of your WordPress plugins (or those of whichever CMS/blog platform you’re using), they could determine whether any of your plugins has an exploit and could try it out on your site, potentially causing a major security risk. Whilst we would all prefer not to have any security holes in our sites or plugins, by using third-party software and add-ons you take that risk, as you’ve neither created nor checked the code yourself. Also, most plugins are updated often, but plenty of people don’t upgrade their plugins once they’ve got them installed and running. I believe there’s a popular request for the next version of WordPress to have a plugin update checker or automated upgrade. That would be pretty handy.

So anyhow, if you don’t have directory listings forbidden on your website, I’d recommend you have a read of the post and at least put a blank index.html file into each directory that could be viewed and compromised, or add the line suggested to the .htaccess file.

I’ll admit I was naive to this and am now updating all my sites!!
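
One way to carry out the blank index.html step across a whole site, as an added example that is not from the original post or the linked article. It assumes a POSIX shell on the web host; the script name and the `INDEX_NAMES` list are illustrative and should match your server's default-page names.

```shell
#!/bin/sh
# Added example: find directories under a web root that have no index file
# (and so may show a listing), and optionally drop a blank index.html in each.
# Assumption: INDEX_NAMES matches what your server treats as a default page.
INDEX_NAMES="index.html index.htm index.php"

# Succeed if directory $1 already contains one of the index files.
has_index() {
    for name in $INDEX_NAMES; do
        [ -f "$1/$name" ] && return 0
    done
    return 1
}

# Print every directory under $1 (including $1) that has no index file.
list_unprotected_dirs() {
    find "$1" -type d | while IFS= read -r dir; do
        has_index "$dir" || printf '%s\n' "$dir"
    done
}

# Create an empty index.html in each unprotected directory under $1.
# Existing index files are left alone. Prints the number of files created.
add_blank_indexes() {
    list_unprotected_dirs "$1" | while IFS= read -r dir; do
        : > "$dir/index.html" && printf '%s\n' "$dir"
    done | wc -l | tr -d ' '
}

# Run directly as: sh audit-indexes.sh /path/to/wp-content [--fix]
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--fix" ]; then
        echo "created $(add_blank_indexes "$1") blank index.html file(s)"
    else
        list_unprotected_dirs "$1"
    fi
fi
```

On Apache, the `Options -Indexes` directive turns listings off for every directory at once, including ones created later, which blank files cannot do. Either way the plugin files remain reachable by direct URL, so hiding the listing complements keeping plugins updated rather than replacing it.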

2 Responses

  1. Will says:

    After reading this, I just thought I should check my plugins directory. Just as well because it was just listing the directory contents!

    Why the heck don’t the directories have a default web page?!

    Anyway, thanks for the heads up!

  2. Sarah says:

    Hey Will, it did make me wonder about not having a blank index file in there, even phpBB has those!