Internet Marketing for Shy People

"...and now, back to our regularly scheduled programming..."



Is YOUR WordPress blog open and inviting thieves? Hat tip to Nicky510

by Barbara



Morning!

Last week, I wrote the article Is your WordPress blog naked? which described how the default WordPress installation leaves your /plugins and /themes directories open and just shrieking to be invaded.

Alert reader Crow from the hilariously funny Nicky510 just contacted me this morning with the following shockingly commonsensical observation:

"I just slowly realized something. You wrote how anyone can view your plug-ins unless you do something about it? Well, it occurred to me that they can also view anything at all, assuming they can guess the right subdirectory name. Like "images" or "zips", for instance. Then they get all your stuff at a glance (or a grab). I’m adding blank index.html pages to all my subdirectories."

Let me tell you, it’s amazing what you can find that’s so unsecured online! Are your blog and directories just as open?

Hmmmm? 

If so, fix it now! Another solution is to manually add the following line to your .htaccess file:

Options -Indexes

That will take care of any new directories you might create in the future as well.
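
An added example, not from the original post: a Python audit that walks a site's document root and lists the directories Apache would serve as a file listing, comparing the blank-index approach with `Options -Indexes` inherited from a parent `.htaccess`. The index file names, the `server_default` parameter and the sample tree are assumptions, and it assumes the host honours `Options` in `.htaccess`.

```python
import os, re, tempfile

INDEX_FILES = {"index.html", "index.htm", "index.php"}  # assumed DirectoryIndex list
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+)$", re.IGNORECASE)

def indexes_setting(path):
    """True/False if this .htaccess switches Indexes on/off, None if it is silent."""
    state = None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = OPTIONS_RE.match(line)
            toks = m.group(1).split() if m else []
            if any(t[0] in "+-" for t in toks):   # relative form: only +/-Indexes matters
                for t in toks:
                    if t[1:].lower() == "indexes":
                        state = t[0] == "+"
            elif toks:                            # absolute form replaces every option
                state = any(t.lower() in ("indexes", "all") for t in toks)
    return state

def audit(root, server_default=True):
    """Return sorted relative paths of directories that would show a listing."""
    root, inherited, exposed = os.path.abspath(root), {}, []
    for dirpath, _dirs, files in os.walk(root):   # top-down, so parents come first
        state = inherited.get(os.path.dirname(dirpath), server_default)
        if ".htaccess" in files:
            own = indexes_setting(os.path.join(dirpath, ".htaccess"))
            state = state if own is None else own
        inherited[dirpath] = state
        if state and not INDEX_FILES & set(files):
            exposed.append(os.path.relpath(dirpath, root))
    return sorted(exposed)

def build_sample(root):
    """Constructed sample tree using the directory names mentioned in the post."""
    for d in ("wp-content/plugins", "wp-content/themes", "images", "zips"):
        os.makedirs(os.path.join(root, d))
    open(os.path.join(root, "index.php"), "w").close()
    open(os.path.join(root, "images", "index.html"), "w").close()  # blank index file

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        before = audit(root)                      # only images/ is covered so far
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        return before, audit(root)                # the root rule covers every subdirectory

if __name__ == "__main__":
    print(demo())
```

Run `audit()` against your own document root; a subdirectory `.htaccess` containing `Options +Indexes` turns listings back on for that branch, and the audit reports it.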

And if you haven’t done so yet, do swing by Nicky510 – not only are the comics insightfully hysterical, but the newsletter SITIS (stuff I think is nifty, I being the author Crow, not I, being Barbara Ling, writer of this post, because I, Barbara….) is also very engaging. It’s definitely something that starts your day off right!

Enjoy,

Barbara Ling


{ 8 comments… read them below or add one }

Cath Lawson, July 21, 2008 at 7:21 pm

Hi Barbara – Thanks for this.  Someone had been getting into my blog because they’ve tried to change the password a couple of times.  I’ve submitted this to Digg, so that others will get to know about it.


Barbara Ling, Virtual Coach, July 21, 2008 at 7:56 pm

Thanks so much!  Your comment gives me an idea about a followup post – stay tuned for tomorrow! 

Thanks for stopping by, Barbara


Evelyn Lim | Attraction Mind Map, July 22, 2008 at 9:36 am

Hey, Barbara!  This is very useful info for me!

Thanks,
Evelyn


Barbara Ling, Virtual Coach, July 22, 2008 at 9:42 am

Glad you enjoy it!  This week, I’ll be taking that kind of information to the limit…stay tuned! 

Thanks for stopping by, Barbara


Glenn Palmer, July 22, 2008 at 6:01 pm

Seems obvious after the fact, doesn’t it? Security through obscurity doesn’t work if almost everyone has the same directory structure.


Barbara, July 22, 2008 at 7:03 pm

I certainly agree with you there!

Thanks for stopping by, Barbara


Phil, August 5, 2008 at 1:04 am

This is good info that I will pass on to my users as well, however… A good host would have had directory listings turned off by default. Hosts need to learn to secure their servers better even if it makes it harder for the average user to do things. A hardened server will not display a list of files if it is secured properly.
~Phil


Barbara, August 5, 2008 at 5:16 am

Very true.

Thanks for stopping by, Barbara

