Simonne of AllTipsAndTricks.com has posted a helpful tip for WordPress users. By default, the permissions on your WordPress directory are set up in a way that allows public viewing access. Like Simonne, I’m not sure what the practical use would be, except for those snooping around or those trying to figure out which plugins you have installed so that they can then look for vulnerabilities or exploits in those plugins to hack your site.
The fix is quite simple. You can do one of two things: change the permissions of that directory from 0755 to 0750, or upload a blank index.html file. When I set my plugin folder to 0750, some of my plugins decided to stop working, so I opted for option two. In fact, I added a redirect within my index.html page that redirects the browser to my homepage.
Here is the code I used in my index.html file if you would like to do the same.
UPDATE - Thanks to LGR for adding this in via the comments. You can simply add Options -Indexes to your .htaccess file. This will redirect anyone who is trying to view a folder index to your 404 error page without the need of creating empty index.html files. Thanks again LGR.
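An added example (not code from the original post, from LGR, or from WordPress): a Python audit that walks a web root and reports which directories are still open to browsing, counting a directory as closed if it holds an index file or if Options -Indexes is in effect from its own or a parent folder's .htaccess. It assumes the server enables Indexes by default, that AllowOverride lets .htaccess set Options, and the index file names listed in INDEX_FILES; the sample tree and the example-plugin name are constructed.

```python
import tempfile
from pathlib import Path

INDEX_FILES = ("index.html", "index.htm", "index.php")  # assumed DirectoryIndex names

def htaccess_indexes(directory):
    """True/False if directory/.htaccess switches Indexes on/off, None if silent."""
    try:
        lines = Path(directory, ".htaccess").read_text(errors="replace").splitlines()
    except OSError:
        return None
    state = None
    for line in lines:
        words = line.lower().split()
        tokens = words[1:] if words[:1] == ["options"] else []
        if "-indexes" in tokens:
            state = False
        elif "+indexes" in tokens:
            state = True
        elif tokens and not any(t[0] in "+-" for t in tokens):  # unsigned list replaces the set
            state = "indexes" in tokens or "all" in tokens
    return state

def exposed_dirs(root, server_default=True):
    """Relative paths of directories Apache would answer with a generated listing."""
    root, exposed = Path(root), []
    def walk(directory, inherited):
        own = htaccess_indexes(directory)
        enabled = inherited if own is None else own
        entries = sorted(directory.iterdir())
        if enabled and not any(e.name in INDEX_FILES for e in entries):
            exposed.append(directory.relative_to(root).as_posix())
        for e in entries:
            if e.is_dir() and not e.is_symlink():
                walk(e, enabled)
    walk(root, server_default)
    return exposed

def build_sample(root):
    """Constructed sample tree (not from the page): plugins/ fixed, its child not."""
    for d in ("wp-content/plugins/example-plugin", "wp-content/uploads/2008"):
        Path(root, d).mkdir(parents=True)
    for rel, text in (("index.php", ""), ("wp-content/plugins/index.html", ""),
                      ("wp-content/uploads/.htaccess", "Options -Indexes\n")):
        Path(root, rel).write_text(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(exposed_dirs(tmp))
```

On the sample tree the blank index.html covers only the plugins folder itself, so the plugin's own subfolder is still reported, while the single .htaccess line covers uploads and everything beneath it.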
8 thoughts on “I See Your WordPress Plugins”
If you are on an Apache server you can disable index browsing with one line in the .htaccess file on the root folder.
This means you don’t have to go around creating blank, orphaned index.html files all over the place and keeps people from snooping in other folders as well. I talk about it on my blog here: Disable Indexes using .htaccess
I used an index.php and included this code:
<?php // index.php: send anyone who requests this folder to the homepage
header( 'Location: http://your-domain.com' ); exit;
It’s an alternative to a META refresh.
Thanks for the tip LGR. Worked like a charm and is much simpler than the other methods described above.
Not a problem. It can save some time, especially when there are quite a few folders that need the indexes added. Plus, this also will log a 404 error in your log file, so you will know what IP address is snooping around.
Thanks for the tip… I just corrected this problem on my blog
No problem, the tip originally came from Simonne with my input added. Thanks for the Stumble submission.
Hmmmm… My host has a default 403 page… Fortunately it goes to that if it can’t find a resource (I’ve added some lines for Apache). Unfortunately though, it’s a horrible page with ads.