WordPress Security: blocking directory access


This is a very small security tip, but it’s worth the attention. I have been doing this for a while across all my blogs. I’m also very curious and often try this myself if I want to see the plugins a specific site might be using, and it’s alarming just how many sites/blogs don’t do this, especially some of the larger blogs.

When you install WordPress, nothing stops people from browsing any of your directories that have no index file. This means if someone browses to example.com/wp-content/plugins/ they will be able to see every plugin you have installed. The same goes for example.com/wp-content/themes/.

If you upload any zip or rar archives of custom themes/plugins, anyone can potentially find and download them.

This is where it can get sticky: if you use a database backup plugin, such as Lester Chan’s fantastic wp-dbmanager, to back up your database, the default location for backups is example.com/wp-content/db-backup/, and anyone can potentially download your blog’s database.

So what can you do to protect your directories from prying eyes? It’s incredibly easy. There are tons of methods you could use, but I’m just going to mention one, in my opinion the simplest.

If you have changed your permalink structure since installing WordPress, you should already have a .htaccess file in your blog’s root directory. If not, you can create a blank .txt file in Notepad, upload it to your blog’s root and rename it to .htaccess (or download the one at the end of this post).

If you have changed your permalinks, your .htaccess will look similar to this:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Simply add the following line below # END WordPress:

Options -Indexes

Now your .htaccess file will look like this:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Options -Indexes

Now if anyone tries to view one of your directories they will get a 403 Permission Denied error. You can then customise this; we have ours redirect to the main index.

If you created your own .htaccess, all you need in it is Options -Indexes. If you’re unsure, download ours.

For people with no .htaccess (don’t use this if you have changed your permalinks; follow the instructions above.)
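Once the line is in place, it is worth checking the result from the outside rather than assuming it worked. The script below is an added example, not part of the original post or of WordPress: it fetches the three directories mentioned above from your own site and reports whether Apache still serves a listing (EXPOSED), returns the 403 from Options -Indexes (BLOCKED), redirects (REDIRECTED), or serves a real index file (NO_LISTING). The directory names and the "Index of /" title it looks for are Apache's autoindex defaults; the base URL is whatever you pass in.

```shell
#!/bin/sh
# Added audit helper (constructed for this post, not from the original article).
# Checks whether your own WordPress install still serves Apache directory
# listings for the folders discussed above.  Usage: sh audit_dirs.sh https://example.com

# Classify one HTTP response.  STATUS is the numeric code, BODY_FILE the saved body.
# Prints EXPOSED, NO_LISTING, BLOCKED, REDIRECTED, or the raw status code.
classify_listing() {
  status="$1"
  body_file="$2"
  case "$status" in
    200)
      # Apache's autoindex page is titled "Index of /<path>".  A 200 without that
      # title means a real index file is there (the index.html/.php trick).
      if grep -qi '<title>Index of /' "$body_file"; then
        echo EXPOSED
      else
        echo NO_LISTING
      fi ;;
    403) echo BLOCKED ;;                     # what "Options -Indexes" gives by default
    301|302|303|307|308) echo REDIRECTED ;;  # e.g. a redirect to the main index
    *) echo "$status" ;;
  esac
}

# Fetch each directory named in the post without following redirects and
# classify the result.  Needs curl; the trailing slash is deliberate.
audit_site() {
  base="${1%/}"
  tmp=$(mktemp) || return 1
  for dir in wp-content/plugins/ wp-content/themes/ wp-content/db-backup/; do
    code=$(curl -s -o "$tmp" -w '%{http_code}' "$base/$dir") || code=000
    printf '%-24s %s\n' "$dir" "$(classify_listing "$code" "$tmp")"
  done
  rm -f "$tmp"
}

if [ -n "${1:-}" ]; then
  audit_site "$1"
fi
```

BLOCKED or NO_LISTING only means the file names are hidden; a backup sitting at a guessable path under db-backup/ is still downloadable by direct URL, so keep such files out of the web root or deny access to that directory as well.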

5 Responses to “WordPress Security: blocking directory access”

  1. Michael Castilla

    Oh interesting method. I’ll look into this for the new version of WPCandy.

    Thanks for sharing.

  2. Arpit jacob

    A bit late, but thanks. I put that line in the .htaccess 2 days back. The stupid thing is I had the “Options -Indexes” in my .htaccess; it’s just that I forgot to put it again when I moved hosts :(. Bad luck I guess. But no worries, the theme that got stolen was an old code base.

  3. Carlos

    Thanks for the tip!

  4. Matrich

    Thanks so much for the tip. I had spent some time looking for a way of protecting it and I had thought of just changing the rights, but that also gave me problems.

    I have also browsed many of the blogs I often read and it is really true that most people haven’t protected their blogs.

  5. welove75

    @Arpit; that’s very annoying, although you have handled it very well.

    @Carlos; no problem

    @Matrich; There’s lots of ways it can be done, another is placing an index.html/.php in each directory, but the method we posted is much easier.

    It is alarming the amount of blogs that either don’t do it or just aren’t aware of it. It might be something WordPress could add to a future release?
