Did you know that by default, the WordPress plugins folder is perfectly visible to anybody with an internet connection?
I don’t know what could be the use of such an information, but who am I to judge? I’m not a hacker after all.
Try to type in your browser http://www.yourdomain.com/wp-content/plugins and tell me what you think.
There are at least two ways of preventing this:
1. Create an empty index.html file and upload it in your plugins directory (tip sent by Pearl from Fresh-Perspectives.net, who also told me about this issue. More tips on WordPress security are available via Online Tech Tips). A very nice implementation of this solution can be seen at JohnCow.com.
2. In your ftp program, change permissions to the plugins folder from 0755 to 0750, thus denying public to be able to read your files. By doing this, curious readers will be shown your 404 page. If you use FireFTP, right-click on the folder, then select Properties, then change the figure in the next window and press OK.
Later update: following Jeff’s comment, I’d like to make an additional note: change only the permissions for the folder itself, not for its content. Otherwise, some of your plugins may not work properly anymore.
One-day-after update: one of our loyal readers, LGR, pointed to a third solution, which is by far the most elegant of all: Disable Indexes using .htaccess. Add a line to your .htaccess file: Option -Indexes, thus preventing browsing folders which don’t have an index file.
Can you guess whose plugins I’ve just seen before writing this post?
Interesting. I’ve now added an index.html which automatically redirects to the homepage. Changing the permissions to 750 actually broke some of my plugins.
I’ve gone ahead and added my index.html to my WP-Content/Themes folder as well.
Thanks Jeff. I changed permissions and my plugins are still OK (at least at first sight 😉 )
okay I need help 🙂 I am not able to change permissions to this folder… I see the box but it wont let me type over! am i missing something? i feel so dumb!
Instead of creating orphaned index.html files it is much easier to add one line in a .htaccess file in the root folder to prevent disable Apaches from returning the default index in the first place. This one line:
will stop everyone from browsing all the folders that don’t have an index.html file. I talk more about it on my blog here: Disable Indexes using .htaccess
I wasn’t able to change permissions to plugins folder so tried adding Options -Indexes and there is a warning at the top of the file saying I am not using utf-8 language file and saving data in utf-8 will give errors! Now I am completely frustrated 🙁 none of the options seems to be working for me! Im going to try their live support!
I protected my WP plugins folder a short while ago after reading Lucia’s post on the same subject at
which also suggested the far neater .htaccess solution outlined by LGR above. If you are making good use of your error pages it’s even better 🙂
LGR, thank you, yours is by far the most elegant solution. And we can take advantage of the error page, as Maurice suggests 😉
Pearl, in FireFTP, in that screen where you are supposed to change the figures, you can un-tick the options “read” and “execute” in the Public group.
No problem. I hope it helps people. It also logs the request as an error so people have a better idea who might be poking around. That can always be useful, because often it is the spammers snooping for a hole.
Yes, LGR, this discussion surely helped me in realizing that we should pay more attention to security.
Awesome. I was wondering about how to do that. I used the index.html thing and got an error in my dashboard, so I think I’ll try the permissions change. 🙂
Hi Jenny, you can also try the solution suggested by LGR in the comments here. It’s the best one.
Awesome. Came across this from Jeffro’s site (http://www.jeffro2pt0.com).
Very useful, since you never know.
Thanks for the heads up!
You are welcome, Mike, I’m glad you found this useful.
I had no idea that my plugins were showing! Thanks for the warning and the solutions.
Ha, ha! You are welcome, Misha.
I forgot about indexes on my site and have it now sorted.
Heres an alternative solution that you can do if you use Cpanel go to Index Manager and then click on public_html and set it to the No indexes option.
You will now be shown a 404 which you can customize if anyone trys to access a directory without an index page.
Hey, Get Camping, thanks for the tip. Too bad Dreamhost doesn’t have cPanel, they use their own software, which is quite different from cPanel. I’ll take a look to see if it works.