As I was working on the update to my blog theme, I found a security hole that I think has existed for a long time in WordPress. While not incredibly devastating, nor directly tied to “code” within WordPress, it is a hole that is very easy to fix. The concern is more with KNOWING the types of plugins that a particular site has, and then knowing if those plugins have security holes that can be exploited. A quick Google search reveals all sorts of things.
So, first to see if you are vulerable, try going to http://yourblogURLhere/wp-admin/plugins/ and if you see a directory listing of your plugins, you are NOT protected. (If you don’t see a listing, you might have a different path or have protected things already in some other way.) Depending on your server setup, most users can normally only view plugins. However, I would think there may be cases were things could be deleted or modified, but I haven’t heard of such. Just the fact that someone knows what plugins you have is concern enough for me.
To fix, that is easy; just cut, paste, edit and save the following code in a file called “index.htm” and put this file into your plugin directory:
<!DOCTYPE html PUBLIC “-//W3C//DTD XHTML 1.0 Transitional//EN” “http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd”>
<meta http-equiv=”Content-Type” content=”text/html; charset=UTF-8″ />
<title>Get out of my plugin folder!</title>
<meta http-equiv=”Refresh” content=”0;URL=http://blogURLhere” />
Get out of my plugin folder!
This page will simply redirect users to your main blog URL (be sure you change that text above). This is the LIGHTEST security ever and there are other things you can do to further protect your /wp-admin/* directory.
HTD says: Get secure!