WordPress Directory Listing Risk

Networking

Unix and Linux network configuration. Multiple network interfaces. Bridged NICs. High-availability network configurations.

Applications

Reviews of latest Unix and Linux software. Helpful tips for application support admins. Automating application support.

Data

Disk partitioning, filesystems, directories, and files. Volume management, logical volumes, HA filesystems. Backups and disaster recovery.

Monitoring

Distributed server monitoring. Server performance and capacity planning. Monitoring applications, network status and user activity.

Commands & Shells

Cool Unix shell commands and options. Command-line tools and application. Things every Unix sysadmin needs to know.

Home » WordPress

WordPress Directory Listing Risk

Submitted by Igor on June 11, 2009 – 11:36 pm4 Comments

A large number of WordPress directories do not have an index file. This is particularly dangerous in case of the plugins directory. If your server allows directory listings, a potential attacker may see which plugins you have installed. Most plugins have security vulnerabilities. One way of fixing this is by adding the following line to the .htaccess file in the Web server’s root (htdocs):

Options -Indexes

1	Options -Indexes

Another approach is to put an index file in each folder on your site that does not already have one. You can have this index file redirect the visitor back to the main page of your site. Create the /wp-content/index.html with 644 permissions and the following content:

<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.yourdomain.com">

1	<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.yourdomain.com">

Now you can create a link in all directories under wp-content pointing to this index file. Thus, if you need to change this file in the future, you only need to modify one file. The script below will help you create the links from the wp-content directory:

#!/bin/ksh

cd ${HOME}/public_html/wp-content

if [ ! -f index.html ]
then
        echo '<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.yourdomain.com">' > index.html
        chmod 644 index.html
fi

find . -type d | while read dir
do
        if [ `ls "${dir}" | egrep -c "index.html|index.htm"` -eq 0 ]
        then
                ln -s ${HOME}/public_html/wp-content/index.html "${dir}"/index.html
        fi
done

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

#!/bin/ksh

cd ${HOME}/public_html/wp-content

if [ ! -f index.html ]

then

echo '<meta HTTP-EQUIV="REFRESH" content="0; url=http://www.yourdomain.com">' > index.html

chmod 644 index.html

fi

find . -type d | while read dir

do

if [ `ls "${dir}" | egrep -c "index.html|index.htm"` -eq 0 ]

then

ln -s ${HOME}/public_html/wp-content/index.html "${dir}"/index.html

fi

done

stephen m

Say building a folder that has my index file, my php scripts, the works.

Do I need to install a special service so people can connect to my PC?
The Villain

Please help me to describe why the B+ tree structure is batter for the implementation of an indexed sequential file ?
tefa_96

My wordpress blog has been up for like a month.

Any SEO web pros out there have any ideas on how to get a baseball blog up on google? I created my wordpress blog through my hostgator server account, and its on my domains index file.
jag43216

Can anyone help me figure this out? Is there a simple way just by looking at the index file?

Event Log »

Dell Changes Up OpenStack Cloud Plans

In a major announcement from Dell yesterday, the company announced that its public cloud ecosystem and strategy will be centered on partners Joyent, ScaleMatrix and ZeroLag, and will emphasize recent acquisition Enstratius. The announcement represents …

Improving U.S. Weather Prediction With Petascale Supercomputing

Over at the Washington Post, Jason Samenow writes that an infusion of funding into the National Weather Service from Hurricane Sandy relief legislation promises to facilitate massive upgrades to key supercomputers, dramatically improving local, national, …

Your Cloud Provider Is Toast. Now What

Your cloud provider is great. Your cloud provider is cheap. Your cloud provider is out of business.
Now what do you do
If your favorite consumer cloud service goes out of business or simply feels it’s time …

Google and NASA Collaborate on AI Research With New Quantum Supercomputer

Google and NASA have teamed up to launch a new laboratory focused on advancing machine learning. The Quantum Artificial Intelligence Lab — hosted at NASA’s Ames Research Center in California — will contain a quantum …

Best Linux Tools for Enterprise Developers and Systems Administrators

It’s a testament to Linux’s ubiquity and versatility today that so many “best of” lists are published focusing on the free and open source operating system.
Just in the past few months here on Linux.com, for …

More articles »

Networking »

Fixing the mount.nfs: rpc.statd is not running Error

The rpc.statd service is used by NFS client to help it recover from loss of connectivity to the NFS server. When rpc.statd is not running, NFS is not able to handle remote file locking. You …

Red Hat: Changing Hostname and IP

Changing hostname and IP is frequently required when a server is being moved from testing or development to production. The process is a fairly simple one, but steps must be performed in a certain order to avoid complications.

More articles »

Applications »

Install Pflogsumm PostFix Log Summarizer

Pflogsumm is yet another log analyzer/summarizer for Postfix. It is written in Perl and has been around for a while. Very simple to install, so I writing this post mostly as a note to myself. …

Installing Sendmail Analyzer on RHEL/CentOS

The Sendmail Analyzer can be useful for visualizing your Sendmail/Postfix log. The commands below can be copy-pasted as root on default installations of RHEL and CentOS 5/6 with default Postfix and httpd. If your configuration …

More articles »

Data »

Filesystem Performance Testing Using dd

Below is a simple script to test filesystem read/write performance using dd with varying blocksize parameter. This can be useful for testing local filesystems as well as network-mounted filesystems. The end result will be a …

Quick BTRFS Test on OpenSuse 12.2

The recent announcement from Suse Enterprise Linux that Btrfs was production-ready raised some suspicions. The last time I tested btrfs (not very long ago) the primary issues were excessive CPU utilization and filesystem space that seemed to disappear into nowhere. So, as a quick test, I put together an OpenSuse 12.2 (3.4.6-2.10-desktop, OpenSuse 12.2) 64-bit VM (ESX) with one dual-core vCPUs, 4GB RAM, the OS disk and a 6GB striped LVM filesystem consisting of 4 4-GB virtual disks.

More articles »

WordPress Directory Listing Risk

Event Log »

Dell Changes Up OpenStack Cloud Plans

Improving U.S. Weather Prediction With Petascale Supercomputing

Your Cloud Provider Is Toast. Now What

Google and NASA Collaborate on AI Research With New Quantum Supercomputer

Best Linux Tools for Enterprise Developers and Systems Administrators

Networking »

Fixing the mount.nfs: rpc.statd is not running Error

Red Hat: Changing Hostname and IP

Applications »

Install Pflogsumm PostFix Log Summarizer

Installing Sendmail Analyzer on RHEL/CentOS

Data »

Filesystem Performance Testing Using dd

Quick BTRFS Test on OpenSuse 12.2

Monitoring »

openlava Quick Test

Filesystem Performance Testing Using dd

Commands & Shells »

Bash scripting: lists and random things

Fast IP Range Scanner in Bash

Editor

RSS Feeds

Most Commented

Popular Posts