Before I start, this was highlighted by Becky at preblogging.com. Thanks Becky, for publicly announcing a security hole on my blog! Ah no, it's good to know these things, and good to see people have the courtesy to look out for you and take the time to help you 😀
Basically, when you install WordPress, the 'wp-includes' and 'wp-content' folders are left open to everyone by default, so anyone can browse their directory listings. Go ahead, try it.
Type 'http://www.blognamehere.com/wp-content' and see how many blogs have it unprotected. I'm sure you'll find a few.
'wp-admin' is obviously password protected, as that's how you access your dashboard and write posts etc.
Becky suggests fixing this issue by adding a blank index.html file into each of those folders. Whilst a blank index file does help, it's not ideal: it only hides the listing for that one folder, and any subfolder without its own index file is still browsable, so I could, for example, access wp-content/plugins/pluginname and gain some sort of information from that.
Basically, by default, anyone can access any file directly by typing its location as a URL. As WordPress uses standard folder names (wp-admin, wp-content, wp-includes), it's actually pretty easy to guess where certain plugins or other folders live, so if any of us can access this sort of data, it can obviously be lethal in the wrong hands/minds.
I remembered vaguely reading about this on Digg a while back, and sure enough, after a bit of browsing, I came across this article, which has 800 diggs. Notice the date: Jan 16th '07. I was back from Barcelona on the 17th, so I must have read it and forgotten all about it, as I had other stuff to catch up on that week.
Anyway, thanks to Becky reminding me about this, I've finally secured my folders 😎 Here's a better way to do things, to maximise security:
- Create a new file called .htaccess, place it in the ‘wp-admin’ folder.
- Add the following code:
# Apache 2.2 access control: deny everyone, then allow only the listed addresses
# (on Apache 2.4 the equivalent is a single "Require ip" line)
AuthName "Example Access Control"
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
Allow from xx.xx.xx.xx
- Substitute xx.xx.xx.xx with your own IP address (you can get it here).
- Save and make sure everything is still working.
That means nobody but you, and no computer but your computer, can access any hidden blog details. You can of course edit/remove that .htaccess file via FTP if you're on holiday or something and need to log in to your blog from a foreign IP.
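As an added example (not code from the post, from Becky, or from WordPress), here is a small POSIX shell script that generates that wp-admin .htaccess from a list of IP addresses, checking each one is a well-formed IPv4 address first so that a typo in the list can't silently lock out the wrong people. It writes the Order/Deny/Allow form used above for Apache 2.2 and the equivalent `Require ip` form for Apache 2.4, which does not understand the old directives unless mod_access_compat is loaded. The function names, the temporary directory and the two sample addresses (taken from the documentation ranges) are all constructed for this example.

```shell
#!/bin/sh
# Added example: build a wp-admin .htaccess that limits access to known IPs.

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
  case "$1" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digits, leading/trailing/double dots
  esac
  old_ifs=$IFS; IFS=.
  set -- $1                             # split on dots into positional params
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Write $1/.htaccess allowing only the IPs given as remaining arguments.
# Refuses to write anything if an address is malformed. Prints the path.
write_admin_htaccess() {
  dir=$1; shift
  [ $# -gt 0 ] || { echo "no IPs given" >&2; return 1; }
  for ip in "$@"; do
    valid_ipv4 "$ip" || { echo "bad IP: $ip" >&2; return 1; }
  done
  out="$dir/.htaccess"
  {
    echo "# Restrict wp-admin to the listed addresses"
    echo "<IfModule !mod_authz_core.c>"   # Apache 2.2: mod_authz_core absent
    echo "  Order Deny,Allow"
    echo "  Deny from all"
    for ip in "$@"; do echo "  Allow from $ip"; done
    echo "</IfModule>"
    echo "<IfModule mod_authz_core.c>"    # Apache 2.4: Require-based syntax
    echo "  Require ip $*"
    echo "</IfModule>"
  } > "$out"
  echo "$out"
}

# Constructed demo: write into a scratch directory and show the result.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/wp-admin"
write_admin_htaccess "$demo_dir/wp-admin" 203.0.113.10 198.51.100.7 \
  && cat "$demo_dir/wp-admin/.htaccess"
rm -rf "$demo_dir"
```

Point the script at your real wp-admin directory and your own address(es) instead of the scratch directory; keep the old file around until you have confirmed from an allowed address that the dashboard still loads, and from another address (or a phone on mobile data) that it returns 403.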
Alternatively, if that sounds too tricky or you're constantly on different IPs, you can add a single line to your main .htaccess file:
That will do the same job, more or less.
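The post's own one-liner did not survive here, so as an added example (not the post's line, and not WordPress code) the script below assumes the intended effect is to stop Apache generating directory listings, which is what the `Options -Indexes` directive does. It adds that directive to the main .htaccess only if it is not already there, so running it twice is harmless, and it also lists which of the standard WordPress folders would still be listable on their own (no index file and no .htaccess of their own), which is the gap in the blank-index.html approach discussed above. The function names and the scratch directory are constructed for the example.

```shell
#!/bin/sh
# Added example: disable directory listings site-wide and audit the folders.

# Append "Options -Indexes" to the .htaccess at $1 unless it already carries
# an Options line with -Indexes. Creates the file if it does not exist.
ensure_no_indexes() {
  file=$1
  if [ -f "$file" ] && grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$file"; then
    return 0                              # already covered, nothing to do
  fi
  printf '%s\n' 'Options -Indexes' >> "$file"
}

# Print the standard WordPress folders under root $1 that have neither an
# index file nor their own .htaccess, i.e. the ones a blank index.html
# approach would have to cover one by one. (A parent .htaccess with
# -Indexes protects them anyway; this only shows the per-folder state.)
listable_dirs() {
  root=$1
  for d in wp-content wp-content/plugins wp-content/themes wp-includes; do
    [ -d "$root/$d" ] || continue
    if [ ! -f "$root/$d/index.php" ] && [ ! -f "$root/$d/index.html" ] \
       && [ ! -f "$root/$d/.htaccess" ]; then
      echo "$d"
    fi
  done
}

# Constructed demo: a fake WordPress root with one folder already covered.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins" "$demo/wp-includes"
: > "$demo/wp-includes/index.php"
echo "Folders still listable on their own:"
listable_dirs "$demo"
ensure_no_indexes "$demo/.htaccess"
ensure_no_indexes "$demo/.htaccess"       # second call is a no-op
cat "$demo/.htaccess"
rm -rf "$demo"
```

Note that `Options` inside .htaccess only takes effect if the server's configuration grants `AllowOverride Options` (or `All`) for that directory; on a host that does not, the line is silently rejected with a 500 error for the whole site, so check the blog still loads straight after adding it.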
Hope that helps some of you guys. It's certainly a security flaw, and I guess you'd be kicking yourself if you knew about this and a few weeks/months down the line paid the price by being hacked. So if you didn't know about this until now, make sure you get your folders protected.