Two Ways To Hide Your Secrets from Google (and Everyone).

You don’t have any secrets? No secret nude photos directory? No directory of your plots to take over the universe? No . . . WordPress plugins that scream “I post paid links?”

Well, remember that there are people who like to report paid links to Google’s snitch service. Some may know enough to load your plugin folder by typing http://yourpaidlinkblog.com/wp-content/plugins/ into their browser.

If they do, will they see a list of all your plugins?

What’s bad about letting Google snitches see this list?

Well, if you’ve got the “wrong” kind of plugin, the snitch may report you to Google for taking paid posts! (And the snitch is probably correct about the paid links. After all, why else have you installed AutoPaidLinkInsertion.php?)

Google may or may not spank your Page Rank for this, but your advertisers would probably prefer Google didn’t know you were selling paid ads. (And hey, who knows? If the word gets out, some advertisers may start checking your plugins folder to figure out if Google is likely to know you are a link farm. Hiding this list could mean more money for you.)

So, maybe you’d like to prevent snoops and snitches from seeing that list of files?
Here are two easy ways to do it:

  1. Upload an index.html file to wp-content/plugins. This will hide the file list in /wp-content/plugins. However, you may need to repeat this when you upgrade WordPress. Also, you won’t hide the listing in any other folders. That may not bother you, unless you are storing something you’d rather keep under wraps.
  2. Add one or two lines to the .htaccess file. Modifying .htaccess in the root directory can keep snoops from viewing listings in every directory on your site. If you think these snoops don’t exist, read Voyeur Heaven, which I discovered while Stumbling. Obviously, people snoop for many reasons, including industrial espionage, curiosity, and a desire to find porn.

How to modify the .htaccess file

Now, visit your web site using ftp. Find the ‘.htaccess’ file; the ‘dot’ in front is important. Now insert these two lines at the end of the file.

#prevent people from viewing directory listings
Options -Indexes

The first line is an optional comment. The second line prevents people from reading the list of all files when they request a directory that doesn’t include an ‘index.php’ or ‘index.html’ file.

Now, save. Then visit your blog to make sure the blog loads. If it doesn’t, fix the .htaccess file immediately.

You’re done!

From now on, no one can search Google for ‘index.php’ and discover stuff you might not wish them to see. Click to see how well it worked for me: http://money.bigbucksblogger.com/wp-content/plugins/.
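To confirm which of the two fixes is actually in effect for each folder, a check like the following can be run against your own blog. It is an added example, not part of the original post; the host `blog.example`, the sample responses and the directories other than wp-content/plugins are constructed assumptions.

```python
import re
import sys
import urllib.error
import urllib.request

# Apache's generated listing pages are titled "Index of /<path>".
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

def classify(status, body):
    """Map one HTTP response for a directory URL to a verdict."""
    if status == 200 and LISTING_RE.search(body):
        return "listing-exposed"      # neither fix is in place
    if status == 200:
        return "index-served"         # method 1: an index file answers
    if status in (403, 404):
        return "listing-blocked"      # method 2: Options -Indexes or a host equivalent
    return "unknown"

def fetch(url, timeout=10):
    """Fetch a URL and return (status, first 64 KiB of body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def audit(base_url, dirs, fetcher=fetch):
    """Check each directory under base_url; returns {dir: verdict}."""
    base = base_url.rstrip("/")
    return {d: classify(*fetcher(f"{base}/{d.strip('/')}/")) for d in dirs}

# Constructed sample responses (not captured from any real site).
SAMPLE = {
    "https://blog.example/wp-content/plugins/":
        (200, "<html><head><title>Index of /wp-content/plugins</title></head>"),
    "https://blog.example/wp-content/themes/": (200, "<html><body></body></html>"),
    "https://blog.example/wp-content/uploads/": (403, ""),
}
DIRS = ["wp-content/plugins", "wp-content/themes", "wp-content/uploads"]

def sample_fetcher(url):
    """Offline stand-in for fetch() that answers from SAMPLE."""
    return SAMPLE.get(url, (404, ""))

if __name__ == "__main__":
    # With an argument, audit your own site; without one, run the offline sample.
    if len(sys.argv) > 1:
        report = audit(sys.argv[1], DIRS)
    else:
        report = audit("https://blog.example", DIRS, sample_fetcher)
    for d, verdict in report.items():
        print(f"{verdict:16} {d}")
```

Note that `Options -Indexes` only suppresses the generated listing: a file whose exact URL is already known is still served, so anything truly private needs an access rule or a location outside the web root.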

19 Responses to “Two Ways To Hide Your Secrets from Google (and Everyone).”

  1. Oh dear, just when I thought everything was going fine I find this post which makes me paranoid! I’m going to have to check it out on my own blog now as I’m pretty sure that mine will be exposed by default! Thanks for the tip!

  2. Nita K says:

    Thanks. Good one.

  3. Shame on you for telling the world where I keep my secret stash of top shelf material :-)

    Seriously, I had no idea about this vulnerability and I don’t suppose most WordPress users do. Another little “to do” later today and a helpful tip for us all. Thanks.

  4. S Peterson says:

    Hi, Lucia
    Thanks for this tip. My blog has been down twice in the last two months, the second time for three days. I have a lot of (unused) stuff in my plugins directory, that I suppose could give offense. My (unbackedup) theme was destroyed, which I suppose is an index file and therefore not directly vulnerable to hacking the plugins directory.

    Anything you have on protecting one’s hacked theme would be great!

  5. lucia says:

    @S,
    The main way I know to protect a theme is to back it up regularly. If your concern is hackers getting in, you can set up a backup directory and just periodically copy your whole WP folder into that directory. Then, insert an htaccess to keep the contents of that directory private.

    If you are worried about your ISP getting weird, you need to back up to your home machine. You’ll definitely want to zip everything if you are doing that.

  6. Helio says:

    Thanks Lucia

    Very good tips.
    Keep up the good work

    Cheers
    Helio from Sweden

  7. S Peterson says:

    Lucia,
    On .htaccess modifications, my (large scale) web host seems to have that blocked for everyone. What I do is send a brief message to support to request the modification to .htaccess. They do it within twelve hours, no problem. If I’ve typed the modification correctly, it always works. Yet when I try to see .htaccess, the file is still blank.
    I guess it’s another email to Support to ask them to reproduce for me what’s in the file.

  8. Helio says:

    Another simple question Lucia.

    Can we exchange links? :)
    I have added you on my blogroll.

    Thank you in advance

    Helio

  9. Lucia says:

    @S Peterson: Ask your host if they can set your .htaccess files to be visible.

    Strangely, mine are visible if I use Dreamhost’s WebFTP, but not if I use fetch. I don’t know why. I can usually ask Dreamhost to make it visible in fetch, it stays that way for a while, and then changes back! So, I just fiddle with .htaccess from their WebFTP.

  10. Lucia says:

    @Helio,
    Sorry, but I only link to blogs in languages I can read, which means English, French and Spanish. My father-in-law spoke Swedish when he was little, but even he can only understand a little.

  11. Helio says:

    Thank you anyway Lucia
    My site is about Swedish history.
    I have added you anyway, because tips like this are like gold.

    Keep up the good work

    Helio

  12. Helio says:

    I have another question for you Lucia..

    I’m having difficulties getting indexed by Google. Any ideas how to get indexed quickly?
    What do you think about linksexchange?

    Thanks again

    Helio

  13. Lucia says:

    Helio,
    We need to get you on topic links. I have too many ideas for comments. I’ll write a post!

  14. Vlad says:

    That is a great solution, Lucia!

    But both can be useful; some hosts do not allow you to touch your .htaccess file.

  15. Lucia says:

    Yes. If you can’t touch .htaccess, you need another solution. One could be to redirect any attempts to visit the plugin/index folder to the main blog. Your solution is also good.

  16. Jenny says:

    Awesome. It works!!

  17. What were the parents thinking? Did they read the baby names book wrong….guess they had eyesight problems too.

    I know you have Linky Love installed, but surprised you let that one through Lucia ;-)

  18. Lucia says:

    @Maurice.. I sure got a bunch of interesting names through last evening. . .

    This week, I’ve been updating plugins. When I hit LLL, I plan to add something to let me review every comment that hit “3” matching so I can at least see if advertisers are coming back three times. (Usually, they don’t!)

  19. Kristina says:

    Thanks for this! I was trying to look for a way to keep people from getting to the source images of my nextgen flash galleries, and this works like a charm.

    I used the .htaccess method, and it immediately shows a 404 error instead of the list and links to the image files when the gallery folders are directly navigated to :-D
