How to Protect Your WordPress Folders with Index File

January 26, 2008 by Gurmit Bal

WordPress is excellent free, open source software that you can use to publish your blog or website. As may be expected with any free software as popular as WordPress, there are always concerns that the security of your WordPress installation may be compromised. While 100% security of any software is not practical or feasible, here is an easy step that even a novice can take to protect the contents of their WordPress folders from prying eyes.


This is the easiest step that anybody, including a beginner, can take; yet I find a lot of websites that fail to take this simple precaution to protect the contents of a folder from prying eyes. For example, every WordPress installation has a folder named plugins where you install the various plugins that extend the functionality of WordPress. Many installations leave this folder unprotected. In such installations, if you (or a hacker) were to point your browser to
http://SomesiteWithUnprotectedPluginsFolder.com/wp-content/plugins you will see ALL the contents of this folder, as shown in the image below:
(Image: contents of unprotected plugins folder)
This happens because when there is no index file (such as index.php, index.htm, index.html, etc.) in a folder, the web server lists all the contents of that folder unless that folder is protected in some other way. Thus a hacker will readily know which plugins are installed on that site and may start working on a vulnerable one. If you have not protected your plugins folder, it’s highly recommended that you do so. Simply follow these steps:

  • Create a simple HTML file using any text editor, such as Notepad or whatever text editor you usually use, and save it as index.htm. If you don’t know how to create an HTML file, you can copy the sample below, starting from the top <html> tag to the bottom </html> tag (note that the quotes are plain straight quotes, not the curly quotes a word processor produces):
    <html>
    <head>
    <meta http-equiv="Content-Language" content="en-us">
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <title>Helpful Page</title>
    </head>
    <body>
    <p><b>Hello:</b><br />We couldn't find anything here! Click <a href="http://www.ihowsite.com">i How Site</a> to go to our home page and try finding it there.</p>
    </body>
    </html>
    In the above sample you should replace ihowsite.com with your own domain; otherwise anybody who clicks will end up on my site, not that I mind it :-)
  • Once you have created this HTML file, upload it (using FTP or your hosting control panel; whatever you usually use to upload files to your web server) to the WordPress plugins folder. If you installed WordPress in your root directory, the path will be /public_html/wp-content/plugins
  • Once you have uploaded the file, point your browser to the plugins folder and you should no longer see all of its contents. Instead you (or the hacker) will see the HTML file you created and uploaded. Click http://ihowsite.com/wp-content/plugins to see the above sample file in action on this site.
  • If you have created other folders on your blog or website (for example, you might have created an images folder) which do not have an index file, you can upload the same HTML file you created above to those folders, and the server will no longer display all the contents of those folders to the public. Instead the server will only display the HTML file.
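If you have shell access to the server, the manual steps above can be applied to every folder at once. The script below is an added example, not code from the original post: it audits a WordPress installation for directories under wp-content that have no index file, then drops a placeholder index.html into each one. The WordPress root path and the placeholder text are assumptions; adjust them for your site.

```sh
#!/bin/sh
# Added example, not code from the original post: put a placeholder index.html
# into every directory under wp-content that has no index file, so the web
# server serves that page instead of a directory listing. The WordPress root
# path and the placeholder text are assumptions; adjust them to your site.

# Return 0 if the directory already contains an index file of a common name.
has_index() {
  for f in index.php index.html index.htm; do
    [ -e "$1/$f" ] && return 0
  done
  return 1
}

# Write a minimal placeholder page (straight quotes; no domain hard-coded).
write_placeholder() {
  cat > "$1/index.html" <<'EOF'
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Nothing here</title></head>
<body><p>There is nothing to see in this folder.</p></body>
</html>
EOF
}

# Print every directory under <wordpress-root>/wp-content that lacks an index
# file, one per line. Useful on its own as an audit before changing anything.
find_unprotected() {
  find "$1/wp-content" -type d | while IFS= read -r d; do
    has_index "$d" || printf '%s\n' "$d"
  done
}

# Create a placeholder in each unprotected directory; print how many were made.
protect_all() {
  find_unprotected "$1" | while IFS= read -r d; do
    write_placeholder "$d" && printf '%s\n' "$d"
  done | wc -l | tr -d ' '
}

# Usage (after sourcing this file): find_unprotected /public_html   # audit
#                                   protect_all /public_html        # fix
```

Run find_unprotected first and review its output; a directory that is meant to be browsable (for example, a public downloads folder) can be excluded by hand before calling protect_all.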

It is important to remember that the above procedure is not foolproof; it’s still possible to figure out the contents of your folders. No procedure is 100% foolproof; the above procedure just makes it harder for people to figure out the contents of your folders. If somebody is bent upon hacking your site, they probably will find a way. But that’s no reason why you should not take steps such as the above to protect yourself as much as possible.

NOTE: It’s also possible to protect your folders through your hosting control panel. I’ll write about that some other time. The procedure outlined above is the simplest to implement.
