Hiding the plugins directory from public

  • I noticed a lot of accesses to wp-content/plugins in my apache logs, and sure enough, this directory is browsable to the world.

    Is this a security problem? It doesn’t exactly make me feel warm and cozy.

    Putting a .htaccess here is going to confuse a lot of plugins, I expect.

    I protected it sort of by placing an index.html file in that dir, but that won’t prevent direct access to plugins for people who know the path.

    What’s the right solution?

    Thanks.

Viewing 14 replies - 1 through 14 (of 14 total)

  • You’re probably just seeing the traffic – if plugins are used on your site, they are called when someone uses your site/feature.
    Only a logged in admin can see the actual plugins in admin. Everyone else is redirected to the login/subscribe page.

    Only a logged in admin can see the actual plugins in admin

    While that’s true, the OP’s concern is this:
    https://comeuphither.com/blog/wp-content/plugins/

    Ahh – I see – thanks Moshu.
    I provide a much easier link on my site, though. :>)
    https://www.comeuphither.com/plugins

    Can’t you stop this by using an index.php file in there with whatever you choose to use for a message?

    And in fact, I just tried it, it works fine…. I think from remembering another program I use, you can do this with “order allow, deny from all” in htaccess as well (but I’m better with php files….)

    Why not just put a default index.php page in any directory you don’t want someone to be able to browse?

    In that page, put a header redirect back to your main entrance page?

    Then, when someone tries to browse a directory, they instead are directed to your main site? For a single site, all you have to do is make 1 page, then upload it wherever you want to use it.

    Of course, don’t upload it where you don’t need it, and overwirte an existing index page. For example, uploading a redirect page like this by accident to say… your root publich html directory would be bad. But, when used in directories where an index page doesn’t exist by default, works out great.

    Yup, that’s a good idea. I may (eventually) implement something like that myself, once I get my client “spring-cleanings” out of the way….

    Thread Starter shacker

    (@shacker)

    Hmm… Yes, I did put an index.html in the top-level plugins directory, but should propagate that to all of the plugin subdirs. Adding a redirect would really do the trick, for all but the most determined accesses. Seems like an apache allow/deny block would be ideal. Anyone have the syntax for that handy?

    Wouldn’t it be enough to chmod (I think that’s the name, I really don’t use linux much ^_^) the directory? When I try to go to my plugins folder directly from the web, I get a 403 error.

    Well, mine are all set 755, and I can still see the directory listings….

    Nebelmond – a 403 is good. It means the host has set the server so a directory without an index cannot be viewed. You can leave it alone ??

    yeap, and you can set that up yourself simply by adding:

    Options All -Indexes

    …to your .htaccess

    Thread Starter shacker

    (@shacker)

    whooami – Bingo, that did the trick, thanks.

    Seems like an .htaccess containing this should be part of the basic WP distro. If that’s not possible, then this could be part of the intro documentation.

    It is easier to add at one place, as Whooami suggested Options All -Indexes, rather going to many places.

    But still it depends upon ‘how would one like to implement?’ As both are nice tricks.

    Is it possible to get the 403 error page to redirect to somewhere else either a more pretty 403 error page or maybe the blog home page? Maybe with a plugin or more code in the .htaccess?

Viewing 14 replies - 1 through 14 (of 14 total)
  • The topic ‘Hiding the plugins directory from public’ is closed to new replies.