• Hello, I did a Google search and searched the forums here but I still can't seem to find an answer. I installed the WordPress Maps And Who’s Online plugin and I noticed someone was viewing a URL that I thought wasn’t supposed to be viewable. It was a URL to a plugin file. After that I tried looking at my theme files and plugin files from a browser where I was logged out and I couldn’t get any of the theme files to show, but I could get all of the plugin files to show. The PHP FILES!! Now correct me if I’m wrong, but isn’t that a security threat? Note: I checked permissions on both theme files and plugin files and they are identical: 755 for folders and 644 for files. Are these plugin files supposed to be viewable?

Viewing 15 replies - 1 through 15 (of 15 total)
  • I had the same concerns a couple of years back about php files in general. And was assured, then verified for myself on several different hosting companies/packages, that THE CONTENTS OF php files should NEVER be visible. You will, however, sometimes see a directory listing created by a browser that includes .php files in the contents of the directory.

    Bottom line, as it was explained to me back then: if any .php file is visible with a browser, either directly or by View Source, then contact your hosting provider, as they have some settings set incorrectly (in Apache, as I understand it).

    Thread Starter hello

    (@txnitro)

    @adiant

    Thanks for the response. I didn’t mean that the PHP content was visible, just the files in general. For instance, I can view a form on one of the files and I can actually submit it. This is a plugin file! The form should only be submittable from the back end. This particular plugin was not even enabled. Anyway, what I’m trying to say is that if one of those plugins does not validate correctly the user who is able to submit some of these forms, it can get real ugly!

    I had not noticed previously — i.e. – I never looked — but I am in exactly the same situation that you are. So, this is not an Apache or web hosting issue, but an issue with the plug-in per se.

    Coincidentally, I am planning to address a similar problem for my business partner who doesn’t want people to see the contents of his .jpg-only folders. My plan was to put a blank index.php or index.html in each of these folders that would normally display their contents when you type a URL with just the folder name.

    Admittedly, I haven’t tested this concept yet.

    Unfortunately, this is a “closing the barn door after the horse is gone” approach, as Google may have already indexed those individual files in the folders.

    Thread Starter hello

    (@txnitro)

    Well, make sure you add: Disallow: /wp-* to your robots.txt file so search engines won't index any files beyond the wp folders. Legit search engines, anyway! Another thing I recommend is adding: Options All -Indexes to the .htaccess file in the root directory. That way you don’t see the directory listing you were talking about for the main plugins folder or images folder, but it still doesn’t prevent them from entering a URL directly to a PHP file or image file beyond that folder! For instance, if someone looks at my site, they will automatically know that I have Google Ajax Translate enabled. So if they know about this possibility, they can go directly to any file they know is there! And if the plugin is not coded right, they can do some damage!

    Thanks for that! Much appreciated.

    Thread Starter hello

    (@txnitro)

    The thing I'm trying to figure out is why my theme files will not show with a direct URL entered and my plugin files do, given that they have the same permissions. I might have to contact my hosting for this! Is anyone else out there having this same problem? It’s worth checking. I never noticed or bothered to look before last night (thought they were un-viewable for sure) until I saw on the WordPress Maps And Who’s Online plugin that someone was viewing a direct URL to a plugin file!

    In my case, wp-content/themes/twentyten/images/headers/ is visible, but wp-content/themes/twentyten is not. The latter has an index.php. The former does not.

    Entering wp-content/themes/twentyten as a URL does give you an error though: “Fatal error: Call to undefined function get_header() in /home/adiant/public_html/wp/wp-content/themes/twentyten/index.php on line 16” indicating the index.php file is executed.
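    The fatal error above is the mechanism behind the whole thread: WordPress only loads plugin and theme files by including them from its own bootstrap, so a direct request to wp-content/plugins/<plugin>/<file>.php makes PHP run that file on its own, with no WordPress functions, no logged-in user and no nonce or capability checks. A theme template "fails" only because it happens to call get_header() before doing anything else; a plugin file that handles a form without first checking for WordPress can be submitted by anyone, as described earlier. File permissions of 644 make no difference, since the web server reads the file either way. The usual defence is a guard at the top of every plugin PHP file, `if ( ! defined( 'ABSPATH' ) ) { exit; }`, which ends the request unless WordPress loaded the file. The script below is an added example, not code from this thread or from any of the plugins mentioned: it walks a plugins directory and lists the PHP files that lack that guard, i.e. the ones that will execute when requested directly. The sample plugin tree it builds is constructed for illustration; the plugin and file names in it are invented.

```shell
#!/bin/sh
# Added example: audit a WordPress plugins directory for PHP files that run
# when requested directly, i.e. files without the ABSPATH guard
#     if ( ! defined( 'ABSPATH' ) ) { exit; }
# Not from the original thread. The sample tree below is constructed.

# Print the path of every .php file under $1 that contains no ABSPATH guard.
# The pattern accepts the common spellings: defined('ABSPATH'),
# defined( 'ABSPATH' ) and defined("ABSPATH").
find_unguarded_php() {
    dir="$1"
    find "$dir" -type f -name '*.php' | sort | while IFS= read -r f; do
        if ! grep -q "defined *( *['\"]ABSPATH['\"] *)" "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of unguarded files, usable as a simple gate in a deploy script.
count_unguarded_php() {
    find_unguarded_php "$1" | wc -l | tr -d ' '
}

# Build a constructed sample plugin tree in a temp directory and print its
# path: one guarded plugin, one plugin whose main file is guarded but whose
# form handler is not (the situation the thread starter describes).
make_sample_plugins() {
    root=$(mktemp -d)
    mkdir -p "$root/good-plugin" "$root/bad-plugin/admin"
    cat > "$root/good-plugin/good-plugin.php" <<'EOF'
<?php
/* Plugin Name: Good Plugin (constructed sample) */
if ( ! defined( 'ABSPATH' ) ) { exit; }
add_action( 'admin_menu', 'good_plugin_menu' );
EOF
    cat > "$root/bad-plugin/bad-plugin.php" <<'EOF'
<?php
/* Plugin Name: Bad Plugin (constructed sample) */
defined('ABSPATH') || exit;
EOF
    cat > "$root/bad-plugin/admin/form-handler.php" <<'EOF'
<?php
// No guard: a direct POST to this URL runs the handler outside WordPress,
// with no logged-in user, no nonce and no capability check.
if ( isset( $_POST['email'] ) ) { mail( 'owner@example.com', 'Contact', $_POST['email'] ); }
EOF
    printf '%s\n' "$root"
}

# Usage: sh plugin-guard-audit.sh /path/to/wp-content/plugins
# With no argument nothing is audited; the functions are available to source.
if [ -n "${1:-}" ]; then
    find_unguarded_php "$1"
fi
```

    Read the result as a worklist, not a verdict: a file without the guard is not automatically exploitable (it may do nothing useful standalone), and a file with the guard can still be unsafe inside WordPress if it never checks capabilities or a nonce. A few plugins also ship files that are meant to be requested directly and deliberately omit the guard; those need a look by hand rather than a blanket fix.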

    Thread Starter hello

    (@txnitro)

    Did you put: Options All -Indexes
    in the .htaccess file for the root directory?

    It shouldn’t show any file listing for any folder with that code.

    I’m using a custom theme that I created and I just checked a direct URL to an image and it is showing, but the direct URLs to my main files (PHP) do not show anything. They redirect with an error. Which is good, but that's just my theme folder; I’m still seeing all of the PHP files for plugins when I enter a direct URL to them.

    No, I hadn’t added it. Now that I have, wp-content/themes/twentyten/images/headers/ gives a 404. Also, now wp-content/plugins/akismet/ gives a 404.

    Which is different from what you are experiencing. The first thing I would look for is an .htaccess file in one of the subfolders that leads to your theme, as it could conceivably override the root .htaccess.

    Of course, it would also be a good idea to check the root .htaccess to be sure it doesn’t have something weird in it. The standard is:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress

    Thread Starter hello

    (@txnitro)

    Yes, I have exactly what you have in my .htaccess. Try a URL to a file in particular, not the folder. That code redirects with a 404 error for folders. Try a URL directly pointing to a particular file in the plugins folder, e.g. wp-content/plugins/akismet/index.php (not sure if that’s an actual file; I didn’t want to put it out there), and try a direct URL to e.g. wp-content/themes/twentyten/images/headers/image.jpg (again, not sure if this is an actual file). Let me know what you get. Thanks

    Both wp-content/plugins/akismet/akismet.gif and wp-content/themes/twentyten/images/wordpress.png display the correct graphic when I directly enter their URL into my browser.

    I don’t see any difference between plug-in and theme folder behaviour.

    The reason one can see files in the plugin folder is that each folder should have an index file; I just checked the akismet folder and there is no index file.
    wp-content has a blank index.php and so does the plugins folder, but each plugin may not have one.

    So the question arises: if we put an index.php file in plugins, will that break the plugin?

    I put one in akismet to test it out and I no longer see the files like I did; it gives a blank page, as there is a blank index.php file in the folder.

    Thread Starter hello

    (@txnitro)

    What if you try a theme folder URL to a direct PHP file, e.g. wp-content/themes/twentyten/index.php?

    Mine won't show from the theme folder. But a direct PHP URL to the plugins folder will!

    Thread Starter hello

    (@txnitro)

    @govpatel

    With the .htaccess code above, you get rid of the need to put in a blank HTML file. The thing is, even if there is a blank HTML file there, you can still see files when you enter a direct URL to them. PHP files!

    What about this topic? There is no answer yet and I am also very interested in how this is done.

  • The topic ‘Plugin Files Are Visible’ is closed to new replies.