Secure Your WordPress Plugins
Tony Hung over on Deep Jive has an important post on securing your WordPress plugins directory. Out of the box, the plugins directory is not protected, so its contents can easily be browsed. Considering you could be running an insecure plugin, leaving the directory open to browsing is not a great idea.
Luckily the fix is simple and only requires the addition of an index.html file in the folder.
Better safe than sorry…
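One way to apply the index.html fix across the whole plugins tree, as an added example that is not from the original post or from Deep Jive. The function names are hypothetical, the sample tree is constructed, and treating index.php as an index file alongside index.html is an assumption about the server's configuration.

```shell
#!/bin/sh
# Added example: find folders under a plugins tree that a web server could
# list, and drop an empty index.html into each one.

# Succeeds if directory $1 already holds an index file (assumed names).
has_index() {
    for f in index.html index.php; do
        # -L also catches a dangling symlink, so we never write through one.
        if [ -e "$1/$f" ] || [ -L "$1/$f" ]; then return 0; fi
    done
    return 1
}

# Print every directory under $1 (including $1) that has no index file.
list_unprotected_dirs() {
    find "$1" -type d | while IFS= read -r dir; do
        if ! has_index "$dir"; then printf '%s\n' "$dir"; fi
    done
}

# Create an empty index.html in each unprotected directory under $1.
# Existing index files are never overwritten.
protect_dirs() {
    list_unprotected_dirs "$1" | while IFS= read -r dir; do
        : > "$dir/index.html" && printf 'added %s/index.html\n' "$dir"
    done
}

# Constructed sample tree (not a real site): plugin "bar" is already covered.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/plugins/foo/inc" "$demo_root/plugins/bar"
: > "$demo_root/plugins/bar/index.php"

echo "Unprotected before:"
list_unprotected_dirs "$demo_root/plugins"
protect_dirs "$demo_root/plugins"
echo "Unprotected after:"
list_unprotected_dirs "$demo_root/plugins"
rm -rf "$demo_root"
```

This only stops folder listings; as the first comment below points out, a plugin file whose name is already known can still be requested directly.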



That’s a decent-sized hole in WP! I uploaded an index.html but that doesn’t help if you know the name of the files for the plugin. For example, if you know a specific plugin has a file foobar.php, you can just browse to /wp-content/plugins/foobar.php and you’ll quickly know if they have that plugin or not.
Good point. I tend to think the core WordPress app is fairly secure and has a good track record of fixing holes. Plugins are always a little scary since anyone can write one and there is no requirement for good security practices.
Thanks for the tip, done and done.
Same here, done! Thanks for posting this…