Your Wordpress Blog Is Under The Eye Of Spy!

Wordpress, Blog  |  Wednesday, July 4th, 2007

Do you run a self-hosted Wordpress blog? Do you know that there are some security loopholes in your Wordpress blog? If your answers are ‘yes’ to both questions, then you should continue reading. I’m not trying to make it sound like a huge security risk. I just think that you should be aware of it and take appropriate action if you would like to.

Search Google for open Wordpress plugin folders (the query is given in part #2 below) and you’ll see that so many people’s Wordpress plugin folders are open for public browsing! Surprised? I performed this search and noticed that a few of my own Wordpress plugin folders were indexed by Google. It alarmed me a little, since I do not want those plugin folders to be indexed and I consider that too risky.

Why Is This Risky Or Dangerous?

When an exploit is found, people can easily use Google to find out who is running which plugin and exploit that server. I believe most of the plugins on the market have not been reviewed very thoroughly for security. I suspect there are many out there that allow remote shells and various database exploits but just have not been uncovered yet.

What Is The Solution?

Who is at fault for this? I think most of the time we should not blame other people for not making the plugin or software risk-free. Instead, we should do our part to avoid those security issues. There are two parts:

#1 Disable Public Browsing of Folders

Before you start applying the change, you can verify whether your folders allow public browsing. Type this URL into your browser:

http://www.YourDomainName.com/wp-content/plugins/

[Screenshot: Browse Folder - the directory listing you get when the plugins folder is open for public browsing]

If you can see the above result, then you need to modify the “.htaccess” file in your Wordpress root folder by adding the following line. If you don’t have the file, create it and upload it to your Wordpress root.

Options All -Indexes

After you make the change and apply it to your server, you should see the effect immediately.

#2 Disable Search Engine Indexing

Here is the query to check whether your plugin folders are indexed by the search engine. Type it into the Google search box. Make sure you change the domain name in the query.

intitle:"Index of" site:YourDomainName.com

The solution is to create or modify the “robots.txt” file in your Wordpress root folder and add the following lines. This prevents search engines from indexing the files and pages inside those folders.

User-Agent: *
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/

It’s not an immediate effect. It may take a few days for the search engine crawler to crawl your website or blog again. So be patient and check the search engine again. Keep in mind that robots.txt only asks well-behaved crawlers to stay out; it does not stop a visitor from opening the folder, which is why part #1 is still needed.
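The two checks from parts #1 and #2, written as an added example for testing your own blog (this is not code from the original post). It assumes Apache’s standard mod_autoindex listing format, which titles the page "Index of /path", and the sample responses below are constructed rather than captured from a real site.

```python
"""Offline checks for the two problems the post describes: an Apache directory
listing on /wp-content/plugins/ and a robots.txt that does not keep crawlers out.
Added example, not part of the original post; the sample responses are constructed."""
import re

TITLE_RE = re.compile(r"<title>\s*Index of\b", re.IGNORECASE)
HREF_RE = re.compile(r'href="([^"]+)"', re.IGNORECASE)

def exposed_plugins(status, body):
    """Return the plugin folder names a directory listing reveals, or [] if the
    folder is not browsable. Apache's mod_autoindex titles its page "Index of /path"
    and links sub-folders as "name/"; after 'Options All -Indexes' the same request
    returns 403 with no listing, so the status code is checked first."""
    if status != 200 or not TITLE_RE.search(body):
        return []
    # Skip the parent-directory link (starts with /) and the column sort links (?C=...).
    return sorted(h.rstrip("/") for h in HREF_RE.findall(body)
                  if h.endswith("/") and not h.startswith(("/", "?")))

def robots_disallows(robots_txt, path, agent="*"):
    """True if the robots.txt group for `agent` has a Disallow rule that is a
    prefix of `path`. Only Disallow is handled, which is all the post's file uses.
    robots.txt is a request to crawlers, not access control: a visitor or a crawler
    that ignores it still gets the listing unless part #1 is applied as well."""
    rules, in_group = [], False
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments and padding
        field, _, value = (part.strip() for part in line.partition(":"))
        if field.lower() == "user-agent":
            in_group = value.lower() == agent.lower()
        elif field.lower() == "disallow" and in_group and value:
            rules.append(value)
    return any(path.startswith(rule) for rule in rules)

# Constructed sample of a browsable plugins folder before the .htaccess change.
LISTING_BEFORE = """<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1><pre><a href="?C=N;O=D">Name</a>
<a href="/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>
<a href="example-plugin/">example-plugin/</a>
<a href="hello.php">hello.php</a></pre></body></html>"""

ROBOTS_FIXED = "User-Agent: *\nDisallow: /wp-admin/\nDisallow: /wp-content/\nDisallow: /wp-includes/\n"

if __name__ == "__main__":
    print(exposed_plugins(200, LISTING_BEFORE))                    # ['akismet', 'example-plugin']
    print(exposed_plugins(403, "<title>403 Forbidden</title>"))    # []
    print(robots_disallows(ROBOTS_FIXED, "/wp-content/plugins/"))  # True
    print(robots_disallows("User-Agent: *\nDisallow: /wp-admin/\n", "/wp-content/plugins/"))  # False
```

To run it against your own blog, feed the status code and body of a request for http://www.YourDomainName.com/wp-content/plugins/ into exposed_plugins and the contents of your robots.txt into robots_disallows.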

Final Thought

This is not a major security flaw in Wordpress. But I think you should take the necessary actions to avoid potential security issues in order to protect your blog. All blog owners and website owners have the responsibility to create a risk-free environment. It’s not just the job of a programmer or developer.

Any comments you would like to share with us?
