Support » Fixing WordPress » Admin folders browsable

  • When looking into some vague problems I noticed that when you watch the source of my website you can just click on the link to a file in any of the admin folders. I thought these were blocked by default?

    I had a very ‘contaminated’ htaccess, so a while ago I cleaned it up. Did I remove too much perhaps?

Viewing 4 replies - 1 through 4 (of 4 total)
  • No files are blocked by default.
    You might add rules saying that if no “logged-in-cookie” was presented then you respond with 403 forbidden for all admin files, but I’m not sure if that might have any weird side-effects. You might add a lot of other rules. There are several security plugins that can add a lot of stuff in .htaccess to harden your site.
    Depending on your server’s configuration, some of these smart rules might break your site, so when you start playing, make sure to have a good back-up and that you know your way around FTP.

    However, most PHP files are written in such a way that if they’re called directly, rather than as a part of WordPress handling a correct request, they’ll immediately “die”.

    Hm okay. Perhaps I mixed up direct access with actually browsing the folders.

    Regarding browsing the folders, you may simply add the following line in .htaccess:
    Options -Indexes
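    As an added example (not posted by anyone in this thread), here is a .htaccess fragment that puts the two suggestions above together: the Options -Indexes line from this reply, and the earlier reply’s idea of answering 403 to wp-admin requests that carry no logged-in cookie, with an exception for the side-effect that idea runs into. It assumes Apache with mod_rewrite, an AllowOverride that permits these directives, and WordPress installed at the web root (the /wp-admin/ prefix would change for a subdirectory install). The cookie name prefix wordpress_logged_in_ is WordPress’s default; the rule only checks that such a cookie is present, not that it is valid, so WordPress still has to authenticate every request itself.

```apache
# Added example for the site-root .htaccess of a WordPress install.
# Assumptions: Apache + mod_rewrite, AllowOverride allows these directives,
# WordPress lives at the web root so admin URLs start with /wp-admin/.

# 1. Stop Apache from rendering "Index of /" listings for folders without
#    an index file (wp-admin/css/, wp-includes/js/, uploads, ...).
Options -Indexes

# 2. Coarse gate on PHP files under /wp-admin/: answer 403 unless the
#    browser presents a WordPress login cookie (wordpress_logged_in_<hash>).
#    Static assets (css/js/images) are deliberately NOT gated, because the
#    wp-login.php screen loads its stylesheets from /wp-admin/css/ while the
#    visitor is still logged out.
<IfModule mod_rewrite.c>
RewriteEngine On
# Only PHP files inside wp-admin ...
RewriteCond %{REQUEST_URI} ^/wp-admin/.*\.php$ [NC]
# ... except admin-ajax.php, which themes and plugins call from the front end
# for logged-out visitors too (the "weird side-effect" a blanket rule causes).
RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$ [NC]
# ... and only when no logged-in cookie is present at all.
RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_ [NC]
# Respond 403 Forbidden and stop processing.
RewriteRule ^ - [F,L]
</IfModule>
```

    After adding it, check from a browser with no cookies that a folder such as /wp-includes/js/ no longer lists its contents, that /wp-admin/ returns 403 instead of redirecting to the login screen, and that the login page still renders with styling and front-end AJAX features still work; keep a copy of the previous .htaccess at hand so the change can be rolled back over FTP if the site breaks.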

    It took a while before I was home and behind a PC, but adding that line gives, for example, a /wp-admin address an error, while without the line, WP reverts to the login screen. There’s something to say about both, but the line doesn’t prevent opening some file that is, for example, visible in the source. Not that much can happen, but it’s a bit odd.

    Maybe a storm in a glass of water, I just thought I remembered that WP never allowed direct access to any files in the admin folders.

  • The topic ‘Admin folders browsable’ is closed to new replies.