WordPress.org

Forums

Hiding the plugins directory from public (15 posts)

  1. shacker
    Member
    Posted 9 years ago #

    I noticed a lot of accesses to wp-content/plugins in my apache logs, and sure enough, this directory is browsable to the world.

    Is this a security problem? It doesn't exactly make me feel warm and cozy.

    Putting a .htaccess here is going to confuse a lot of plugins, I expect.

    I protected it sort of by placing an index.html file in that dir, but that won't prevent direct access to plugins for people who know the path.

    What's the right solution?

    Thanks.

  2. Samuel B
    moderator
    Posted 9 years ago #

    You're probably just seeing the traffic - if plugins are used on your site, they are called when someone uses your site/feature.
    Only a logged in admin can see the actual plugins in admin. Everyone else is redirected to the login/subscribe page.

  3. moshu
    Member
    Posted 9 years ago #

    Only a logged in admin can see the actual plugins in admin

    While that's true, the OP's concern is this:
    http://comeuphither.com/blog/wp-content/plugins/

  4. Samuel B
    moderator
    Posted 9 years ago #

    Ahh - I see - thanks Moshu.
    I provide a much easier link on my site, though. :>)
    http://www.comeuphither.com/plugins

  5. vkaryl
    Member
    Posted 9 years ago #

    Can't you stop this by using an index.php file in there with whatever you choose to use for a message?

    And in fact, I just tried it, it works fine.... I think from remembering another program I use, you can do this with "order allow, deny from all" in htaccess as well (but I'm better with php files....)

  6. lunabyte
    Member
    Posted 9 years ago #

    Why not just put a default index.php page in any directory you don't want someone to be able to browse?

    In that page, put a header redirect back to your main entrance page?

    Then, when someone tries to browse a directory, they instead are directed to your main site? For a single site, all you have to do is make 1 page, then upload it wherever you want to use it.

    Of course, don't upload it where you don't need it, and overwrite an existing index page. For example, uploading a redirect page like this by accident to say... your root public html directory would be bad. But, when used in directories where an index page doesn't exist by default, works out great.

  7. vkaryl
    Member
    Posted 9 years ago #

    Yup, that's a good idea. I may (eventually) implement something like that myself, once I get my client "spring-cleanings" out of the way....

  8. shacker
    Member
    Posted 9 years ago #

    Hmm... Yes, I did put an index.html in the top-level plugins directory, but should propagate that to all of the plugin subdirs. Adding a redirect would really do the trick, for all but the most determined accesses. Seems like an apache allow/deny block would be ideal. Anyone have the syntax for that handy?

  9. Nebelmond
    Member
    Posted 9 years ago #

    Wouldn't it be enough to chmod (I think that's the name, I really don't use linux much ^_^) the directory? When I try to go to my plugins folder directly from the web, I get a 403 error.

  10. vkaryl
    Member
    Posted 9 years ago #

    Well, mine are all set 755, and I can still see the directory listings....

  11. Mark (podz)
    Support Maven
    Posted 9 years ago #

    Nebelmond - a 403 is good. It means the host has set the server so a directory without an index cannot be viewed. You can leave it alone :)

  12. whooami
    Member
    Posted 9 years ago #

    yeap, and you can set that up yourself simply by adding:

    Options All -Indexes

    ...to your .htaccess
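
Added example, not part of the thread and not WordPress code: a static audit that compares the two fixes discussed above (an index file in each directory versus one `Options ... -Indexes` line in an `.htaccess`) by listing directories that neither measure covers. The index file names, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

INDEX_NAMES = ("index.php", "index.html", "index.htm")  # assumed DirectoryIndex names
# An uncommented Options line that removes Indexes ("Options -Indexes", "Options All -Indexes").
NO_INDEXES = re.compile(r"^[ \t]*Options\b.*(?<!\S)-Indexes\b", re.I | re.M)

def htaccess_disables_listing(directory):
    try:
        with open(os.path.join(directory, ".htaccess"), errors="replace") as fh:
            return bool(NO_INDEXES.search(fh.read()))
    except OSError:
        return False  # no readable .htaccess in this directory

def listable_dirs(root):
    """Directories under root with no index file and no inherited -Indexes.

    Static check of files only: it cannot see the host's own Apache config,
    and it does not model a deeper .htaccess turning Indexes back on.
    """
    root = os.path.abspath(root)
    covered = {}  # directory -> True if it or an ancestor sets -Indexes
    exposed = []
    for current, _dirs, files in os.walk(root):  # top-down: parents come first
        inherited = covered.get(os.path.dirname(current), False)
        covered[current] = inherited or htaccess_disables_listing(current)
        if not covered[current] and not any(n in files for n in INDEX_NAMES):
            exposed.append(os.path.relpath(current, root))
    return sorted(exposed)

def build_demo_tree(base):
    """Constructed sample layout (hypothetical names, not from the thread)."""
    layout = {
        "": {"index.php": ""},
        "plugins": {"index.html": ""},     # index file in the top level only
        "plugins/plugin-a": {},            # still listable: index files do not inherit
        "themes": {},                      # listable
        "uploads": {".htaccess": "Options All -Indexes\n"},
        "uploads/2007": {},                # covered by the parent .htaccess
    }
    for rel, files in layout.items():
        os.makedirs(os.path.join(base, rel), exist_ok=True)
        for name, body in files.items():
            with open(os.path.join(base, rel, name), "w") as fh:
                fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        print(listable_dirs(tmp))
```

Run it against a local copy of `wp-content`; any directory it reports relies entirely on the host's server-wide setting to return a 403.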

  13. shacker
    Member
    Posted 9 years ago #

    whooami - Bingo, that did the trick, thanks.

    Seems like an .htaccess containing this should be part of the basic WP distro. If that's not possible, then this could be part of the intro documentation.

  14. Rok
    Member
    Posted 9 years ago #

    It is easier to add at one place, as Whooami suggested Options All -Indexes, rather than going to many places.

    But still it depends upon 'how would one like to implement?' As both are nice tricks.

  15. Jeff
    Member
    Posted 8 years ago #

    Is it possible to get the 403 error page to redirect to somewhere else, either a more pretty 403 error page or maybe the blog home page? Maybe with a plugin or more code in the .htaccess?

Topic Closed

This topic has been closed to new replies.
