
  • Security Metrics scan failed with high risk vulnerability as error message below:

    Security vulnerabilities

    Protocol: TCP

    Port: 80

    Program: http

    Description: web server autoindex enabled

    Severity: Potential Problem

    CVE: CVE-1999-0569

    Impact: A remote attacker could view the directory structure on the web server.

    Resolution: Ensure that autoindexing is not enabled on the web server. On Apache web servers, this can be done with the following directive in the configuration file: Options -Indexes

    Vulnerability Details: Service: http Index of /storage

Viewing 5 replies - 1 through 5 (of 5 total)
  • Moderator Kathryn


    Automattic Happiness Engineer

    Not sure exactly what your question is, but turning off directory indexes is something unrelated to WordPress. You can usually do it somewhere in your web hosting control panel, or manually by adding this line to your .htaccess file:

    Options -Indexes

    Be very, very careful if editing your .htaccess file manually as one little glitch can bork your site big time. Always make a backup of your current file first and use a plain-text editor, and be careful not to leave any blank lines at the top or bottom of your file.

    How to disable directory browsing using .htaccess – Apache Web Server

    Thanks for responding. This is the first answer I’ve gotten from several resources that is even remotely comprehensible.

    Moderator Kathryn


    Automattic Happiness Engineer

    Glad to hear it was somewhat comprehensible. 😉

    If you have any other questions don’t hesitate to ask.

    p.s. do you know what directory indexes are? It’s when the contents of a web server’s folder/directory are visible to the public as a list of files, i.e. at a URL like This is not great for security, so it’s normally a best practice to turn off directory indexing so someone trying to go to the above URL would get a message saying that access to that URL is forbidden.

    So anyway,
    My web host is Yahoo and they don’t allow .htaccess editing. I noticed in SecurityMetrics’s suggested resolution they used the word “storage” which happens to be the name of a folder where we archive our old newsletters for download. I took a chance and password protected that folder/index and re-ran the scan. That did the trick (I guess) cause the scan passed and I’m back in their good graces.
    Can’t tell you how much I appreciate a human being on the other side of a question who can/will actually help.
    May the sun shine brightly on your soul,

    Moderator Kathryn


    Automattic Happiness Engineer

    My pleasure!

    FYI for future reference, the other way to prevent directory indexes in a situation where you can’t edit the .htaccess is to place a blank index.html file in each of the folders where there isn’t a default file (a default file can be named index.html, index.htm, index.php, default.php, or something similar, depending on the hosting setup). Of course doing this manually can be cumbersome if your site contains many folders missing a default file, which is why it’s normally a lot easier to turn it off site-wide. Here’s what Yahoo says on the matter:

    Best of luck.
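
The blank-index workaround from the last reply, as an added example that is not part of the original thread: a Python script that walks a local copy of the site, reports every folder with no default file, and can drop an empty index.html into each. The function names and the sample tree are constructed for illustration, and the default-file list is taken from the names the reply mentions, so match it to your host's setup.

```python
import os
import tempfile

# Default-file names mentioned in the reply above (assumption: the host serves
# exactly these; the real list depends on its DirectoryIndex configuration).
DEFAULT_FILES = {"index.html", "index.htm", "index.php", "default.php"}


def dirs_without_default(web_root, default_files=DEFAULT_FILES):
    """Return sorted relative paths of folders that autoindex would list."""
    exposed = []
    for current, subdirs, files in os.walk(web_root):
        # Skip hidden folders such as .git; they need separate handling.
        subdirs[:] = [d for d in subdirs if not d.startswith(".")]
        if not set(files) & default_files:
            exposed.append(os.path.relpath(current, web_root))
    return sorted(exposed)


def add_blank_indexes(web_root, dry_run=True):
    """Create an empty index.html in each exposed folder; return those folders."""
    targets = dirs_without_default(web_root)
    if not dry_run:
        for rel in targets:
            path = os.path.join(web_root, rel, "index.html")
            # Mode "x" refuses to overwrite a file that already exists.
            with open(path, "x", encoding="utf-8"):
                pass
    return targets


def build_sample_site(root):
    """Constructed sample tree; storage/ mirrors the folder named in the scan."""
    for rel in ("storage/2012", "storage/2013", "images", "blog"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("index.php", "blog/index.php", "storage/2012/jan.pdf", "images/logo.png"):
        open(os.path.join(root, rel), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        print("would be listed:", dirs_without_default(site))
        add_blank_indexes(site, dry_run=False)
        print("still listed after fix:", dirs_without_default(site))
```

Run it with `dry_run=True` first and review the list before writing files, then upload the new index.html files and re-run the scan.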

  • The topic ‘Security vulnerabilities’ is closed to new replies.