May 14, 2009

WordPress Security – Urgent Update for Blog Owners

WordPress Blog Security “Hole”
And a Step by Step Guide to Fixing It

Pre-story: during one of the brainstorming meetings of the Free Traffic System team, one of its members mentioned a blog security problem we ran into about a year ago with some of our own blogs. That is when it hit us: what about our bloggers? We rushed to check how many of the blog owners who had submitted their blogs to the system knew about this security hole, and the results were shocking.

Only 1 Out of 10 Blog Owners…

… from Free Traffic System was protected against this security hole. The other 9 were wide open. We decided there was no point in checking further; we needed to explain to our users how to fix the problem.

IMPORTANT: we want you to understand clearly that this security hole is just one of the holes your blog can have; we do not pretend that the guide published below will save you from every problem. If you are looking for a more thorough, automated way of hardening your WordPress blog, we recommend using this script (it comes with a multi-site license).

Step 1. How to Check if Your Blog has this Security Hole

Type the following URL into your browser, with your own domain in place of the placeholder: http://www.your-blog-name.com/wp-content/plugins . If you see a plain page that lists all your plugins, congratulations, you have a problem. Luckily it is easy to fix without being a tech geek.

So, if you see something like this…

… then the web server has no index file in that folder and is generating a directory listing instead. Anyone can read the exact list of plugins you run (including the ones you paid for) and browse into each of them. The server runs .php files rather than showing their source, but it hands over everything else in those folders as-is: readme.txt files, which usually state the plugin version, zipped backups, JavaScript and CSS. A list of plugin names and versions is precisely what someone hunting for a known vulnerability wants, so this is a playground for a hack-minded person.

Step 2. How to Fix this Hole

To fix this and stop your blog from being exposed, you need to turn off what is called “directory browsing” (also known as directory indexing), and this is very easy to do.

Log into the cPanel account where the blog is hosted and look for an icon called Index Manager. In the Advanced section it looks like this:

Click the icon and you get a page listing the folders of your site; choose the folder you want to protect from directory browsing. Click the /public_html/ folder, as shown in the screenshot below…

You are now on the settings page for that folder. Choose No Indexing, like this…

Done! Directory listings are now disabled for public_html and every folder beneath it (this is the same thing as adding the line Options -Indexes to the .htaccess file in that folder by hand). Be clear about what this does and does not do: a visitor can no longer browse your folders to discover what is in them, but any file whose name they already know or can guess is still served exactly as before. It hides the map; it does not lock the doors.
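For readers who would rather do both steps from the command line than from cPanel, here is an added example in Python. It is not the post's own method and not part of cPanel or WordPress. It recognises an Apache-generated directory listing, pulls out the plugin names such a listing leaks, and applies the equivalent of the Index Manager fix by writing Options -Indexes to .htaccess and dropping a blank index.php into wp-content/plugins. The sample listing embedded below is constructed and the plugin names in it are made up; check_site is the only function that touches the network, and it assumes a live WordPress site at the URL you pass.

```python
"""Check for, and fix, an exposed wp-content/plugins directory listing.

Added example, not code from the original post. The sample HTML is
constructed to resemble Apache's mod_autoindex output; the plugin
names in it are invented.
"""
import re
import urllib.error
import urllib.request
from pathlib import Path
from typing import List, Optional

# Constructed sample: what a browser shows when listing is enabled.
SAMPLE_LISTING = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1>
<pre><a href="?C=N;O=D">Name</a> <a href="?C=M;O=A">Last modified</a>
<hr><a href="/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>             12-May-2009 08:11    -
<a href="example-seo-pro/">example-seo-pro/</a>    01-Apr-2009 17:02    -
<a href="hello.php">hello.php</a>           11-Jan-2009 09:30  2.0K
<hr></pre></body></html>
"""

# mod_autoindex always emits an "Index of /..." title and a Parent Directory link.
_INDEX_RE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
_PARENT_RE = re.compile(r">\s*Parent Directory\s*<", re.IGNORECASE)
# Relative links ending in "/" are sub-directories, i.e. plugin slugs.
_SUBDIR_RE = re.compile(r'href="([^"/?][^"]*)/"')


def is_directory_listing(html: str) -> bool:
    """True when the body looks like a server-generated directory index."""
    return bool(_INDEX_RE.search(html)) and bool(_PARENT_RE.search(html))


def leaked_plugin_slugs(html: str) -> List[str]:
    """Plugin directory names an attacker can harvest from the listing.

    Each slug usually has a readme.txt giving the exact installed version.
    """
    return sorted(set(_SUBDIR_RE.findall(html)))


def check_site(base_url: str, timeout: float = 10.0) -> Optional[List[str]]:
    """Fetch <base_url>/wp-content/plugins/ and return the leaked slugs.

    Returns None when the server does not list the directory (a 403 or 404,
    or a normal page). Not exercised offline; assumes a live WordPress site.
    """
    url = base_url.rstrip("/") + "/wp-content/plugins/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        if exc.code in (403, 404):
            return None  # what a hardened host answers
        raise
    return leaked_plugin_slugs(body) if is_directory_listing(body) else None


HTACCESS_LINE = "Options -Indexes"


def disable_indexes(docroot: Path) -> bool:
    """Apply the fix to a document root on disk. Returns True if anything changed.

    Appends 'Options -Indexes' to docroot/.htaccess (idempotent) and puts a
    blank index.php into wp-content/plugins as a fallback for hosts that do
    not honour Options in .htaccess.
    """
    changed = False
    htaccess = docroot / ".htaccess"
    existing = htaccess.read_text() if htaccess.exists() else ""
    if not re.search(r"^\s*Options\b.*-Indexes", existing, re.MULTILINE):
        sep = "" if (not existing or existing.endswith("\n")) else "\n"
        htaccess.write_text(existing + sep + HTACCESS_LINE + "\n")
        changed = True
    plugins = docroot / "wp-content" / "plugins"
    plugins.mkdir(parents=True, exist_ok=True)
    index_php = plugins / "index.php"
    if not index_php.exists():
        index_php.write_text("<?php\n// Silence is golden.\n")
        changed = True
    return changed
```

Run check_site("http://www.your-blog-name.com") against a live site; a list of slugs back means the listing is exposed, None means it is not. disable_indexes expects the path of the document root (public_html on a cPanel host) and is safe to run repeatedly.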

Once again, if you need more advanced protection from hackers, check out this script. It is built on a simple idea for keeping hackers away from your blogs: attackers look for the path of least resistance, and if they see that you are protected it is easier for them to find other prey than to keep trying to break into your blog.

And – what is also important – the seller of this script officially confirms the following:

We confirm that with normal use our script will not interfere or conflict with the control and functions of the Free Traffic System program

Be smart. Be safe. Be successful.

36 Responses to “WordPress Security – Urgent Update for Blog Owners”
  1. Get on Google page one said on May 14th, 2009 9:16 am

    There is another simple solution too.

    When you upload your plugins, also upload an index.html file to that same plugin folder.

    The index.html page can be blank or you can add some redirect code to send visitors back to your home page or elsewhere.

    Or you can upload a php redirect file. Just add the following 3 lines (nothing else) to a text file and name it index.php

    <?php
    header("Location: http://domain.com");
    ?>

    Replace the [ and ] with < and > or it won't work. Had to do that to display the code here.

    You can change the URL, of course.

    By adding a file like this into the plugins folder on my computer, the upload process is simple. When I upload my favorite plugins, the index page goes too.

    Cheers,
    Gary Harvey
    http://GetOnGooglePageOne.com

  2. Claire said on May 14th, 2009 9:29 am

    Thanks a lot, I did the check and there it all was, so I made the change.
    It was very simple and fast to do and I had never heard of doing it.
    Thanks, Claire

  3. Cyber said on May 14th, 2009 9:30 am

    Very important info, thanks

  4. blogging tips said on May 14th, 2009 9:30 am

    Simple but really good tactic. Also a nice idea is to simply put an index.html file there that blocks browsing.

  5. flat house share said on May 14th, 2009 9:45 am

    wow I had no idea thanks for the info on this guys :-)

  6. Phlunk3 said on May 14th, 2009 10:12 am

    Another reason to not use software you don’t understand :P

  7. June said on May 14th, 2009 10:42 am

    Great tip. Thanks. I made the change. Thanks to Gary Harvey also. The ‘no indexing’ doesn’t block the search engines from indexing other pages does it?

  8. Kawasaki Motorcycle said on May 14th, 2009 10:45 am

    This is nice for protecting my blog from hacking, thanks
    adviser

  9. Steve1943 said on May 14th, 2009 10:48 am

    Sure enough there was a list of my plug-ins, including some I paid for.

    But I can’t figure how a thief could use the list. I tried a few, but was unable to find a way to download any of them (FTP access, is password protected).

    Attempting to read or download them with my browser results in Apache invoking them to run – whereupon they promptly crash for lack of the parameters, data or return address links that would normally be supplied by the WP routine calling them.

    What am I missing here?

    Steve

  10. Terry Didcott said on May 14th, 2009 11:06 am

    Um, I think you’ll find that if you check the “No Indexing” button, that will ALLOW the files in the index to be displayed.

    You actually need to check either the “Standard Indexing” to hide folders with no images or “Fancy Indexing” to hide folders that contain images.

    Yeah I know, confusing, but that’s the way it is!

  11. Admin said on May 14th, 2009 11:20 am

    This is an answer to 2 replies.

    To Steve1943

    Not necessarily, I was doing the tests and downloaded the files. So it really depends.

    To Terry Didcott

    I did No Indexing and it worked. Try Free Traffic System blog for example.

  12. Jay said on May 14th, 2009 11:34 am

    At the end of my .htaccess file I use:

    Options -Indexes

    and that works as well to block out the page. It will give a 404 Not Found error if they try to look at your plugins folder.

  13. Bill Masson said on May 14th, 2009 12:04 pm

    Thanks for the tip. I did check before I implemented your suggestion and sure enough I was able to download any plugin that I wished. I must mention however that all of my plugins are freely available from wp.org.

    Thanks guys

  14. CD Rates said on May 14th, 2009 1:52 pm

    I like the index.php solution. I also could not download the plug-ins when viewing, but having the folder redirect to the main page looks better than a directory dump anyway.

    cd :O)

  15. work from home internet job said on May 14th, 2009 4:39 pm

    Seems a little confusing with all the responses. Can somebody point out some crisp and clear information?

    Lian Vaiphei

  16. Home Remedies said on May 14th, 2009 5:07 pm

    Thanks, I changed my blogs now. I did not know about that before… Thank you.

  17. 3dogs said on May 14th, 2009 5:22 pm

    Fortunately, my host already has the WP security holes plugged.

    I suppose, however, the same is true of the wp-content/themes directory? Especially important if you’ve paid for a theme or two.

    It’s really too bad hackers and spammers seem to think that it’s OK for them to “cheat” others out of their hard-earned money. But such is the entitlement mindset.

  18. Richard Durkee said on May 14th, 2009 5:26 pm

    Great tip, thanks. I was lucky, it came up as page not found.

    Richie

  19. Jesus Moreno said on May 14th, 2009 6:14 pm

    I had 2 WP blogs in the past. I haven’t another one right now, only a blogspot blog. I’m setting up a new WP blog to be uploaded soon. I’ll be very aware of the breach you are posting about. Gary Harvey’s post is also very enlightening because he is a known internet marketer and he must have very wide expertise in web design. Thanks.

    Jesus M.

  20. fas said on May 14th, 2009 7:27 pm

    Superb stuff there. I checked out a few A-list bloggers who have not cured this mistake.

  21. ALL X CLUB said on May 14th, 2009 11:09 pm

    Thanks man… forgot about that… I hope it doesn’t affect my google rankings :)

  22. joanne said on May 15th, 2009 12:09 am

    Gee, I didn’t know about this,thanks for the advice!

  23. Admin said on May 15th, 2009 8:54 am

    Answer to Lian Vaiphei

    We recommend using what we wrote. Other suggestions are options and we are happy our users share the best of their experience.

    It is absolutely up to you what you choose, but we published our solution in the post.

  24. InfoMagz said on May 16th, 2009 1:47 am

    I usually use the index.php solution to all my blogs and it normally shows a blank page on the screen when browsed.

    I’ll check the fix presented by admin here and see if my web host supports it.

  25. Free website builder said on May 16th, 2009 7:41 pm

    Thank you very much for these suggestion. These are very useful steps for protecting your blog.

    Signup for your free website builder account

  26. Jackie Tulos said on May 17th, 2009 12:50 am

    Thanks. Sure enough I had the hole in my site. All fixed now. Your instructions were very easy to follow.

  27. Sascha Pallenberg said on May 17th, 2009 7:25 pm

    This has nothing to do with wordpress but with your webserver. This is not a wordpress security hole!

  28. Admin said on May 20th, 2009 8:26 pm

    Yep, this is a server thing. Otherwise we would not suggest the fixing of server settings as a solution.

  29. Movies To Download For Free said on May 23rd, 2009 5:15 pm

    Thank you! I have a bunch of WP blogs and they ALL had this problem. Whew! You guys rock.

  30. Michael Claggett said on June 7th, 2009 5:39 pm

    Do you have specific requirements for plug-ins or SEO in WP for a blog to qualify to add to your system?

    Do blogs contributed to your system have to be accessible through the root domain or can they be in a directory?

  31. JNFerree said on June 20th, 2009 12:08 am

    Glad to see you guys are “cracker” sensitive! My WP blog got whacked by a savvy (nasty) cyber cracker a few months ago which cost me a few hundred hours to stop the bleeding. This easy fix gave me some comfort on whether to open the back door to FTS on an ongoing basis.

    Were you guys aware your vids are no more on Vimeo?

    Please advise when your new vids are avail via YT or Viddler or where ever?

    Peace

    Neil

  32. Lake of the Ozarks said on July 12th, 2009 8:19 pm

    After having my wordpress blog hacked and having to rebuild I found this post a great help. Thanks!

  33. johnny said on August 7th, 2009 7:20 am

    Hello. Thank you for this great info! Keep up the good job!

  34. Wii Bundles said on August 7th, 2009 8:23 am

    Really helpful tip. Thanks for that.
    It’s amazing how much there is to learn. I must spend more time looking at cpanel and figuring out some of the options.

  35. Neil Ferree said on October 31st, 2009 11:30 pm

    Not only is FTS a great service, its pretty obvious the user community are pretty up to snuff in the “how to” area. This was one helpful tip. Much appreciated. I suspect that pretty soon a more real-time feed on these types of tips will be live on my screen now that I have my gWave up and running.

    Would like to hear from other FTS users who are in possession of an active gWave account / profile so share tips & tricks.

    - Neil

  36. Spyware Blockers said on November 12th, 2009 7:13 pm

    I have been reading your posts lately, just want to say thanks for all the informative stuff I have found here, it has helped me learn a lot lately.

    Much Regards, Mark