Wordpress Security Tip 1: Using .htaccess for protecting directory information

Why do you want to hide your directory listing? 

Allowing a directory listing to be displayed discloses valuable or sensitive information about your site.  Hackers in their reconnaissance stage try to gain valuable information about your site, and by allowing the viewing of the directory structure, you reveal to them intimate knowledge of your site, such as the plug-ins, themes and naming conventions used, and offer them a rough assessment of your security due diligence.  While the mere knowledge of the sensitive or confidential files you have in your site may cause great loss to you on its own, this information in the hands of a hacker may be used to cause even greater harm to your site.

What can be done to prevent directory listings?

The .htaccess file gives a one-shot method of denying access to the directory list, but this method ends up generating an html 404 Error if the default file is not in the directory… Is this a problem?  Only aesthetically, since the only directories that will ever need 'protection' are those that do not have a default file in the first place.  Anyway, read on and you will learn how to make a small tweak to do this in a much cleaner way, while generating additional page views for your site.

Step 1: Prevent directory browsing with .htaccess

After this line in your .htaccess file,

<IfModule mod_rewrite.c>

Add the following: 

Options All -Indexes

And that's it… Try browsing to a directory that does not have an index.html or other default file and you should get the following:


Forbidden

You don't have permission to access <your_directory> on this server.


So far so good. 

Step 2: Redirect Blocked Directory Listings to a Specific Page

There is actually a cleaner way to handle this, while generating additional page views.  Most Wordpress themes come standard with a "404 Template" page, which accepts HTTP requests that have generated an HTTP 400 Class Error.

So simply add the following after the "Options All -Indexes" line above:

ErrorDocument 403 /forbidden.html

Now, try refreshing the directory request above that generated the "Forbidden" Error page.  It should automatically redirect you to a "Not found" page that matches your site theme.
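As an added example (not part of the original post), here is a small Python audit that reads an .htaccess file and checks for the two directives from Steps 1 and 2, applying Apache's Options merge rules so that a later "Options +Indexes" line or an absolute "Options Indexes FollowSymLinks" line is caught as re-enabling listings. The sample .htaccess text is constructed for the example; the function and key names are this example's own.

```python
# Constructed sample .htaccess (not from a real site), laid out as the post suggests.
SAMPLE_HTACCESS = """\
<IfModule mod_rewrite.c>
Options All -Indexes
ErrorDocument 403 /forbidden.html
RewriteEngine On
RewriteRule . /index.php [L]
</IfModule>
"""

def _indexes_after(state, opts):
    """Apply one Options line under Apache's merge rules: a line without +/- replaces
    the whole set, +/- adjusts it, and 'All' turns Indexes on before '-Indexes' acts."""
    lower = [o.lower() for o in opts]
    if not any(o[0] in "+-" for o in lower):
        return "indexes" in lower or "all" in lower
    if "all" in lower:
        state = True
    elif "none" in lower:
        state = False
    for o in lower:
        if o in ("+indexes", "-indexes"):
            state = o == "+indexes"
    return state

def audit_htaccess(text):
    """Report the two settings from Steps 1 and 2. indexes_enabled is None
    when no Options line in the file touches it (inherited from httpd.conf)."""
    indexes, error_403 = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "<")):  # comment lines and <IfModule> tags
            continue
        tokens = line.split()
        name = tokens[0].lower()
        if name == "options":
            indexes = _indexes_after(indexes, tokens[1:])
        elif name == "errordocument" and len(tokens) >= 3 and tokens[1] == "403":
            error_403 = " ".join(tokens[2:])
    return {"indexes_enabled": indexes, "error_403_document": error_403}

def recommendations(findings):
    """Turn findings into the missing steps, as short action items."""
    notes = []
    if findings["indexes_enabled"] is not False:
        notes.append("Step 1: add 'Options All -Indexes' (listings are not disabled here)")
    if findings["error_403_document"] is None:
        notes.append("Step 2: add 'ErrorDocument 403 /forbidden.html' (raw Forbidden page)")
    return notes
```

Run it against the .htaccess in your blog root after each plugin or theme install; an empty recommendations list means both steps are still in place.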

Is this better than adding index.html pages to every directory?

For most installations, YES!

My previous post, as well as others' posts, recommended placing index.html files in every directory to prevent directory browsing.  But this can become very cumbersome to manage, considering the vast number of directories that are spawned in a typical install.  Every new plugin, widget, or theme creates new directories that may or may not have a default file in them.

In addition, if you try adding an index.html to a directory that already has a live and working index.php or index.htm file, that page will be replaced by the contents of this new index.html file, which is usually blank.  On a test install, simply add a blank index.html file to your blog root.  Poof… your homepage just vanished!

This is because index.html was the default file that the original web servers looked for when deciding whether to display the directory listing or a single page that acted as the content file for that directory.  So even today, most web servers look for an index.html file FIRST, before looking for an index.php or index.htm file.  Some web servers (nearly every Microsoft IIS Server) look for a default.htm file first, by default.

This behavior can be changed with most UNIX-based or Apache web servers with the following .htaccess directive:

DirectoryIndex index.php index.html index.htm default.htm

However, for most Wordpress installs, these 'default' files do not usually store content and are only used for hiding directory structures, and Steps 1 and 2 above should be sufficient.

Summary 

You easily increase the security of your site by simply including the following 2 directives in your .htaccess file:

  1. Options All -Indexes
  2. ErrorDocument 403 /forbidden.html

These and other .htaccess directives can be found at:


2 Comments

  1. Posted August 27, 2007 at 4:01 am | Permalink

    Thanks for the link back :D I had considered those other methods that you mentioned here, but I did think that they were a bit too technical for your average blogger.

  2. Ram
    Posted August 27, 2007 at 1:41 pm | Permalink

    I had the same idea initially. That’s why I didn’t recommend mucking with the .htaccess file in the “First 5 steps..” post.

    Thanks for taking a look! :)
