Website Security Problem Solved

Here is a video covering everything I have written below, just in case you'd rather see it done instead of just reading about it:

A few days ago I found out that my WordPress site had a major security issue that could allow hackers access to my site. This ‘problem’ is not just on WordPress sites but on any site hosted with an Apache server.

This has to do with something called Directory Browsing.

By default, when someone goes to a directory on your website and the server can't find an index.html or index.php file there, Apache automatically displays an index page showing the contents of that directory.

[Image: example of directory browsing]

This allows people access to folders like your Uploads folder where anything you add to your Media Library is stored.

Do you sell products from your WordPress site that are stored in your Media Library? That is not a great idea in the first place, but if you do, people are able to bypass your payment buttons, go directly to those zip files, images or PDFs and download them directly from your Uploads folder.

Not cool!

In addition to people being able to just steal anything you have in your Uploads folder, they can see what files you have (for example in your wp-includes folder/directory) and possibly exploit some flaw in one of those files to gain backdoor access to your site.

The fix is simple – just add a blank index.html file to every folder/directory on your server.

Just kidding.

Yes, that would fix the problem, but if you have several WordPress sites, each with several folders/directories, then you will be busy doing this for quite some time.

Here is the simpler fix.

Add this to the .htaccess file in your root directory:

[Image: .htaccess file]

Options -Indexes

Notice the space after ‘Options’ and before ‘-Indexes’.

But what if you have 50 or 100 WordPress sites? That means you have to add this to 50 or 100 different .htaccess files.

The easiest of all (and yes, I should have opened with this) is to contact your web hosting service and have them add it to the Apache configuration.

If you have access to WHM (Web Host Manager) then you can do it yourself.

[Image: disabling directory browsing in WHM]

Go to Apache Configuration, then Global Configuration, then midway down the page un-tick the 2 boxes shown in the image in the Directory/Options section. Click Save at the bottom of the page.

So test your site's vulnerability by entering the URL of your uploads folder in your browser and see if your files are exposed: yourdomain.com/wp-content/uploads
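If you look after many sites, the browser check above gets tedious, so here is a small script (added here as an example; it is not part of the original post) that fetches the uploads and wp-includes directories on your own domains and reports whether Apache's auto-generated listing comes back. A 403 (what Options -Indexes produces) or a blank index.html both count as "not exposed"; the domain names, the User-Agent string and the sample HTML in the comments are assumptions/constructed.

```python
"""Check whether Apache directory listing (mod_autoindex) is exposed on your own sites."""
import re
import urllib.error
import urllib.request

# The directories the post tells you to check on a WordPress site.
WP_DIRS = ["/wp-content/uploads/", "/wp-includes/"]

# Apache's auto-generated listing has an "Index of /..." title and a "Parent Directory" link.
_TITLE_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)
_PARENT_RE = re.compile(r"Parent Directory", re.IGNORECASE)


def looks_like_autoindex(status, body):
    """True only for a 200 whose body carries the autoindex markers.

    A 403 Forbidden (the result of 'Options -Indexes') or a 200 that serves a
    blank index.html are both treated as 'not exposed'.
    """
    if status != 200:
        return False
    return bool(_TITLE_RE.search(body) and _PARENT_RE.search(body))


def fetch(url, timeout=10.0):
    """Return (status, body) for a URL; HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlisting-check/1.0"})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def check_site(domain, dirs=WP_DIRS):
    """Map each checked URL on one of your own domains to True if a listing is exposed."""
    results = {}
    for path in dirs:
        url = f"https://{domain}{path}"
        status, body = fetch(url)
        results[url] = looks_like_autoindex(status, body)
    return results


if __name__ == "__main__":
    import sys
    for domain in sys.argv[1:]:  # e.g. python check_listing.py yourdomain.com
        for url, exposed in check_site(domain).items():
            print(("EXPOSED " if exposed else "ok      ") + url)
```

Run it with your own domain names as arguments; any line marked EXPOSED is a directory where one of the fixes in this post still needs applying.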

If so, then use one of these methods to plug that security hole.

If you are not sure about any of this, please contact your web hosting service for more details.

Please let me know if you have any questions, comments or suggestions for me by posting them in the comments section below.


4 thoughts on “Website Security Problem Solved”

  1. Judy Kettenhofen

    I’m sure you mean Apache configuration … 🙂
    Actually, if you have a cPanel web hosting account you can do the same thing and protect all folders on your account via the “index manager” (under “advanced”) — might be able to do so with the “apache handlers” section … but — while I’ve set up Apache tons of times … it’s been a while … and it was always on a dedicated server. Not quite how it works on shared hosting.
    …also the error pages section in “advanced” is worth checking out …

    On one of my hosting accounts, I see they have “mod_security” under “security” … which isn’t something I’ve seen possible before on a shared hosting account.

    Hope that helps, Steve!

    Judy

    1. SteveD

      Hi Judy & thanks for stopping by and letting me know about the index manager in the Advanced section in cPanel. Which radio button do we check to prevent the directory browsing?
      [Image: which radio button to check for preventing directory browsing]

      Yes the one method I detail on disabling directory browsing in WHM is with Apache configuration. I mention that about mid-way into the post.
      When you get a minute, Judy, can you post a reply on which radio button to check in cPanel's index manager?

      Thanks again for posting your comment – talk to you soon.

      – Steve D.

      1. Peter Sandorf

        Thanks for your post, Steve,
        and for taking up this kind of security.
        You choose "No Indexing" to protect yourself this way.
        There is also a different and perhaps more secure way, at least as it covers a larger area. It is CloudFlare!

        It's free to join and the service it provides goes far enough for most people.
        You can join (for free) directly from their site. But there is (now) a supplementary service in cPanel to manage this.
        And this is (of course) much easier, faster and more efficient.

        But I also believe that it works more smoothly and is more compatible with your web host this way.
        I remember once when I had a site protected on CloudFlare and had to install a service that required a CNAME, I think it was.
        But then it didn’t find the site because of some conflict that arose with the hosting company.
        Hope it helps a little
        Kindly,
        Peter

        1. SteveD

          Hi Peter and thank you for your reply.

          Yes CloudFlare is a powerful security tool as well as helping you speed the load time of your site – which makes Google happy 🙂

          And you are correct, they offer a free option which is a price we all can afford.

          Unfortunately I do not think that using CloudFlare puts a stop to the Directory Browsing issue that this post covers.

          Whether CloudFlare does or doesn’t stop the Directory Browsing issue, it is a solid security tool for a lot of reasons – and a free way to get SSL on your domain.

          Thanks again for checking out my post Peter.
