Here is a video covering everything I have written below, in case you would rather see it done than just read about it:
A few days ago I found out that my WordPress site had a security issue that exposed its files to anyone who cared to look. This ‘problem’ is not specific to WordPress; it affects any site hosted on an Apache server that is configured this way.
This has to do with something called Directory Browsing (Apache calls it directory indexes; the listing is generated by mod_autoindex).
On many default Apache configurations, when a browser requests a folder on your site and the server finds no index file there (index.html, index.php, or whatever the DirectoryIndex directive lists), and the Indexes option is enabled for that folder, Apache automatically generates a page listing the contents of the directory.
This lets anyone browse folders such as your Uploads folder (wp-content/uploads), where everything you add to your Media Library is stored.
Do you sell products from your WordPress site that are stored in your Media Library? That is not a great idea in the first place, but if you do, people can bypass your payment buttons, go straight to those zip files, images or PDFs, and download them directly from your Uploads folder.
In addition to people simply taking anything in your uploads folder, they can see exactly which files (and which versions) you have, for example in your wp-includes folder or a plugin folder, and use that to look for a known flaw in one of those files and gain backdoor access to your site.
The simplest fix is to add a blank index.html file to every folder/directory on your server, so Apache serves the blank page instead of a listing.
Yes, that would fix the problem, but if you have several WordPress sites, each with several folders/directories, you will be busy doing this for quite some time.
Here is the simpler fix.
Add this line to the .htaccess file in your site's root directory (the document root): Options -Indexes
Notice the space after ‘Options’ and before the ‘-Indexes’. One caveat: Apache only reads Options from .htaccess if the server configuration has AllowOverride set to Options (or All) for that directory. With AllowOverride None the file is ignored entirely, and with an AllowOverride that permits other things but not Options, the line causes a 500 Internal Server Error, so test the site after adding it.
But what if you have 50 or 100 WordPress sites? That means you have to add this to 50 or 100 different .htaccess files.
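For the many-sites case, here is a small POSIX shell script that adds the directive to each site's .htaccess for you. It is an added example, not code from the original post: it takes document-root paths on the command line (the paths in the usage comment are placeholders), creates the .htaccess if it is missing, keeps whatever is already in it, and does nothing if a line disabling indexes is already present, so it is safe to re-run.

```shell
#!/bin/sh
# Added example (not from the original post): put "Options -Indexes" into the
# .htaccess of every WordPress document root given on the command line, without
# duplicating the directive if it is already there. The document-root paths in
# the usage comment below are placeholders; pass your own.
#
# Caveat: Apache only honours Options in .htaccess when the enclosing
# <Directory> has "AllowOverride Options" (or All). With AllowOverride None the
# file is ignored; with an AllowOverride lacking Options, Apache returns 500.

DIRECTIVE='Options -Indexes'

# has_no_indexes DOCROOT: succeed if DOCROOT/.htaccess already contains an
# Options line that turns Indexes off (any leading whitespace, any case,
# possibly combined with other options, e.g. "Options -Indexes +FollowSymLinks").
# A commented-out line ("# Options -Indexes") does not count.
has_no_indexes() {
    f="$1/.htaccess"
    [ -f "$f" ] && grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$f"
}

# ensure_no_indexes DOCROOT: append the directive to DOCROOT/.htaccess
# (creating the file if needed). Idempotent: a second run changes nothing.
ensure_no_indexes() {
    docroot="$1"
    if [ ! -d "$docroot" ]; then
        echo "skip:  $docroot is not a directory" >&2
        return 1
    fi
    if has_no_indexes "$docroot"; then
        echo "ok:    $docroot already has '$DIRECTIVE'"
        return 0
    fi
    # The comment line tells whoever edits the file next why the line is there.
    printf '\n# Disable mod_autoindex directory listings (added by harden-indexes.sh)\n%s\n' \
        "$DIRECTIVE" >> "$docroot/.htaccess"
    echo "fixed: $docroot"
}

# Apply to every document root given as an argument; exit 1 if any was skipped.
main() {
    rc=0
    for d in "$@"; do
        ensure_no_indexes "$d" || rc=1
    done
    return $rc
}

# Usage (placeholder paths): sh harden-indexes.sh /home/site1/public_html /home/site2/public_html
# The functions can also be sourced from another script; main only runs when
# document roots are passed on the command line.
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

After running it, request a folder on each site that has no index file and confirm you now get 403 Forbidden rather than a listing; if you get a 500 error instead, the host's AllowOverride does not permit Options in .htaccess and you need one of the server-level methods below.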
The easiest of all (and yes, I should have opened with this) is to contact your web hosting service and have them turn off Indexes in the Apache configuration itself, which covers every site on the server at once.
If you have access to WHM (Web Host Manager), you can do it yourself.
Go to Apache Configuration, then Global Configuration; midway down the page, in the Directory "/" Options section, un-tick the two boxes shown in the image (Indexes is the option that enables directory listings). Click Save at the bottom of the page.
So test your site's vulnerability by entering the URL of your uploads folder in your browser and seeing whether your files are exposed: yourdomain.com/wp-content/uploads. A page titled ‘Index of /wp-content/uploads’ means directory browsing is on; ‘403 Forbidden’ means it is off. Check a few other folders too (wp-includes, wp-content/plugins), because Options can be set per directory and may differ from one folder to the next.
If so, then use one of these methods to plug that security hole. Keep in mind that all of them only stop the listing: anyone who already knows (or can guess) a file's URL can still download it directly, so anything you sell should not live in the public uploads folder at all.
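To check many folders or many sites without clicking through them by hand, here is a small shell script that fetches each URL with curl and classifies the response. It is an added example, not code from the original post; the URLs in the usage comment are placeholders, and the response bodies in the comments are constructed. It keys on two things you can rely on: a stock mod_autoindex page has a title beginning ‘Index of /’, and with Indexes turned off Apache answers a directory request that has no index file with 403.

```shell
#!/bin/sh
# Added example (not from the original post): decide from an HTTP response
# whether a URL served an Apache directory listing. The URLs in the usage
# comment are placeholders; nothing here is specific to one host.

# classify_response STATUS BODYFILE
# Prints exactly one word:
#   listing   - 200 and the body carries the stock mod_autoindex title
#               ("<title>Index of /wp-content/uploads</title>"): browsing is ON
#   forbidden - 403: Options -Indexes (or the WHM equivalent) is in effect
#   blank     - 200 with an empty body: the blank index.html workaround
#   other     - anything else (a real index page, a redirect, a 404, ...)
# Note: a host that customises the autoindex page (IndexOptions, HeaderName)
# may change the title; check such a listing by eye.
classify_response() {
    status="$1"
    body="$2"
    if [ "$status" = "403" ]; then
        echo forbidden
    elif [ "$status" = "200" ] && [ ! -s "$body" ]; then
        echo blank
    elif [ "$status" = "200" ] && grep -Eiq '<title>[[:space:]]*Index of /' "$body"; then
        echo listing
    else
        echo other
    fi
}

# check_url URL: fetch with curl and classify; returns 1 when a listing is found.
# Needs network access, so it is only exercised when URLs are passed in.
check_url() {
    url="$1"
    tmp=$(mktemp)
    # -s quiet, -o body to a file, -w prints only the status code to stdout
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$url")
    result=$(classify_response "$status" "$tmp")
    rm -f "$tmp"
    echo "$result  $url"
    [ "$result" != "listing" ]
}

# Usage (placeholder URLs):
#   sh check-listing.sh https://yourdomain.com/wp-content/uploads/ https://yourdomain.com/wp-includes/
# Exit status is 1 if any URL still serves a listing, so it can run from cron.
if [ $# -gt 0 ]; then
    rc=0
    for u in "$@"; do
        check_url "$u" || rc=1
    done
    exit $rc
fi
```

A ‘blank’ result tells you the folder is protected only by an empty index.html, which is worth remembering when a later plugin or backup restore recreates folders without one; ‘forbidden’ is what you want to see after the .htaccess or WHM fix.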
If you are not sure about any of this, please contact your web hosting service for more details.
Please let me know if you have any questions, comments or suggestions by posting them in the comments section below.