26 Jan
Posted by Sherif as Plugins, Security
Each WordPress version has its known vulnerabilities, so it is good practice to reveal as little information about your installation as possible.
You don’t want to make your site an easy target, right?
Ideally you should always upgrade to the latest version, but to be honest many of us put this at the end of the to-do list and might never get to it.
David Kierznowski of blogsecurity.net recently released a simple plugin that hides your WordPress version number.
The no version plugin replaces the version number with blanks, so anyone doing a “view page source” in the browser on your site will not be able to see which WordPress version you are running.
Click here to read more and download it.
Another tip is to disable directory browsing of your plugin directory.
To check it, open http://yourdomain.com/wp-content/plugins in your browser (where yourdomain.com is the domain of your site).
If you see a listing of your plugin files, then you have a security issue: the listing tells anyone exactly which plugins you run.
Here is how to fix it:
Go to your plugin directory in your file manager, and create a .htaccess file if there is not one already.
Add the following line:
# disable plugin directory browsing
Options -Indexes
Go back and TEST. You should be fine now.
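To test the two things described above without eyeballing page source by hand, here is an added Python example (not code from the post or from the no version plugin) that inspects saved copies of your home page and of the plugins URL; the sample HTML below is constructed.

```python
"""Offline checks for the two leaks the post describes: the generator meta tag
exposing the WordPress version, and an Apache directory index on
wp-content/plugins. Feed it HTML you saved from your own site."""
import re

# Matches <meta name="generator" content="WordPress 1.2.3">; the version
# group is empty when the no version plugin has blanked it out.
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress\s*([\d.]*)"', re.I)
# Apache auto-index pages carry the listed path in their <title>.
INDEX_RE = re.compile(r'<title>\s*Index of\s+(/[^<]*)</title>', re.I)


def wordpress_version(html):
    """Version string, '' if the tag is present but blanked, None if absent."""
    m = GENERATOR_RE.search(html)
    return None if not m else (m.group(1) or '')


def directory_listing(html):
    """Listed path if the body is an auto-index page (no Options -Indexes)."""
    m = INDEX_RE.search(html)
    return m.group(1).strip() if m else None


def list_entries(html):
    """Relative links on an auto-index page, i.e. the exposed plugin names.
    Sort links (?C=...) and the absolute parent-directory link are skipped."""
    return re.findall(r'href="([^"?/][^"]*)"', html)


def audit(home_html, plugins_html):
    """Findings for the two URLs the post tells you to check."""
    findings = []
    ver = wordpress_version(home_html)
    if ver:
        findings.append('version disclosed: WordPress %s' % ver)
    path = directory_listing(plugins_html)
    if path:
        findings.append('directory listing enabled at %s (%d entries)'
                        % (path, len(list_entries(plugins_html))))
    return findings


# Constructed samples standing in for a browser's "view source".
HOME_LEAKING = '<html><head><meta name="generator" content="WordPress 2.3.3" /></head></html>'
HOME_BLANKED = '<html><head><meta name="generator" content="WordPress " /></head></html>'
PLUGINS_LISTED = """<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1><pre>
<a href="?C=N;O=D">Name</a>
<a href="/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>
<a href="hello.php">hello.php</a>
<a href="no-version/">no-version/</a>
</pre></body></html>"""
PLUGINS_FIXED = '<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1></body></html>'
```

Run `audit(HOME_LEAKING, PLUGINS_LISTED)` to see both findings reported, and `audit(HOME_BLANKED, PLUGINS_FIXED)` returns an empty list once the plugin and Options -Indexes are in place.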
If you need any help, don’t hesitate to contact me.
9 Responses
David
March 16th, 2008 at 9:49 am
I just placed an index.html in the plugin folder. What is the advantage of the .htaccess file you describe?
Sherif
March 16th, 2008 at 6:18 pm
Hi David,
Thanks for asking.
Since some plugins can be vulnerable, and hence present a risk to your site, it’s advisable not to show what plugins you have.
Placing an index.html is a good idea too, but don’t leave your plugin directory without doing anything to it.
marc
July 24th, 2009 at 10:37 pm
Hi, I’m trying to hide my WordPress directories as suggested here but they’re still showing!
I tried both ways: adding # disable plugin directory browsing
Options -Indexes to the .htaccess file,
and I tried to add an index.html on the root and tried to put it in the plugin folder, and none is working! What am I doing wrong? Email me back please.
Sherif
July 25th, 2009 at 7:57 am
Thanks Marc,
I went to your site and couldn’t see your plugin directory. So I guess you figured it out.
If Options -Indexes is not working, you will need to check with your hosting about it. Since it is a webserver directive (command), you will need to check with your webhost whether they have disabled it or are using a webserver that doesn’t support it.
Most web sites use the Apache webserver, which works with this command.
In this case you can go with creating a blank index.html in that directory, and it should take care of it.
Regards.
Sherif
sandra
September 10th, 2009 at 5:34 pm
Hi! I was surfing and found your blog post… nice! I love your blog.
Cheers! Sandra. R.
Sherif
September 13th, 2009 at 7:11 am
Thanks!
PixelPete
December 29th, 2009 at 8:49 pm
Hello, I read this article.
And tried this .htaccess on a WordPress MU site. And it worked!!
But I realized that visitors could also see all files in the ‘themes’ folder by typing in the URL http://www.anysite.com/wp-content/themes/
So I tried to create another .htaccess file for the themes directory like so:
# disable themes directory browsing
Options -Indexes
But this has caused a problem.
Now my theme graphics do not load at all, plus I get 404 errors on all subpages.
So I deleted the .htaccess file, but the errors still persist.
Not sure if I need to completely re-install WPmu, or if there is just an Apache server setting that needs to be adjusted / restored.
Tony
February 8th, 2010 at 9:03 pm
I agree with David. Placing an index.html page is probably a good alternative.
Sherif
February 9th, 2010 at 9:32 am
Thanks Tony. I noticed lately that newer WordPress downloads include a file index.php in the plugins directory (and others too) that has a comment “Silence is golden”. This will cause a blank page to show.
Regards.
My name is Sherif Elsisi and on this blog I share my knowledge, discovery and experience with hosting issues, Webmaster tools, security and usability.