
Another Easy–If Inelegant–Way To Increase WordPress Security: Blank HTML Page in Plugins Folder


Photo by no-ozone at DeviantArt


My experience of late has made it clear to me that one of my missions will now have to be increasing the security of WordPress blogs, whether I like it or not. I did contact a blog security “expert” for help with this problem–nearly two weeks ago, I contacted him, based on a referral. But here’s the thing with internet people: a lot of them are bad about getting back to you in a reasonable amount of time. Not all of them, of course (have I raved about the excellent customer service I’ve been receiving at Liquidweb enough yet?), but some tend to be bad at this part of their business. And I hate asking for help, it’s one of my character flaws, so when I ask for help and don’t get it, this only makes me more determined to become self-sufficient. Which is like a really long way of explaining that while I was trolling the internet for new ideas on increasing security against break-ins to my blog, I stumbled upon a pretty simple way to do just that.

I don’t know how much you know about HTML. Oh wait–yes I do–you don’t know anything about HTML (but I love you anyway). Well, back in the day we used to use only HTML for pages, and we still use HTML pages on occasion these days, particularly for blocking pages from the sight of viewers, whether temporarily or permanently. An example of this use is when a site is undergoing maintenance, and you visit it, and get a static page informing you of this. This is simply a temporary HTML page that has been inserted into the website so that you don’t see all the messy stuff going on behind the scenes. It’s like a virtual version of the butcher paper they put in store windows when they’re getting it ready to reopen. It takes about ten seconds to make an HTML page, and it saves a lot of time for your viewers and for yourself while you’re doing maintenance, because you won’t be getting all kinds of extra page requests to your server while people are trying to figure out what the hell is going on.

What does this have to do with blog security? Well, by default the plugins folder in WordPress (yoursite → wp-content → plugins) is browsable: if you open it in a browser, you get a directory listing of every plugin somebody has installed on their site. Why? Because I think it has to be this way in order to function correctly, though that may be a question for Matt Mullenweg. Why does it matter? Because if somebody knows exactly what plugins you have installed on your site, it is easier for them to hack into it. Plugins are little programs, and they can have back doors built into them, both by mistake and by design, you see–so if somebody knows what they are doing, and sees you have LinkWithin installed, and happens to know that LinkWithin has a back door that they know how to access . . . well, you can see that this might be a problem. Potentially, they can find a way into your website.

Now don’t go freaking out. As far as I know, LinkWithin doesn’t actually have any back doors. That was just a hypothetical example. The point is, it’s better not to let everybody know all the plugins you have installed on your site, if you can avoid it. So having that plugins directory visible is a crappy idea from a security point of view. So what can we do about it? Easy. We’ll put a blank HTML file in there so that any time somebody visits that page–and by the way, there is no legitimate reason that anyone would be visiting that page in a browser, that I can think of–they will just get a blank screen. Try it. Here’s mine. Cool eh?

So how can you do it? Well, if you have a web design program like Dreamweaver, you can just make a blank HTML document and save it as “index.html,” and then upload it to your server (yoursite → wp-content → plugins) via your FTP program. If you don’t have one, you can right-click on my page above and save it to your desktop, and then upload it to your site the same way. If you have multiple installations of WordPress (like I do), you need to make sure that you have it in the plugins folder for every install. Why does it have to be called index.html? Well, because when a folder is called up in a browser, the web server serves whichever file in that folder is called “index” instead of listing the folder’s contents. So the naming is crucial here, people. Good luck.
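If you have shell access to the server rather than just FTP, the same job can be scripted, which helps when you run several WordPress installs and want to be sure none of them got missed. The script below is an added example and is not part of the original post or of WordPress itself; the install paths passed to it are hypothetical. It creates a minimal blank index.html in wp-content/plugins for each install, leaves any existing index.html alone, and includes a check function you can run afterwards.

```shell
#!/bin/sh
# Added example (not from the original post): drop a blank index.html into the
# wp-content/plugins folder of one or more WordPress installs, so a browser
# request for /wp-content/plugins/ gets an empty page instead of a listing.
# Assumes each argument is the root directory of a WordPress install
# (hypothetical paths such as /var/www/site1).

# Minimal valid HTML document; it renders as a blank screen.
BLANK_HTML='<!DOCTYPE html>
<html><head><title></title></head><body></body></html>'

# add_blank_index ROOT
# Creates ROOT/wp-content/plugins/index.html unless a file of that name is
# already there (so a custom page is never overwritten). Returns 0 when the
# file is present afterwards, 1 when ROOT has no plugins folder at all.
add_blank_index() {
    plugins_dir="$1/wp-content/plugins"
    if [ ! -d "$plugins_dir" ]; then
        echo "skip: $plugins_dir does not exist (not a WordPress install?)" >&2
        return 1
    fi
    target="$plugins_dir/index.html"
    if [ -e "$target" ]; then
        echo "keep: $target already exists"
    else
        printf '%s\n' "$BLANK_HTML" > "$target"
        echo "created: $target"
    fi
    return 0
}

# has_blank_index ROOT
# Exit status 0 if the index.html is in place, 1 otherwise. Handy as a quick
# audit across every install after uploading files by hand via FTP.
has_blank_index() {
    [ -f "$1/wp-content/plugins/index.html" ]
}

# Usage: sh blank_index.sh /var/www/site1 /var/www/site2
for root in "$@"; do
    add_blank_index "$root"
done
```

After running it, open yoursite/wp-content/plugins/ in a browser and confirm you get a blank page rather than a file listing. This file-based approach only covers the one folder you put the file in; if you also control the web server configuration, turning off directory listings there (on Apache, `Options -Indexes` in the site config or .htaccess) closes the same hole for every folder at once.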

Comments (5)

  1. Aug 7, 2009

    Does it have to be blank?

    I mean, could it have text? Like text that says something like, “Listen, asshole, stop trying to hack my website. How pathetic are you?”

    Because I think that would be more fun.

  2. Aug 7, 2009

    LOL! Yes, it can have text, and I was thinking about putting text in there but was ultimately too lazy. You’d just type it in and save it as index.html the same way.

  3. Aug 7, 2009

    It would be really fun to actually target the text so precisely that the person feels like it’s truly meant just for them. That’s a fun way to increase someone’s heart rate.

    Because, let’s face it…for most of us, the list of people who (a) hate us enough to hack us and (b) are evil enough to act on it is pretty short. Unless you’re a big juicy target (like CNN or Twitter or whatever), you pretty much are looking at a known perp.

    A graphic of a map with an arrow pointing to the town they live in, with an arrow that says, “YOU ARE HERE. DID YOU THINK I DIDN’T KNOW IT WAS YOU?.” would be fun. Or if you could get code that flashes their IP address on the screen with something like, “GOTCHA BITCH! WATCH FOR THE BIG FAT ENVELOPE FROM THE LAWYERS!”

    I wish I had the technical skills to match my penchant for calling out evildoers. I could be the Internet Avenger. That’d be a fun job.

  4. Aug 7, 2009

    Anna- I appreciate your sharing of all this information you gathered from your hardships.
    By any chance, is Kerry your evil twin? She has some interesting ideas about vengeance.

  5. Aug 8, 2009

    @Tim, no, Kerry is actually her own evil twin. But yes, I do admire her vengeance plotting.
