Another Easy–If Inelegant–Way To Increase WordPress Security: Blank HTML Page in Plugins Folder
My experience of late has made it clear to me that one of my missions will now have to be increasing the security of WordPress blogs, whether I like it or not. I did contact a blog security “expert” for help with this problem–nearly two weeks ago, I contacted him, based on a referral. But here’s the thing with internet people: a lot of them are bad about getting back to you in a reasonable amount of time. Not all of them, of course (have I raved about the excellent customer service I’ve been receiving at Liquidweb enough yet?), but some tend to be bad at this part of their business. And I hate asking for help, it’s one of my character flaws, so when I ask for help and don’t get it, this only makes me more determined to become self-sufficient. Which is like a really long way of explaining that while I was trolling the internet for new ideas on increasing security against break-ins to my blog, I stumbled upon a pretty simple way to do just that.
I don’t know how much you know about HTML. Oh wait–yes I do–you don’t know anything about HTML (but I love you anyway). Well, back in the day we used only HTML for pages, and we still use plain HTML pages on occasion these days, particularly as placeholders that keep viewers from seeing something, whether temporarily or permanently. An example of this is when a site is undergoing maintenance, and you visit it, and get a static page telling you so. That is simply a temporary HTML page that has been dropped into the website so that you don’t see all the messy stuff going on behind the scenes. It’s like a virtual version of the butcher paper they put in store windows when they’re getting ready to reopen. It takes about ten seconds to make an HTML page, and it saves time for your viewers and for yourself while you’re doing maintenance, because you won’t be getting all kinds of extra page requests to your server while people try to figure out what the hell is going on.
What does this have to do with blog security? Well, the plugins folder in WordPress (site–>wp-content–>plugins) is, on a lot of hosts, visible if you call it up in a browser: you get a directory listing, and you can see exactly what plugins somebody has installed on their site. Why? Not because WordPress needs it to function. The listing comes from the web server’s directory-index feature (on Apache that is the Indexes option), which many hosts simply leave switched on, so it’s a question for your host’s server configuration rather than for Matt Mullenweg. Why does it matter? Because if somebody knows exactly what plugins (and, from the folder names, often which versions) you have installed, it is easier for them to hack into your site. Plugins are little programs, and programs have bugs; plenty of plugins have shipped with serious security holes, and now and then a deliberately malicious one turns up too. So if somebody knows what they are doing, and sees you have LinkWithin installed, and happens to know of a hole in LinkWithin that they know how to use . . . well, you can see that this might be a problem. Potentially, they can find a way into your website.
Now don’t go freaking out. As far as I know, LinkWithin doesn’t actually have any such hole. That was just a hypothetical example. The point is, it’s better not to hand everybody a list of the plugins you have installed on your site, if you can avoid it. So having that plugins directory listable is a crappy idea from a security point of view. So what can we do about it? Easy. We’ll put a blank HTML file in there so that any time somebody visits that page–and by the way, there is no legitimate reason that anyone would be visiting that page in a browser, that I can think of–they will just get a blank screen. Try it. Here’s mine. Cool eh? One caveat, so you don’t think this makes you bulletproof: it only hides the listing. Someone can still guess at plugin paths directly (every plugin has a known folder name, and most ship a readme.txt in it), and your pages’ own HTML source usually names the plugins that load their CSS and JavaScript from that folder. This closes a freebie; it doesn’t lock the door.
So how can you do it? Well, if you have a web design program like Dreamweaver, you can just make a blank HTML document and save it as “index.html,” and then upload it to your server (url–>wp-content–>plugins) via your FTP program. (A completely empty file works just as well; the browser shows a blank page either way.) If you don’t have one, you can right-click on my page above and save it to your desktop, and then upload it to your site the same way. If you have multiple installations of WordPress (like I do), you need to make sure that you have it in the plugins folder for every install. Why does it have to be called index.html? Well, because when a folder is called up in a browser, the server looks for a default document from a short list of names (index.html, index.php and so on) and serves that instead of the listing. So the naming is crucial here, people. WordPress actually ships a near-empty index.php in that folder for exactly this reason, so if you are seeing a listing, either that file has gone missing or your server isn’t honoring it; the index.html is a belt-and-braces fix either way. The more thorough fix, if your host lets you, is to turn directory listings off in the server configuration, so that every folder is protected, not just the ones you remembered. Good luck.
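For anyone with shell access rather than just FTP, here is the same procedure as a script. This is an added example, not something from the original post: it walks a web root (a hypothetical path you supply), finds every WordPress install by its wp-content/plugins folder, drops a blank index.html into each one that lacks it, and, for Apache hosts that allow .htaccess overrides, writes an `Options -Indexes` rule so the listing is off regardless of which index file the server prefers. The `Options -Indexes` directive is standard Apache; whether your host honors it in .htaccess is an assumption you should check.

```bash
#!/bin/sh
# Added example (not from the original post): hide WordPress plugin
# directory listings across every install under a web root.
# Assumes a Unix host with POSIX sh and find; the Apache .htaccess part
# only takes effect where AllowOverride permits Options.

# Print every wp-content/plugins directory below $1, one per line.
find_plugin_dirs() {
    find "$1" -type d -path '*/wp-content/plugins'
}

# How many plugins directories below $1 still have no index.html?
# Printed as a bare number so a caller can check its work.
count_missing_index() {
    find "$1" -type d -path '*/wp-content/plugins' \
        -exec sh -c 'test ! -e "$1/index.html"' sh '{}' \; -print \
        | wc -l | tr -d ' '
}

# Create an empty index.html in every plugins directory below $1 that
# lacks one. An existing file is never overwritten, so a custom
# placeholder page survives repeated runs.
ensure_blank_index() {
    find "$1" -type d -path '*/wp-content/plugins' -exec sh -c '
        for d; do
            [ -e "$d/index.html" ] || : > "$d/index.html"
        done' sh '{}' +
}

# Apache only: switch directory listings off for the directory $1 (and
# everything under it) via .htaccess. Idempotent: the rule is appended
# once, and a pre-existing .htaccess keeps its other contents.
write_no_indexes_htaccess() {
    htaccess="$1/.htaccess"
    if [ -f "$htaccess" ] && grep -q '^Options -Indexes' "$htaccess"; then
        return 0
    fi
    printf 'Options -Indexes\n' >> "$htaccess"
}

# Usage: sh hide_plugin_listing.sh /path/to/web/root
# (only runs when a root is given, so the functions can be sourced alone)
if [ "$#" -gt 0 ]; then
    before=$(count_missing_index "$1")
    ensure_blank_index "$1"
    find_plugin_dirs "$1" | while IFS= read -r dir; do
        write_no_indexes_htaccess "$dir"
    done
    echo "plugins folders fixed: $before (now missing: $(count_missing_index "$1"))"
fi
```

The two belt-and-braces layers are deliberate: the blank index.html works on any web server that honors index files, while the .htaccess rule also covers wp-content/plugins subfolders and any other directory you forgot, but only on Apache. Run the script once per server, not once per install, and re-run it after adding a new WordPress site.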