Best Blackhat Forum

Full Version: [Get] WP-Easy-Secure-Downloads
Hi Twotokes,

Good thread mate, but I have a question.
With adding the code snippet
<files wp-config.php>order allow,deny deny from all</files> Options -Indexes
is the "Options -Indexes" portion, which is outside the brackets, simply added at the end?
#dumbnewbie :)
(02-04-2015 05:06 AM)WorldWarrior Wrote: [ -> ]This is from the guy from way back when who created some Kunaki products, his name is Paul Mihai Pavel, an Indian guy. He had some practical products back then before the internet started to explode with WP and other apps and gadgets
Hi, You're correct, he doesn't produce tons of products unlike some ppl, I bought his WP Tube Squeeze a couple of years ago and it worked like a charm, no conflicts or problems, just $12 although now there's a lot of alternatives like Landing Page Monkey, but $35 maybe worth it I don't know, in both cases the video doesn't work on mobile devices.
Yes. You want to put both sections at the end of the .htaccess file. And I am referring to the .htaccess file in the root directory, not in the theme directory.

The code in the files wp-config.php section stops anyone without direct access (FTP/SFTP) from accessing and editing the file.

The "Options -Indexes" code stops anyone from being able to browse the file folders.

Also, the display formatting on this forum is not that great. The Options -Indexes code should be below the wp-config.php code.

Putting this code in an .htaccess file won't stop everyone, but it will deter most folks.
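
The two directives discussed in this thread, checked by a small auditor (an added example, not code from any of the posters): it parses an .htaccess body, reports whether wp-config.php is denied and directory listing is switched off, and flags the one-line form that this forum's display produces, since Apache reads one directive per line. The function name, the sample strings and the acceptance of the Apache 2.4 spelling `Require all denied` are assumptions of the example.

```python
import re

# Constructed sample inputs (not taken from any real site).
FLATTENED = "<files wp-config.php>order allow,deny deny from all</files> Options -Indexes"
CORRECT = """\
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Options -Indexes
"""

OPEN_RE = re.compile(r"^<files\s+\"?([^\s\">]+)\"?\s*>(.*)$", re.I)
CLOSE_RE = re.compile(r"^</files>(.*)$", re.I)
# Apache 2.2 spelling from the thread, plus the 2.4 equivalent (assumption).
DENY_RE = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)$", re.I)
NOINDEX_RE = re.compile(r"^options\b.*(?<!\S)-indexes\b", re.I)


def audit_htaccess(text):
    """Check one .htaccess body for the two protections this thread describes."""
    result = {"wp_config_denied": False, "listing_disabled": False, "malformed": []}
    current = None  # file name of the <Files> section we are inside, if any
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened, closed = OPEN_RE.match(line), CLOSE_RE.match(line)
        if opened or closed:
            # Section tags must stand alone; text after the tag means the
            # snippet was pasted in its flattened one-line form.
            trailing = opened.group(2) if opened else closed.group(1)
            if trailing.strip():
                result["malformed"].append(number)
            current = opened.group(1).lower() if opened else None
        elif current == "wp-config.php" and DENY_RE.match(line):
            result["wp_config_denied"] = True
        elif current is None and NOINDEX_RE.match(line):
            result["listing_disabled"] = True
    return result
```

Run it over the root .htaccess after each edit; a non-empty `malformed` list means the snippet needs to be split onto separate lines before either protection can be counted as present.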



(02-04-2015 11:03 AM)keithoz88 Wrote: [ -> ]Hi Twotokes,

Good thread mate, but I have a question.
With adding the code snippet
<files wp-config.php>order allow,deny deny from all</files> Options -Indexes
is the "Options -Indexes" portion, which is outside the brackets, simply added at the end?
#dumbnewbie :)
(02-04-2015 06:28 AM)twotokes Wrote: [ -> ]Nice share mark64990, Max 5 REPs given...

I am surprised that there have not been more WSOs on WP security. Out of the box, WP has a lot of security leaks. You can go to almost any WP site and have access to downloads, just go to http://www.site-name.com/wp-content/uploads/ and it's an open bucket.

At the very least, a blank index.html file should be put into every folder to stop folks, like us :-), from browsing. There is a lot that can be done by just adding a few lines of code to the .htaccess file.
Hi Twotokes, Thanks for the reps, truly appreciated. There was a WSO called Local Lead Boss, not sure if shared here, I have a copy if anyone needs it. Just a PDF but really helpful in plugging the holes in WP. Of course there was an upgrade / upsell to automate and send emails to clients offering WP "Fixes". Since I changed my hosting company I've had fewer security issues, that's a big factor for me, better to pay a little more and I can sleep better. (although in my case I was actually paying more previously so always good to check around)
Repped you.

Thanks for the .htaccess info
(02-04-2015 09:58 AM)twotokes Wrote: [ -> ]Hi WorldWarrior,

Probably the closest that you can get to automatically securing WP folders is to edit the .htaccess file.

Open up the .htaccess file and add the following code snippet at the end and that will keep anyone from browsing the file folders of a WP site.

PHP Code:
<files wp-config.php>
order allow,deny
deny from all
</files>
Options -Indexes

If you want to do more research, this is an excellent site for information on editing the .htaccess file. http://www.htaccess-guide.com/

(02-04-2015 09:27 AM)WorldWarrior Wrote: [ -> ]I agree with you on WP being so darned easy to breach.
I even saw this company that claims to "Live Security" and their filepath was open for all to access:

OPERATION WINDIGO - We Live Security
www.welivesecurity.com/wp-content/uploads/.../operation_windigo.pdf
to malicious content, to send spam messages, and to steal more credentials from ...... W P. ,. Figure 3.20 Linux/Cdorked redirection victims by operating system.

One of the services I offer professionals in the coaching industry is monitoring and updating their sites every month so that their files (through the path you mentioned) are not open to the public. I don't tell them what I do but I show them the before and after scenarios. They can't argue with seeing their precious files open to the public and by the next day it's secured.

All stuff I learned online through BH forums!

Is there a way to automatically hide these folders on WP?

I know that each month a new /0x files is created and unless it's manually locked it's wide open. I'm sure there's a way to stop having the manual update each month, so does anyone know?
(02-04-2015 06:28 AM)twotokes Wrote: [ -> ]
Thank you for your info +5 reps, sharing can also be done without a downloadable file!!
SteveW123 Wrote:If you have a copy of Merriam Webster's 11th ed. collegiate dictionary, turn to page 662. Under "irony" you'll see a copy of this sales page and product!



Mediafire Mirror :)
Magic Button :
Code:
http://www.mediafire.com/download/ixdp68vbikqj29c/WP+-Easy+Secure+Downloads.zip