Right now, go to your website’s upload directory. For example, yourwebsite.com/wp-content/uploads. What do you see? You may possibly see your premium themes and premium plugins that you have purchased, numerous folders (with many files within each of those folders), and lots of images. Take a closer look. Wait a minute, could that really be the MS Word file, PDF or MP3 that you uploaded as part of an information product you are selling or training you offer?
What does this mean? Well… what this means is that anyone with a little bit of internet and WordPress savvy can easily access and download any or all of your files—for free. It’s really not hard to do. I figured this out by mistake when surfing the internet for a particular topic and found a cool template that linked back to the person’s WordPress upload directory. I took a look to see what else was there, and low and behold, I felt like I had hit the jackpot! So if your settings aren’t right, some of the files may even show up in the search engines.
I tested this directory URL on numerous WordPress sites that I knew of. Some had their upload directory hidden, but others did not! I’m ashamed to say I was one of those who was exposed…
I did some pretty fast research to find out what changes needed to be made.
Hiding WordPress Upload Directory
One thing to do is create a blank index.html or index.php file and upload it to the wp-content/uploads directory. This will hide your uploads directory from people just like me! 😉
Another (and even better) plan of action is to modify your .htaccess file in the root directory with Options All -Indexes. This is more complicated, but it will protect your files and folders from hackers. It disables WordPress directory browsing so no one can view your files and folders.
Protect Wp-config.php
This file stores information about your website and WordPress database, and you certainly don’t want anyone getting their hands on that information! This file can be protected by modifying the .htaccess file in the root directory by adding the following:
<files wp-config.php>
order allow,deny
deny from all
</files>
Protect .htaccess
While you’re at it, you will probably want to protect the .htaccess file itself!
<Files ~ “^.*.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all
</Files>
The .htaccess file can be found via FTP and edited with Notepad, but the easiest way to find and edit it is through your host’s cPanel (if your hosting provides this). Log in with the instructions given to you by your web host, go into your file management and allow display of hidden files. It will be in the root directory. This file manager is also the easiest way for you to upload the blank index file to the wp-content/uploads directory, if you choose to do that instead of modifying the .htaccess file.
This was a daunting project when I decided to do all of it because I found some conflicting and unclear information. Once I figured it all out and was finished, I realized it wasn’t as hard as it seemed. If you’re not the techie type, it may be better not to mess with the files and have your webmaster or technical virtual assistant handle it instead. Always remember to do a complete backup of your website first!
Make sure you get these security issues fixed today! If you would like me to take care of these issues for you, send me an email at lisa@thevirtualsolution.com.
Did you find this blog post helpful? Please share with your friends and leave your comments below!
Great post on wordpress files exposed. I swear sometimes WP and websites in general are going to be the death of me some days.
Technology is great when it works….but oh so maddening when it doesnt. Thank You for your technology gifted mind!
Roberta E. Eastman
Business Office Management Medic
Roberta Eastman Enterprise
Results Are In Your Thinking
Get Your Free Business Skills Assessment
9 Critical Business Skills You Must Have and How To Get Them Now!
http://ree.robertaeastman.com/free-resource-reveals2-2/
I completely agree! Fortunately, the advantages of WordPress outweigh the issues. As I stated in another comment, if this is something we can do ourselves (those who are comfortable trying it), I would think that WordPress could and should integrate it into their software…
Hi Lisa,
Wow! This is incredibly helpful –
What a scary thing to discover your files all out there for the public to see and take as they please!
I’m taking your advice effective immediately.
Thank you so much for sharing!
~Christine
Yes, I was quite shocked when I discovered it. I’m surprised WordPress hasn’t done something about that. If it’s something we can do ourselves, I wouldn’t think it would be difficult for them to integrate it into their software somehow.
Holy mackerel! I’ll have to look into this. My web guy is pretty sharp. Hope I don’t find anything amiss.
Rowena, it all looks good to me at the moment! Seems like he has it all under control. 🙂
Hi Lisa,
Thanks for sharing this post. This is truly helpful. I love using wordpress and the fact that some of our files are prone to be exposed to the public scares me. Thanks for the info!
Lorii Abela
Owner/President
http://manifestingmydestiny.com/
Thanks for the comment! WordPress is great in so many ways, but like everything else, it does have its issues…