WordPress is very popular and easy to install. This very accessibility makes it a juicy target for those wanting to collect compromised hosting accounts for serving malicious content, spamming, phishing sites, proxies and web shells.
How prevalent is poor WordPress Security? Our Web Tech Report showed that application updates to WordPress are reasonable. Lets try some easy Google Dorks and check the results.
You may be thinking that these results are information leakage and not critical, however if you consider how prevalent security issues are in WordPress plugins and start to correlate that with full directory listings you can get from having directory indexing on “wp-content/plugins/” you will quickly start to find vulnerable installations.
“index of” inurl:wp-content/ 7,370,000 results
“inurl:”/wp-content/plugins/wp-shopping-cart/” 281,000 results
“inurl:wp-content/plugins/wp-dbmanager/” 11,000 results
Those plugins were chosen as examples as they are recent and have critical published exploits
Directory indexing may not be something that rings bells but it is a very important part of securing a WordPress blog, if only to at least make it a bit harder for the bad guys. Otherwise you are just leaving the door open, its like inviting a burglar into your home…. “come in guys take a look around”.
The WordPress Security Scanner online testing tool will check if directory indexing is enabled.