WordPress is very popular and easy to install. This very accessibility makes it a juicy target for those wanting to collect compromised hosting accounts for serving malicious content, spamming, phishing sites, proxies and web shells.
You may be thinking that these results are information leakage and not critical, however if you consider how prevalent security issues are in WordPress plugins and start to correlate that with full directory listings you can get from having directory indexing on
wp-content/plugins/ you will quickly start to find vulnerable installations.
index of" inurl:wp-content/ 7,370,000 results inurl:"/wp-content/plugins/wp-shopping-cart/" 281,000 results inurl:wp-content/plugins/wp-dbmanager/" 11,000 results
Those plugins were chosen as examples as they are recent and have critical published exploits
Directory indexing may not be something that rings bells but it is a very important part of securing a WordPress blog, if only to at least make it a bit harder for the bad guys. It is good practice to ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or
.htaccess. Otherwise you are just leaving the door open, its like inviting a burglar into your home.... "come in guys take a look around".
The WordPress Security Scanner online testing tool will check if directory indexing is enabled.