• Subscribe to the low volume list for updates.

Google Dorking WordPress

Statistics for 2023 show around 450 million sites use WordPress, with that number continuing to grow. This makes WordPress an attractive target for those wanting to collect compromised hosting accounts for serving malicious content, spamming, phishing sites, proxies and web shells.


One of the reasons for WordPress's popularity is WordPress Plugins. Adding many functions such as shopping, forms, analytics and a vast array of others. According to the WordPress.org Plugins page there are over 60,000 free plugins.

Consider how prevalent security issues are in WordPress plugins and start to correlate that with full directory listings you can get from having directory indexing on wp-content/plugins/ it won't take long to find vulnerable installations.

Lets try some easy Google Dorks and check the results.

Google Dork 2023 results
index of "inurl:wp-content/                              36,000,000 results inurl: "/wp-content/plugins/wp-visual-slidebox-builder/    281,000 results

The following image shows the results of a google dork: intitle:"index of" config.php

screenshot of google search results

Whilst its not possible to hack a website using google dorks, it is a useful tool for gathering information, also known as recon, on a target which expands the attack surface an attacker has to play with.

Directory Indexing

Directory indexing may not be something that rings bells but it is a very important part of securing a WordPress blog, if only to at least make it a bit harder for the bad guys.

Showing the contents of a directory allows an attacker to gather information on installed plugins, themes, assets and others.

As part of the recon process, gathering this information provides an attacker with further options to explore such as if the plugin as a vulnerability they could use to gain a foothold on a targeted site.

It is possible to go to the browser or if you prefer the command line, below is a simple cURL example. This example pipes the results to html2text which is Python script that "converts a page of HTML into clean, easy to read ASCII text".

$ curl -s -X GET http://blog.example.com/wp-content/plugins/example-plugin/ | html2text

****** Index of /wp-content/plugins/example-plugin ******
 Name                 Last_modified    Size Description
 Parent_Directory                        -  
 CHANGELOG.md         2016-11-01 10:58 4.0K  
 assets/              2016-11-01 10:58    -  
 cache/               2019-09-06 21:45    -  
 composer.json        2016-11-01 10:58  749  
 config.php           2016-11-01 10:58  252  
 languages/           2016-11-01 10:58    -  
 plugins/             2016-11-01 10:58    -  
 src/                 2023-03-08 12:37    -  
 updates/             2023-03-01 12:38    -  
 vendor/              2016-11-01 10:58    -  
 views/               2023-03-02 12:38    -  
 example-config.php   2016-11-01 10:58 1.0K  
 example.php          2016-11-01 10:58 5.3K  

Disable Directory indexing for WordPress

Ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.

A suggested way to check is try: www.yoursite.com/wp-includes in the browser. If the result is a 403 Forbidden this means directory listing is disabled.

The WordPress Security Scanner online testing tool will check if directory indexing is enabled.

Secured WordPress?
Test WordPress and Server Security in 2 clicks