Calling WordPress Security Experts: WP-Includes question!

  • Hi there,

    This is more of a personal question for my own curiosity.

    One of my websites appears to be vulnerable because the directory listing (/wp-includes) is enabled. It’s not difficult to fix, however I’m wondering how serious actually is this if none of the files can actually be accessed?

    If I click on basically any file, including user-meta and functions.php it either returns a HTTP 500 or simply shows me a blank screen. So how would a hacker actually benefit from accessing the directory if none of the files can be accessed?

Viewing 1 replies (of 1 total)
  • Moderator Yui

    (@fierevere)

    永子

    They can always access (if web server permits direct PHP execution in those folders) those files, content of folder is known by looking inside WordPress distribution archive.

    Allowed listing can be a threat when:
    you have plugins which may create “hidden” files, which should not be accessed by unauthorized people.
    Backup archives, Logs (including Payment gateway logs), if those are seen and can be downloaded – this is bad for you.
    Of course there should be better measures for protecting such files, but using random seed in file name and forbid directory listing is the basic one, which offer at least temporary protection for such sentitive data.

    It is good to forbid listing by default and allow it only in folders where you share files for direct downloads (file archives, like https://ftp.gnu.org/gnu/gcc/ )

    • This reply was modified 3 years, 10 months ago by Steven Stern (sterndata). Reason: fixed spelling: treat -> threat :-)
Viewing 1 replies (of 1 total)
  • The topic ‘Calling WordPress Security Experts: WP-Includes question!’ is closed to new replies.