• Hello!

    I’ve followed the guide “Hardening WordPress” and I am pretty confident my site(self hosted) is pretty secure after following the instructions provided.

    One thing I’ve noticed is that after disabling directory listing in my .htaccess, if browsing to wp-content/uploads I am shown a “forbidden” page, but if I simply try wp-content, I simply see a blank page. Is this default behavior or should the latter be redirecting to 404?

    While on the subject, is it best to 404 a page instead of forbidden? If so, how do I achieve it?

    Thank you.

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hi Lee,

    A white page covering your wp-content folder is just fine. What you are trying to avoid is a scenario where the directory index is unprotected and an adversary can browse everything in the wp-content directory. You’ve got that protected so that is very good.

    Your next question on 404 vs. 403 forbidden is more philosophical. Having the content protected is what’s most important. In my experience conducting penetration tests and security audits of WordPress, a 404 is probably more helpful for you, the site owner, because when adversaries see a forbidden directory they think, “this is interesting, let’s find a way in.” When an adversary comes across a 404 they think, “nothing here, better move on” and then they move to the next target in the attack chain. I’m sure there are other opinions on the matter.

    If you’d like to implement a scenario like this, you can set your .htaccess to forward your 403 errors to your 404.php file. Please note, this isn’t an airtight method. Depending on how you implement it, advanced attackers will see the 403 return code in the header then the 301 call to redirect to the 404.php error trap page. A programmer more skilled than me may be able to suggest ways to mask your header return code using .htaccess. Here is an awesome guide that describes many different techniques to push your 403 to a 404.php error page.

    https://stackoverflow.com/questions/10509849/always-return-a-404-when-you-decide-to-return-a-403

    I really like the first approach outlined in the guide: first make a copy of your 404.php file in WordPress and rename it to http-errors.php, and then add these lines to the .htaccess file.

    ErrorDocument 400 /http-errors.php
    ErrorDocument 403 /http-errors.php
    ErrorDocument 404 /http-errors.php

    Adversaries will have a more difficult time ascertaining useful information from your error trap page.

    Kudos to you for going through the effort to harden your WordPress install! Many people don’t. Make sure you’re practicing good password hygiene and not re-using passwords – especially for your admin account.

    Best wishes,
    Kyle

    I’d leave those pages as ‘forbidden’. They are not broken or missing a link… they are responding with an error code stating they are not available and are in fact forbidden territory for a web browser.

    I think most well-behaved search engines deal with the forbidden error code and resulting page differently than they would with a 404. You might ask an SEO expert to explain that but that’s one reason to deal with directories thusly.

    The wp-content directory by itself probably has a blank index file in it, which renders a blank page instead of a forbidden page. You might want to add that directory to your forbidden directories in .htaccess also, in order to ‘toss’ the error and then the forbidden error page itself.

    The forbidden pages reside with the error pages that your web server uses to make a more user-friendly or user specific page instead of just tossing an error and a blank page at the browser. You can customize all these messages.

    You might also notice some error pages are quite generic or nondescript while others come with your website’s header, a message, and the footer which is how you can tell if the error came from the web server or the WordPress install itself.

    What you really don’t want is to respond with an index of the directory if there’s no reason for anyone to be browsing that directory.

    BTW: the HTTP error pages are easily customizable if you wish. You can make them more suitable to your audience, redirect them, add helpful links, etc.

    The WordPress error pages can also be changed as you see fit. I like number ‘9’ in the examples below. Looks like my cat but none of my equipment looks that modern.

    https://www.wpbeginner.com/showcase/best-of-best-wordpress-404-error-page-designs/

    Me? I like to snoop!
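The two replies above describe the same .htaccess pieces from different angles: disable the directory index, deny the wp-content folder itself, and serve a custom error page. The fragment below is an added example assembled for this thread, not configuration posted by either replier or shipped by WordPress. It assumes Apache with mod_autoindex, mod_alias and mod_rewrite enabled, an AllowOverride setting that permits these directives in .htaccess, and that http-errors.php is the renamed copy of 404.php suggested in the first reply.

```apache
# Added example for the WordPress document-root .htaccess (not from the thread).
# Assumptions: Apache with mod_autoindex, mod_alias and mod_rewrite; AllowOverride
# allows these directives; /http-errors.php is the copy of 404.php described above.

# 1. Never generate a directory index, so an unprotected folder shows nothing
#    rather than a file listing.
Options -Indexes

# 2. Answer a request for the wp-content folder itself (and its uploads folder)
#    with a genuine 404 status. A 4xx status with RedirectMatch takes no target
#    URL and sends no Location header, so the client sees one 404 response, not
#    a 403 followed by a redirect. The regex matches only the directory path,
#    so files underneath (theme CSS, uploaded images) are still served normally.
RedirectMatch 404 ^/wp-content/?$
RedirectMatch 404 ^/wp-content/uploads/?$

# 3. Use one page body for 400, 403 and 404 so the error page itself gives away
#    nothing about which condition was hit. With a local path, Apache serves the
#    page internally and keeps the original status code; only the body changes.
#    (A full http:// URL here would instead produce a 302 redirect, which is the
#    leak the first reply warns about.)
ErrorDocument 400 /http-errors.php
ErrorDocument 403 /http-errors.php
ErrorDocument 404 /http-errors.php
```

To confirm the result after deploying, request the folder with `curl -I` against your own site and check that the headers show a single `404` status line with no `Location` header; a `403` or `302` line means the ErrorDocument path or the RedirectMatch rule is not being applied (commonly because AllowOverride does not include FileInfo).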

    Thread Starter Lee

    (@junior)

    Hi Kyle,

    Good to know that a blank page for wp-content is ok. I did as you suggested and by requesting /wp-content/uploads/ I am redirected to my 404 page instead of forbidden.

    I too am using a strong, randomly generated password, and I also took the time to hide my wp-login page and set up two-factor authentication.

    Thank you for the great explanation!

  • The topic ‘Redirecting to 404 on wp-content request’ is closed to new replies.