I once had a reader show up on one of my sites who became a bit obsessive about the community and when I eventually had to ask them to moderate their endless barrage of posts and comments and replies they came back at me with the creepy response that they had been snooping around the backend of the site and that they had some experience with hacking and that I should be more careful.
I asked them what exactly they were looking for and they filled me in that it was nothing in particular – a lot of people like to hack things just because they can, for bragging rights or even in some cases to test and help out the hackee.
Whatever the case, I learned my lesson.Â One of the most important steps you can take to preventing unwanted snooping around your virtual back office is to ensure that the contents of your folders are not easily viewable by simply typing in their path in a browser line.
To see what I am talking about – go to your own website and add
to the end of your main URL.
What do you see?
Now remove what you added above and instead append:
Here’s a third one to test out:
If that doesn’t spook you, it should.Â Not all plugins and themes are created equal; some are still in early development and may be filled with vulnerabilities, and security leaks that can be exploited.Â Affording someone with the know-how and malicious intent an easy glance at all the plugins or themes you are using, is like handing a ball of chum to a hungry shark.
In the third example, you are allowing anyone a direct download link to anything you may ever have uploaded through your site.Â This may include images you changed your mind about using, software, mp3s or whatever else.Â It kind of defeats the purpose of all that nice formatting, affiliate marketing and newsletter sign-ups forms doesn’t it?
The solution is really very simple:
Create an empty text file and rename it index.html
Drop that file into the top level of each of those directories (for example, using an FTP client, drag and drop your empty index.html file right onto your “Themes,” “Plugins” and “Uploads” folders), and any other directories that do not already have an index file (make sure to look for index.html, index.htm and index.php How the West Was Fun dvd – you do NOT want to overwrite these or even put the above file in a directory that normally uses any of the above, or it will potentially break your site).Â If you don’t know what you are doing, make sure you back up your site first.
The above can also be handled by using an .htaccess file, but not everyone will be able to implement an .htaccess file, so I feel the above method for at least keeping the contents of these folders private is the best one for those of you less familiar with advanced hosting methods.
I found a nice article and discussion thread that echoes the idea above, and also offers some additional security tips at DailyBlogTips.com
Be sure to read the comments posted in response to their article for more insight and ideas about working with this matter.
About the Author:
Keram is a new media consultant, music producer, actor and writer who opines on SEO at blogging-fool.com