
My First Wordpress Plugin

The first plugin I am releasing is really more of a security patch than a plugin. It closes a small information leak that is open on a lot of Wordpress installs, and with luck Wordpress will ship the same fix in a future update.


People I am pinging who should consider installing this (each of the folders below currently shows a directory listing):

  1. A Blog About Nothing : http://www.ablogaboutnothing.com/wp-content/plugins/
  2. Smemon : http://www.smemon.com/wp-content/plugins/
  3. John Cow : http://johncow.com/wp-content/plugins/
  4. ClickaLite : http://www.clickalite.com/wp-content/plugins/
  5. E-Moms : http://www.emomsathome.com/blog/wp-content/plugins/
  6. Blogtrepreneur : http://blogtrepreneur.com/wp-content/plugins/
  7. Matt Cutts : http://www.mattcutts.com/blog/wp-content/plugins/
  8. Ledger Pad : http://ledgerpad.ath.cx/wp-content/plugins/

I’m sure there are more people in my Google Reader with the same problem, but these were the first 8 I checked who had left this hole open.

Are you for real?

Letting anyone see which plugins you run, and which versions, is a problem in itself. If a request for /wp-content/plugins/ comes back as a directory listing, an attacker gets the name of every plugin folder you have, and the readme.txt inside each folder normally gives away the version. If one of those plugins has a published exploit (an XSS bug, for example), matching it against your list takes no effort at all. The less a potential attacker can find out about your site, the safer you are. Hiding the listing does not fix a vulnerable plugin, so keep them updated, but it does stop you handing out the shopping list. If you are using Wordpress I would recommend you apply the fix.

The Fix

Upload a blank index.html file into the folder /wp-content/plugins/ (and into /wp-content/themes/ while you are at it). When the web server finds an index file it serves that instead of generating a listing, so a request for the folder now returns an empty page. I have a copy of one here for you: index.htm, just click on that to download it, and make sure it is saved on the server as index.html. To check it worked, open http://yourblog/wp-content/plugins/ in your browser: if you still see “Index of /wp-content/plugins”, the file is in the wrong place or has the wrong name. If you have access to the server configuration, turning directory indexes off there (Options -Indexes on Apache) covers every folder at once instead of one at a time.

I hope this is a help!


  1. 14 Comment(s)

  2. By Glen Allsopp | Reply

    I don’t think it counts as a plugin :P

  3. By BeckyS | Reply

    How about …. “Security Patch via a plugin, and you upload only 1 file which is 3 bytes small and it could save you from a security breach !” ;)

  4. By Angela | Reply

    That’s a really good idea. I haven’t thought about that in a long time. I used to put blank indexes into all my folders because people were going through my photo folders and just snatching whatever pictures they wanted. At least with the index.html, they had a harder time of doing so.

  5. By A Blog about Nothing | Reply

    Good tip, forgot all about that little “trick”. I’ll have to do it.

  6. By Wendy Piersall | Reply

    I had my webmaster Steve Johnson fix this – thanks for the heads up! :) -Wendy

  7. By web2.0ready | Reply

    I have no doubt about the trick of putting an index.html file in the plugin folder. But it shouldn’t be difficult to guess what plugins you use from your blog.

  8. By BeckyS | Reply

    True web2.0ready (thanks for your comment), if you had an insecure release of a plugin that might be a problem. I love your site btw.

    You can, as far as I know, also turn off folder indexing at the server level too….

    Glad I could help you Angela, Wendy & “A Blog About Nothing” :D

  9. By smemon | Reply

    cheers for the heads up.. not a huge issue but then again better safe than sorry :-)

  10. By bakkouz | Reply

    Hello Becky, nice blog you got here :)
    Instead of leaving the index.html file blank, why not make it redirect to the main page, or any other page of your choice? It can be done with a very simple JavaScript embedded into the html file. And not only for the plugins folder, but for the themes folder as well :)

    (I myself don’t use the redirect but only because I like whoever stumbles onto those folders to see my fire throwing scary monster :P )

  11. By Preblogging | Reply

    Good idea bakkouz, you could always do a redirect via PHP too. I decided to keep it simple. I liked your dragon, and your blog has a great layout!

  12. By want to know my thoughts | Reply

    Thanks for letting me know about this. I’m not a techie, and this is the first time I have heard this.

    Kelli

  13. By iwebie | Reply

    I used to use Wordpress, but I got sick of all the security holes and switched back to MovableType.

  14. By Blog Hoster | Reply

    Great info, thanks for sharing this.

  15. By JamieDunne.com | Reply

    Better Still folks,

    Put a POP up, optin form, secret OTO (one time offer)…and make extra do$h

    …or just put some warning that you are watching the snooper…

    It’s your virtual real estate…

    jd

  1. 5 Trackback(s)

  2. Aug 21, 2007: StumbleUpon » Your page is now on StumbleUpon!
  3. Aug 22, 2007: Comment Referrers Plugin
  4. Aug 23, 2007: Security hole in wordpress.. | Irish Internet Entrepreneur - Smemon
  5. Aug 26, 2007: Ramness.com » Wordpress Security Tip 1: Using .htaccess for protecting directory information
  6. Oct 23, 2007: Blogging all over the World | Start Blogging
