Don’t Help Pirates and Do Not Create index.php!

In the same branch as Don’t help pirates and stop include all!, here comes a second one which is a following of the reflexion but with index.php files.

Which index?

I’m talking about index.php file containing the most of the time, either nothing, either a “Silence is golden”, even i’m talking about the plugin with the same name Silence is Golden Guard. We do not recommand this plugin, you’ll understand later.

This file is used to avoid the listing of the folder content, if maybe on an new installation I go to /wp-content/plugins/ I’ll find this:

And showing the list of installed plugins (actives or not) is never a good thing to do, because if only one plugin is know as vulnerable tomorrow, a attacker will exploit it on your website for sure.

So do not let this listing on the Internets, and avoid the usage of plugins like My Plugins…

A danger?

The danger comes from the exploit of a vulnerability that allow a file to be written, but not created (because of chmod for example).

The danger comes from the /uploads/ folder, there is no reason to contain a .php file.

Let’s imagine that a pirate could create a .php fie in this folder, it could be very bad for you. The MailPoet flaw was doing that in 2014.

But now, let’s imagine that the creation rights are not allowed but with move_uploaded_files(). This is the most secure case because it only allows upload from WordPress core.

Ok, but … what if a plugin or someone added some index.php empty files in all your subfolders? A pirate could now edit the already created file, update it, wow!

You wanted to protect your folders from listing but you permitted a pirate to add his content in your installation. How bad is that?

How to really protect yourself?

The real protection is to disallow the listing from thentop, directly in your apache/ngniw configuration like that:

Options -Indexes

location / {
    autoindex on;
}

Using IIS? Just go to your folder setting and deactivate the option Directory Listing.

Last thing, we talked about index.php but it works for any useless file like hello.php!

It’s up to you to not help the pirates, remove their tools!

About Julio Potier All of Julio Potier's posts

Creator of SecuPress and the LearnWPSecurity Training, Julio is also lead organisator of WordCamp Lille.
Compulsive speaker, Senior Trainer and WordPress Engineer, he's a specialist in security since 2002 and contribute to WordPress various ways.