{"id":1466,"date":"2018-04-25T20:03:15","date_gmt":"2018-04-25T20:03:15","guid":{"rendered":"https:\/\/jdthomson.com\/?p=1466"},"modified":"2022-07-11T10:17:44","modified_gmt":"2022-07-11T10:17:44","slug":"leaving-wordpress-files-exposed","status":"publish","type":"post","link":"https:\/\/jdthomson.com\/leaving-wordpress-files-exposed\/","title":{"rendered":"Are you Leaving your WordPress Files Exposed?"},"content":{"rendered":"
If you are using WordPress, there may be an issue you don\u2019t know about that\u2019s affecting the security of your uploaded files. Just because you have set things up so that people have to go through an opt-in process to get access, it doesn\u2019t always mean that the public can\u2019t reach the files.<\/p>\n
To check, go to your site\u2019s upload directory.
\nFor example:<\/p>\n
www.yoursite.com\/wp-content\/uploads\r\n<\/code><\/pre>\nYou may see your themes and plugins, numerous folders and lots of images. Take a closer look, and you will be able to see the file you uploaded as part of the product that you are selling.<\/p>\n
What this means is that anyone with a little bit of knowledge can easily access and download any or all of your files for free.<\/p>\n
It\u2019s not hard.<\/p>\n
If you test this directory URL on other WordPress sites that you know, some will have their upload directory hidden, but others may not.<\/p>\n
How To Hide a WordPress Upload Directory?<\/h2>\n
There are two methods you can use.<\/p>\n
Plugin<\/h3>\n
Using security plugins can make it easy to restrict WordPress directory browsing so that no one can view the contents of your uploads directory.<\/p>\n
The two plugins I recommend are:<\/p>\n
\n- Sucuri Security Plugin<\/li>\n
- Wordfence Plugin<\/li>\n<\/ul>\n
Manually<\/h3>\n
You can create a blank index.html or index.php file and then upload it to your WordPress wp-content\/uploads directory. This method will successfully hide the listing of your uploads directory from the public.<\/p>\n
Another way is to modify your .htaccess file, which can be found in the root directory. This method can be a bit more complicated, but it will protect your data from nosy people or hackers.<\/p>\n
Hide wp-config.php<\/h3>\n
The wp-config.php file stores information about your WordPress database & site. You don\u2019t want anyone getting that information. This file can be hidden by modifying the .htaccess file in the root directory.<\/p>\n
Add the following to your .htaccess file:<\/strong><\/p>\n<files wp-config.php>\r\norder allow,deny\r\ndeny from all\r\n<\/files>\r\n<\/code><\/pre>\nHide .htaccess<\/h3>\n
You will also want to protect the .htaccess file if.<\/p>\n
Add the following to your .htaccess file:<\/strong><\/p>\n<files ~ \"^.*\\.([Hh][Tt][Aa])\">\r\norder allow,deny\r\ndeny from all\r\nsatisfy all\r\n<\/files>\r\n<\/code><\/pre>\nYou can find the .htaccess file using FTP and edit it with a text editor, but you can also see it in cPanel. Log in, go into the file manager and allow the display of hidden files. It should be in the root directory of your server.<\/p>\n
TIP:<\/strong><\/h2>\nIf you choose option 1, you can use this file manager to upload the blank index.php to your wp-content\/uploads directory.<\/p>\n
I hope this has helped you make your WordPress site more secure. If there is a security issue you would like to know more about, or if you have any questions, please feel free to leave us a comment.<\/p>\n<\/div>\n