Most WordPress users who logged into their control panel today saw the link to Holy Plugins Batman! The gist of the story is that there is an ungodly number of indexed WordPress plugin directories in Google. If you read the comments on that post, however, many people are confused about why this is actually a bad thing.
There's really one simple reason: security. Very few plugins are designed to be called directly, and they will generally give you an error if they are. These errors usually give what's called a "full directory disclosure". In other words, they tell you the entire filesystem path to the file you're looking at. To the layperson this may not seem useful, but to an attacker who knows what he's doing it's the first step in compromising your website. For instance, with
The next security risk could be even more severe. Updates to WordPress, and to plugins, are often released to address specific security holes. If you have indexing enabled, it just makes it easier for someone to figure out which versions you're running, and therefore which of those holes you haven't patched yet.
I am by no means a security expert. I'm sure there are 100 other ways to take advantage of the information you give away just by having indexes open. There are plenty of plugins that allow you to "upload" files. If there were a security hole in one, a hacker could upload any number of scripts that would not only damage your website, but could be used to send out spam, build a DDoS botnet, or do any of a thousand other nefarious things.
Now, I'm not placing the blame here on bloggers' shoulders. A lot of CMS and forum applications include an index.html page in every directory, whether it's used or not. WordPress could solve this simply by shipping an index.php or index.html in each directory that redirects to the homepage.
Anyway, here’s how to fix it if you haven’t read the article:
Edit the .htaccess file in your web root directory and insert the following line:
Options All -Indexes
Alternatively, create an index.html or index.php file and place it in each subdirectory (and each subdirectory of subdirectories, etc.). The file can be blank, or it can be something nifty like:
No, you can not access this directory! Not yours!
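Both fixes above can be applied in one pass. The script below is an added example, not part of the original post: it appends the .htaccess directive only if it is missing, drops a redirecting index.php into every directory that has neither index file (never overwriting one that exists), and counts what is still listable. The install path and the redirect target are assumptions.

```shell
#!/bin/sh
# Added example: apply the two fixes from the post to a WordPress install.
# Paths given on the command line and the "/" redirect target are assumptions.

# Append the directive from the post to .htaccess unless a -Indexes line
# is already present. Apache only honours it if the vhost has
# AllowOverride Options (or All); otherwise the line is ignored or, with
# AllowOverride None plus strict settings, produces a 500 error.
ensure_no_indexes() {
    htaccess="$1"
    [ -f "$htaccess" ] || : > "$htaccess"
    if ! grep -q '^Options .*-Indexes' "$htaccess"; then
        printf '%s\n' 'Options All -Indexes' >> "$htaccess"
    fi
}

# Put a redirecting index.php into every directory under $1 that has no
# index.php or index.html, so a direct request gets the homepage instead
# of a listing. Existing index files are left untouched.
add_index_files() {
    find "$1" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            printf '%s\n' '<?php header("Location: /"); exit;' > "$dir/index.php"
        fi
    done
}

# Report how many directories under $1 still have neither index file.
count_unprotected() {
    find "$1" -type d | while IFS= read -r dir; do
        [ -e "$dir/index.php" ] || [ -e "$dir/index.html" ] || echo "$dir"
    done | wc -l | tr -d ' '
}

# Usage: sh fix-indexes.sh /var/www/html   (the path is an assumption)
if [ -n "${1:-}" ]; then
    ensure_no_indexes "$1/.htaccess"
    add_index_files "$1/wp-content"
    echo "directories still listable: $(count_unprotected "$1/wp-content")"
fi
```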
So, next time someone as smart as Mark Ghosh suggests that something is a bad idea, it probably is.