Security in WordPress: Are you still showing YOUR plugins?

Michael Kwan’s blog was recently hacked by a clever hacker who managed to hide his visit neatly. Michael will tell you all about the story at his blog. This event plus a couple of other events has got me thinking about blog security . I’ll be doing a fuller post on my own experiences, ideas and suggestions.

It’s going to be a long post, so it will take some time to put all the pieces together. In the meantime, why don’t you sign up for my feed… so you don’t miss it!

For more interesting articles on running a business, making money, operating your blog, , and so on…, subscribe to the RSS feed or email newsletter. There’s a lot more in the Random Walk to Wealth on InvestorBlogger dot com.

Apart from the obvious tactics of keeping your blog software, themes, and plugins uptodate, several bloggers have suggested ways to make it more difficult to find out which version of the blog platform, and which plugins, you are actually running.

The typical solution is to add a blank html file to the /wp-content/plugins/ directory which will show a blank page, or in John Cow’s case a Moo! But I was surprised to learn that this technique fails to stop an easy way around this. It is possible to discover quite easily any plugin that you can guess is installed and retrieve the directory listing for that plugin even though the higher level directory is masked. Take a gander:


(This image was taken from one of my other blogs with the WP-Cache plugin installed and active.)

I found the directory for the wp-cache folder for another blogger who had otherwised masked his plugins directory with the standard blank HTML file. Unfortunately, a determined hacker will be able to figure out which plugins you likely have, rifle your directory of files to see which files exist in the subdirectory of plugins, and perhaps hack your blog… I could see the contents of this wp-cache directory, plus all the other ones I knew this blogger to have been using. Mmm! I didn’t think that was particularly secure.

What alternatives are there?

Standard .htaccess

Yes, you could simply use an ‘htaccess’ file to secure the plugins from display but you would have to manually write and upload the file to each and every plugin directory that you already have. This could be done more than ten times on my blog, I think. It would look something like this:

Redirect 301 /index.html
Redirect 301 /index.htm
Redirect 301 /index.php

But I realized that with the most commonly suggested solution to prevent viewing plugins, namely a 301 redirect, it is still possible to view the contents of any directory of any plugin below the directory in which the htaccess file is placed. So even if you place the htaccess in the directory of any particular plugin, some plugins also contain subdirectories (for images, etc.) that will still be visible. Tiring work…, so…


If you have a lot of directories in the plugins folder, the simple and easy solution is to create an htaccess file with the following command: “IndexIgnore *” and place it in the /wp-content/plugins folder. This should prevent anyone seeing the listing in that folder or any folders below that level. It generates an error like this:


It’s not very pretty but it’s effective so browsers won’t display the contents. It could also be an opportunity wasted. Why?

HTML file

The standard blank HTML file mentioned above looks something like this:

<TITLE>Blank Page</TITLE>
<META HTTP-EQUIV=”Content-Type” CONTENT=”text/html; charset=utf-8″>

Then Michael Kwan suggested adapting it to a page redirect in a chat we were having. He wrote: “…i’m thinking that it’s also possible to do a index.php and then put in a redirect… if you keep this file handy then you can upload it each time you install a new plug-in…” I began to think: What a good way to turn a problem into an advantage! I’m using an HTML file, though, not a PHP file.

The blank HTML file doesn’t show anything, and inadvertent visitors will not know what’s wrong. And the 404’s only show that a page was not found. So why waste the opportunity? I’ve adapted some simple code that I use, and it should work a treat. I would like to attribute this code, but I can’t remember where it came from!

Page Redirect

With this page redirect, it’s easy to redirect visitors quickly and conveniently to the most recent posting or indeed any specific page you want:

<title>Your Domain</title>
<meta name=”robots” content=”noindex,nofollow”>
<meta http-equiv=”refresh” content=”1; url=“>
<p align=”center”>You are going to Your Domain Name now…
<br>If the page does load after 5 seconds or if you are (like me) impatient,
<a href=”“>just click here</a>.</p>

The only downside is that you’d have to add this to every plugin directory the first time. But you could easily keep a copy somewhere and copy it to any subsequent plugin directory before you upload the plugin.

Thanks to Michael Kwan, and others for providing information that helped to write this blog. I’d appreciate any updates on security, so just drop me a line, especially if I got something wrong.

(Post edited for language, clarifications, and so on.)

WordPress 2.3.3 Security Upgrade: A simple upgrade technique

Today’s announcement of an insecurity in WordPress 2.3.2 may have spooked a few people:

WordPress 2.3.3 is an urgent security release. A flaw was found in our XML-RPC implementation such that a specially crafted request would allow any valid user to edit posts of any other user on that blog. … If you are interested only in the security fix, download the fixed version of xmlrpc.php and copy it over your existing xmlrpc.php.

I have already applied the patch the blog, to ease my mind. To apply the patch, I’d recommend the following five steps:

  • Step 1: Download the patch directly from
  • Step 2: FTP to your account and login.
  • Step 3: Find the xmlrpc.php file in the / folder and rename it as xmlrpc.old.
  • Step 4: Upload the new file to the same folder.
  • Step 5: Once everything’s working, move the file to the root of your FTP User account out of harm’s way.
  • (If things go wrong: rename the new file you just uploaded as Then rename the xmlrpc.old as xmlrpc.php until you can fix the problem. Of course, this is a good technique but the patch is a SECURITY patch, so you really OUGHT to upgrade the xmlrpc.php to the latest one.

If you’re ever upgrading plugins or even themes, renaming a current file or directory as *.old is a good way to give you a Plan B, just in case things go wrong when you install the new theme or plugin or file. You can simply revert to the old versions, provided you haven’t updated the database. CAUTION in upgrading is ALWAYS advised.

And, just in case you think hacking can’t happen to you, read several postings on MattCutts blog about his true but less severe hacking. There’s also a post on John Cow’s blog that got me thinking about this issue.

If you know any other great posts about blog security, do add them in the comments!

Newsbytes on InvestorBlogger: Apple Hot Air?, Affiliate Linking, Banner Plugins for WP and more…

Well, there’s a lot of little stuff that I need to share with readers this Friday… So we’re starting off with five stories that caught my attention.

A quick review

Here are my top (I like them!) stories this week:

Do visit and comment on these stories!

Apple Air vs. Asus Eee II PC

Wow! My new friend Nam (from Nationwide and supplier for our school) and I were chatting about upcoming PC products as he was delivering my new PC Baby for my colleague. These exciting products are including the ASUS Eee II PC with 8.9″ screen (The Enquirer) and the MacBook Air. There are no real schematics on the first product yet, except it’s rumored to have WiMax support built-in and extra memory… But…

Still, this week so the announcement of the launch of the new MacBook Air priced at $1899 for the hard disk version and over $3K for the SD version. Enjoy looking at the pictures and watch the BBC video.

MacBook Air

Lust for this device, if you must! Just keep your credit card away from your computer screen…

Of course, you know which one is cheaper and which one is cooler. But Nam was saying “It’s better for companies simply to launch products with as little fanfare as possible, otherwise they risk sales as people wait for companies to launch products in the future. This means no sales now for existing products and no sales for forthcoming products either!”

NetAudioAds News: Hide those affiliate links

I got this newsletter from Charles Heflin, which is something I hadn’t considered about affiliate links and the reasons why affiliate marketers need to hide their links. I’ve bolded the important parts.

Hello Kenneth,

As the PPP opportuity grows we are seeing an increased
level of people signing up directly under the default
. has not advertised the PPP
opportunity except for the initial launch back on
December 6th. We are leaving the advertising to our
affiliates (you).

The reason I bring this up is because the only way that would get any traffic is because of you
With this fact in mind we find it interesting that we
continue to get sign-ups by the thousands under the main
account. Very little traffic comes from the search engines,
the rest is coming from affiliates.

The point I am trying to make is the only way we could be
getting that many direct sign-ups is because people are
ripping the affiliate ID off of affiliate links and just
going straight to and bypassing the affiliate
all together

This is a strong case for the fact that you should
“absolutely” cloak your affiliate link

This is just a heads-up … If you are not cloaking then
you are losing sign-ups.


Thank you,

Charles Heflin
Marketing Director
PPP, NetAudioAds Group

I’m looking at the possibility of running these ads on this blog for a short while as a test on one of my other blogs to test for acceptability and revenue. But I will consider hiding affiliate links now, I think.

Plugins: Banner Rotators

I’ve been trying different Banner Rotators over the past few months, starting off with Shylock Adsense which would actually rotate a lot of things, because you just need to paste the code. It was easy to use with Adsense because its system naturally limited you to the number of Adsense boxes per page permitted by Google. Worked nicely, very flexible and stable. But when my demands changed, I had to change the software, too.

I’m currently using WordPress Banner Rotator v2.1.3 to handle all the banners, and it seems pretty stable, though some functionality and documentation have issues. It’s commercial software though it won’t break the budget at $14.99 as a download. It’s working well in many ways, but there are some problems that I have discovered with features not working as anticipated. I’ll be doing a full review soon: active banner switch and future date expiry don’t work as anticipated (or not at all), but otherwise pretty stable. I’d like an option to weight ads, too. Some of these problems would be easily solved by setting up ‘ad management software’ and using that code within this software. Such software would manage the ads more effectively, such as OpenAds. It seems pretty stable, though.

Advertising Page

I’ve recently updated the Advertising Page with a lot more information, options and pricing. I’ve even added an ‘advertiser’s mailing list’ which will go live just as soon as I’ve figured out how to operate Zookoda.

Stories in the Works

I’m working on three stories that should come out in the next few days: including one on Technorati Rankings, Using your house as an ATM machine, and ‘E-commerce: Why are some sites so unfriendly to customers?”

Thanks… drop by again soon, will you?

Linkfest Haven, the Blogger's Oasis

This is an Open Trackback post. During this weekend, you can submit your posts to this site. The Open Trackback article URL is this. The reciprocal ping URL is this. You can also use Linkfests. Enjoy and have a great weekend!