Did WordPress Leave Your Files Exposed?

If you’re using WordPress, there may be an issue with your uploaded files that you’re not aware of. Just because you have certain files set up so that people can only access Hide WP them after going through an opt-in or shopping cart process, it doesn’t necessarily mean that the public can’t access them for free.

Right now, go to your website’s upload directory. For example, yourwebsite.com/wp-content/uploads. What do you see? You may possibly see your premium themes and premium plugins that you have purchased, numerous folders (with many files within each of those folders), and lots of images. Take a closer look. Wait a minute, could that really be the MS Word file, PDF or MP3 that you uploaded as part of an information product you are selling or training you offer?

What does this mean? Well… what this means is that anyone with a little bit of internet and WordPress savvy can easily access and download any or all of your files-for free. It’s really not hard to do. I figured this out by mistake when surfing the internet for a particular topic and found a cool template that linked back to the person’s WordPress upload directory. I took a look to see what else was there, and low and behold, I felt like I had hit the jackpot! So if your settings aren’t right, some of the files may even show up in the search engines.

I tested this directory URL on numerous WordPress sites that I knew of. Some had their upload directory hidden, but others did not! I’m ashamed to say I was one of those who was exposed…

I did some pretty fast research to find out what changes needed to be made.

Hiding WordPress Upload Directory

One thing to do is create a blank index.html or index.php file and upload it to the wp-content/uploads directory. This will hide your uploads directory from people just like me!

Another (and even better) plan of action is to modify your .htaccess file in the root directory with Options All -Indexes. This is more complicated, but it will protect your files and folders from hackers. It disables WordPress directory browsing so no one can view your files and folders.

Protect Wp-config.php

This file stores information about your website and WordPress database, and you certainly don’t want anyone getting their hands on that information! This file can be protected by modifying the .htaccess file in the root directory by adding the following:

<files wp-config.php>
order allow,deny
deny from all
</files>

Protect .htaccess

While you’re at it, you will probably want to protect the .htaccess file itself!

<Files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all
</Files>

The .htaccess file can be found via FTP and edited with Notepad, but the easiest way to find and edit it is through your host’s cPanel (if your hosting provides this). Log in with the instructions given to you by your web host, go into your file management and allow display of hidden files. It will be in the root directory. This file manager is also the easiest way for you to upload the blank index file to the wp-content/uploads directory, if you choose to do that instead of modifying the .htaccess file.

This was a daunting project when I decided to do all of it because I found some conflicting and unclear information. Once I figured it all out and was finished, I realized it wasn’t as hard as it seemed. If you’re not the techie type, it may be better not to mess with the files and have your webmaster or technical virtual assistant handle it instead. Always remember to do a complete backup of your website first and make sure you get these security issues fixed today!

Leave a Reply

Your email address will not be published. Required fields are marked *