I have been working on a blog post about WordPress security for over a week now, and as I was going through my notes I had an idea: I picked 5 websites at random from people who belong to a Facebook group where I hang out regularly, to check whether their uploaded content was protected. The result blew my mind: 4 out of 5 websites were not protected!
(If you are part of our maintenance program, no worries, you are protected already 🙂)
If you have a WordPress site you absolutely need to read this: I am going to share with you how to check if your content is accessible by anyone, and I’ll show a quick fix to prevent your folders from being browsed. It’s something you can do yourself, right now (and no, creating an index.html file is not enough).
1) Find out if your content is exposed:
To find out whether your content is exposed, go to the following URL in your browser:
[yourwebsiteurl]/wp-content/uploads
Just replace [yourwebsiteurl] with your domain name, like wphelpclub.com for me.
If you see a list that looks like the picture below, with JPGs and PDFs and folders like 2011, 2012, 2013 (this is where all the images and PDFs you uploaded are stored), that means that everything you uploaded to your server can be downloaded by anyone: your online course PDFs, downloadable sheets, images, even your backups!! All they have to do is right-click and save the files to their computer!!
2) If you’re vulnerable, do not panic, it’s been there for months if not years, it does not have to be fixed this second, so.. deep breath.. let’s do something right now to block access to this folder and all the files and folders below it!
1) You will need to log in to the control panel of your hosting account (also called cPanel). Make sure you can view hidden files, because we are going to edit a hidden file whose name starts with a .
2) Look for the file .htaccess in the folder where WordPress is installed; for me it’s public_html.
3) Edit the file (select it, then click on Edit).
Add the following line to the file:
Options -Indexes
Save the file and that’s it!! Give it a try!
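As an added example (not part of the original post), here is a small Python check you can run against your own site before and after the change. It looks at the uploads folder and at the year subfolders mentioned above, because an index.html placed in one folder does not stop its subfolders from being listed. The verdict names, the User-Agent string and the sample responses are made up for this example, and it assumes your site answers over HTTPS.

```python
# Usage: python check_listing.py yourdomain.com   (the file name is arbitrary)
import re
import sys
import urllib.error
import urllib.request

# A server-generated directory listing carries an "Index of /..." page title.
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def classify(status, body):
    """Return 'exposed', 'blocked' or 'no-listing' for one HTTP response."""
    if status in (403, 404):
        return "blocked"        # the kind of answer seen once Options -Indexes is active
    if status == 200 and LISTING_RE.search(body):
        return "exposed"        # anyone can browse this folder and download the files
    return "no-listing"         # some other page answered (for example an index file)


def fetch(url):
    """GET url and return (status, body); HTTP error codes are results, not failures."""
    req = urllib.request.Request(url, headers={"User-Agent": "uploads-listing-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def check_site(domain, subfolders=("", "2011/", "2012/", "2013/"), get=fetch):
    """Check the uploads folder and a few year subfolders of your own site."""
    base = f"https://{domain}/wp-content/uploads/"
    return {base + sub: classify(*get(base + sub)) for sub in subfolders}


# Constructed sample responses (not captured from any real site).
SAMPLE_LISTING = ("<html><head><title>Index of /wp-content/uploads</title></head>"
                  "<body><a href=\"2013/\">2013/</a></body></html>")
SAMPLE_BLANK = "<html><body></body></html>"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for url, verdict in check_site(sys.argv[1]).items():
            print(f"{verdict:10} {url}")
    else:  # no domain given: show the verdicts for the constructed samples
        print(classify(200, SAMPLE_LISTING), classify(403, ""), classify(200, SAMPLE_BLANK))
```

Any line marked "exposed" means that folder can still be browsed; after adding Options -Indexes every line should read "blocked" or "no-listing".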
Hi Nathalie,
Thank you for the information. I made the changes in my hostgator and now if I search my website/wp-content/uploads it goes to my website showing page not found and a 404 error. Is that the way it is supposed to look after adding the one line of text to the htaccess file? Just want to make sure I did it correctly.
Thank you for the advice, and the heads up on protecting our content.
Hi Lana, yes you did it correctly, it will sometimes show you a 404 (which means not found) or 304 (forbidden) either way your content is now protected 🙂
Thank you so much. I had no idea my content was out there for anyone to access. It appears to be fixed now.
Awesome Jennifer! I’m glad it helped!
Thank you – I just finished. So easy to follow along:)
Thank you for your comment Melissa 🙂
This was amazingly helpful. Thank you!
I had NO IDEA this was out there. I’m sure most of us don’t. What a great post – super helpful and GREAT instructions. I’m not a wizard at this stuff but I was able to follow this and completed it successfully. My stuff is protected! Thank you!
Wow, do I ever appreciate you writing this article. It worked perfectly!!
Patricia
Thanks Nathalie, I didn’t know you could do this but I’ve checked mine and it’s all ok – whew!
Thanks so much for the tip! I had no idea my content was out there for the world to grab.
Much appreciated!
Pam
You’re welcome Pam!
thank you so much for this extremely useful information, nathalie! i will be taking the steps you’ve outlined.
Awesome, Nathalie!
I put your link on my to-do list when you posted it on FB (Nathalie Lussier’s group), and it took me some time, but I finally found some spare free time to do it, and it worked! Thanks a lot! You have a new follower now! Looking forward to start receiving your newsletters! 🙂
Hi Marta, congratulations on following through 🙂 I’m glad to have you here, if there is any subject you’d like me to cover, let me know!!
Thanks Nathalie,
Is there a way to perform this same security check on a Weebly website?
Peace,
Pat
Hi Pat,
Unfortunately no. Weebly hosts your website and you have no control over what type of security measure they take. That’s why I highly recommend WordPress for business as it’s critical that you keep full control of your website.