I have been working on a blog post for
over a week now a while regarding WordPress security and as I was going through my notes I had an idea : so I picked 5 websites randomly from people that belong to a facebook group where I hang out regularly to check if their uploaded content was protected. The result blew my mind: 4 out of 5 websites were not protected!
(If you are part of our maintenance program, no worries you are protected already 🙂 )
If you have a WordPress site you absolutely need to read this: I am going to share with you how to check if your content is accessible by anyone, and I’ll show a quick fix to prevent your folders from being browsed, and that something you can do yourself, right now. (and no, creating a index.html file is not enough).
1) Find out if your content is exposed:
To find out if your content is not secure, in your browser go to the following url :
just replace [yourwebsiteurl] with your domain name like wphelpclub.com for me.
if you see a list that looks like the picture below with jpg and pdfs, folders like 2011, 2012, 2013 (this is where all your images and pdfs you uploaded are stored), that means that everything that you uploaded to your server can be downloaded by anyone: your online courses pdfs, downloadable sheets, images, even your backups!! All they have to do is right click and save the files to their computer!!
2) If you’re vulnerable, do not panic, it’s been there for months if not years, it does not have to be fixed this second, so.. deep breath.. let’s do something right now to block access to this folder and all the files and folders below it!
1) You will need to login to your Control panel on your hosting account (also called cpanel, make sure you can view hidden files because we are going to edit a hidden file that starts with a . )
2) look for the file .htaccess in the folder where WordPress is installed, for me it’s public_html
3) edit the file (select it then click on edit)
add the following line to the file:
Save the file and that’s it!! Give it a try!