WordPress Plugin Security: Prevent Directory Listing

PHP based applications can have its structures exposed to the public. WordPress is also the same. This can have potential security risks if not taken care of properly. The agreed best practice is to configure the server, where the WordPress live, to prevent its directory structures. However, for average users, this might not be feasible.

The core WordPress files include blank index.php files which can prevent directory listing for poorly configured servers. For our own created plugin, however, we need to manually add it.

First,  let's see what happens if we do not add the file and the WordPress live on a poorly configured server. Here I am using a local dev server with minimum settings.

Here we can see that if we type the directory address directly in the browser the content will be exposed to the public. This is risky as unauthorized people can try to figure exploits based on the plugin.

We can mitigate this risk by adding an index.php file to the directory which we want to secure.

The index.php file can contain simple explanations, such as these:



\* This file is intentionally left empty.


\* This file exists to stop directory listings on poorly configured servers.


Then if we try to open the folder directly again it will show nothing.

This is, of course, a sub-optimal security patching. As this is a security through obscurity. The best way of course by properly configuring the servers. However, if a proper configuration cannot be done then this file can help mitigate the risk on the plugin.


Directory Listings

Empty index.php

Why do folders have Empty index.php pages?

Should Plugin Folders Include a Blank index.php File?