See What Files Are Listed in /wp-content/uploads/ Directory
WordPress is undoubtedly one of the most widely used content management systems: around 75 million websites, including businesses, blogs, professionals and entertainment sites, are currently built on it. That popularity also makes it one of the most frequently attacked. While most successful attacks result from unpatched core versions and vulnerable plugins, another major source of WordPress data theft is the disclosure of essential WordPress components. Take, for instance, directory browsing.
It often happens that when your web server cannot find an index file (i.e. a file such as index.php or index.html) in a directory, it falls back to displaying an automatically generated index page that lists the contents of that directory. On Apache this is mod_autoindex, enabled by Options +Indexes, and many hosting defaults leave it on.
You can fix directory browsing with a click of a button with the WP-Hardening plugin. WP-Hardening is a one-stop solution for most of your WordPress security woes.
Here is how it works:
- Install the WP Hardening plugin and activate it. It will appear in the bottom left corner of your admin panel.
- Go to the "Security Fixers" tab.
- Navigate to 'Server Hardening' and toggle the key next to 'Hide Directory Listing of WP includes.'
- And you're done!
Leaving such information public makes your site easier to attack: a listing reveals the exact plugin, theme and server files (and often their versions) an attacker needs in order to identify and exploit a potential vulnerability.
Why hide WordPress folders from the public?
Because of the growing number of attacks on WordPress sites, it is essential to disable directory browsing. Attackers use directory listings to find files with known vulnerabilities and then exploit them to gain unauthorised access. Directory browsing also lets outsiders copy the contents of your files, map your directory structure, and gather other information. This is why it is imperative to restrict directory indexing and browsing.
Related Guide – WordPress Malware Removal
This can be done by modifying your .htaccess file. The .htaccess file is a per-directory Apache configuration file that lets you define rules the server follows for your website. The main one is located in your WordPress site's root folder. To edit it, connect to your website with an FTP (preferably SFTP) client. Before you start editing, download a copy of the file to your computer as a backup, to be restored in case anything goes wrong. Note that every snippet on this page is Apache syntax; it has no effect on nginx or IIS.
How to hide WP folders from public access?
Add the following line to the .htaccess file in your website root:

Options -Indexes

This prevents directory listing across the whole website, because the directive is inherited by every subdirectory. Check that the site still loads afterwards: if the host's Apache configuration does not allow overriding Options (AllowOverride), the server answers every request with a 500 error instead, and you will need to ask the host to set Options -Indexes in the virtual host configuration.
How to hide the WordPress login URL?
The WordPress login URL can be hidden via multiple methods:
- With WP-Hardening: The WP Hardening plugin lets you specify a custom URL for your WordPress login. The new URL is set under the 'Security Fixers' section in the WordPress settings. If a caching plugin is used on the website, add the new login page to the list of pages excluded from caching.
- By allowlisting IP addresses: In this method only the listed IP addresses can reach the wp-login page; every other IP is shown an error. This method is recommended if you have a static IP and few people need access to your WordPress admin panel. Add the following code to your .htaccess file and replace "!^123\.123\.123\.123$" with your own address (the dots are escaped because the value is a regular expression).

<IfModule mod_rewrite.c>
RewriteEngine on
# Requests for the login script or for the /wp-admin path ...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
# ... that do not come from the allowlisted address are answered with 403
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>

If multiple IP addresses need to be allowed, add a new RewriteCond line for each, as shown below. Consecutive conditions are ANDed, so a request is blocked only if it matches none of the addresses:

RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^223\.223\.223\.223$

Your login page will now only be reachable from these IP addresses. Two caveats. First, the second condition matches /wp-admin only without a trailing slash, so /wp-admin/admin-ajax.php stays reachable (many themes and plugins need it for anonymous visitors), while an unauthenticated visit to /wp-admin/ is redirected by WordPress to wp-login.php, which is blocked. Second, REMOTE_ADDR is the address of the TCP peer: behind a CDN or reverse proxy it is the proxy's address, so the rule either blocks everyone or has to be combined with mod_remoteip configured to trust only that proxy. Matching %{HTTP:X-Forwarded-For} instead is not a fix, because that header is set by the client and can be forged.
How to hide WP-content/uploads from Your WordPress?
The wp-content folder sits in the main directory of every WordPress site. It is an important part of every installation: it contains the plugins, themes, uploads and debug.log, i.e. the files provided by the user that are not stored in the database.
You can hide a particular folder's listing from the public by adding a small .htaccess file inside it. To hide the contents of the "uploads" folder:
- Open your FTP client
- Navigate to wp-content/uploads
- Create a new file named ".htaccess" and open it
- Copy the following line into the file:

Options -Indexes

- Save the changes.
- To verify, navigate to http://yourdomain.com/wp-content/uploads/ in a browser: you should now get a 403 Forbidden error instead of a listing of your upload folder, while the individual files in it (your images) still load.
Do not use "Deny from all" in this file to hide the folder: that would block every file under wp-content/uploads, including the images your pages embed, and break the site.
How to hide WP-includes from Your WordPress
It is important to restrict access to the wp-includes folder: it holds the core WordPress libraries, the files WordPress needs to run even without any plugins or themes (those live under wp-content). None of these PHP files should ever be requested directly by a browser. Access can be restricted with the following snippet in the root .htaccess file:

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/.*\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

RewriteBase / assumes WordPress is installed at the site root; for a subdirectory install, set it to that path. On a Multisite network the .php rule also blocks wp-includes/ms-files.php, which older multisite setups use to serve uploaded files, so test the network after adding it.
How to hide WP-admin aka WP-login
The default login page of every WordPress site is site-name/wp-admin, which redirects unauthenticated visitors to wp-login.php. Leaving it at the default invites attackers and automated bots to hammer it with credential guessing. Restricting access to wp-admin and wp-login.php therefore not only makes an attacker's job harder but also cuts out the background noise of automated scanners.
Related Guide – Complete Guide to WordPress Security (Reduce the chance of Hacking by 90%)
- Log in to your hosting control panel (cPanel). Go to your public_html folder and open the .htaccess file in the code editor. If it is not visible, enable "Show hidden files" in the file manager's settings, then edit it.
- Add the following code at the top of your .htaccess file, above any rules already in it.

# Restrict wp-login.php to the listed addresses.
# The <Files> wrapper keeps the rest of the site public; without it,
# "deny from all" in the root .htaccess would lock out the whole site.
<Files wp-login.php>
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist Prakhar IP address
allow from 20.20.20.30
# whitelist Satyansh IP address
allow from 20.20.20.30
</Files>

- Replace the names in the comments and the IP addresses with those of your own devices (computers, laptops, smartphones). Add more users by repeating the pair of lines (# whitelist username IP address / allow from address). Do not wrap these directives in <Limit GET>: a Limit section applies only to the listed methods, and the login form is submitted with POST, so a GET-only restriction is bypassed by simply posting the credentials. On Apache 2.4 the order/deny/allow directives need mod_access_compat; if the host does not load it, use the 2.4 Require directives (Require all denied, Require ip) instead.
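To verify that the rules on this page actually took effect, the following shell script, added here as an example and not part of the original article, probes a site with curl and classifies each answer. It covers three things at once: the Options -Indexes rule (no directory URL may answer with an "Index of" listing), the wp-includes rewrite rules (a direct request for wp-includes/version.php, a file shipped with every WordPress release, must be forbidden) and the wp-login.php allowlist (forbidden when the script runs from an address that is not on the list). The host name in the usage comment is hypothetical; the verdict names (listing, open, blocked, missing, redirect) are the example's own conventions, not anything WordPress or Apache define.

```shell
#!/bin/sh
# wp_htaccess_audit.sh: probe a WordPress site over HTTP and report whether
# the .htaccess hardening rules from this page are in effect.
# Usage (hypothetical host):  sh wp_htaccess_audit.sh https://example.com
# Requires curl. Run it from an address that is NOT on your login allowlist,
# otherwise the wp-login.php check will (correctly) report "open".

# classify STATUS BODY
# Reduce one HTTP response to a verdict: listing, open, blocked, missing,
# redirect or other(<status>). Apache's mod_autoindex (and nginx autoindex)
# title every generated listing "Index of /<path>", which is what we key on.
classify() {
  status="$1"
  body="$2"
  case "$status" in
    200)
      if printf '%s' "$body" | grep -qi '<title>Index of '; then
        echo listing
      else
        echo open
      fi
      ;;
    403)         echo blocked ;;
    404)         echo missing ;;
    3[0-9][0-9]) echo redirect ;;
    *)           echo "other($status)" ;;
  esac
}

# probe BASE PATH: verdict for GET BASE+PATH. Redirects are not followed,
# so a 301 is reported as "redirect" rather than chased to its target.
probe() {
  tmp="$(mktemp)"
  status="$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 "$1$2")"
  classify "$status" "$(cat "$tmp")"
  rm -f "$tmp"
}

# check BASE PATH "ACCEPTABLE VERDICTS": print OK/FAIL, return 1 on FAIL.
check() {
  got="$(probe "$1" "$2")"
  case " $3 " in
    *" $got "*) printf 'OK    %-40s %s\n' "$2" "$got" ;;
    *) printf 'FAIL  %-40s %s (wanted: %s)\n' "$2" "$got" "$3"; return 1 ;;
  esac
}

# audit BASE: run every check, return 1 if any failed.
audit() {
  base="${1%/}"
  rc=0
  # Options -Indexes: no directory URL may answer with a listing.
  for d in /wp-content/uploads/ /wp-content/plugins/ /wp-content/themes/ /wp-includes/; do
    check "$base" "$d" "blocked missing redirect" || rc=1
  done
  # wp-includes rewrite rules: direct PHP requests are forbidden.
  check "$base" /wp-includes/version.php blocked || rc=1
  check "$base" /wp-includes/theme-compat/ blocked || rc=1
  check "$base" /wp-admin/includes/ blocked || rc=1
  # Login allowlist: from a non-allowlisted address wp-login.php is forbidden.
  check "$base" /wp-login.php blocked || rc=1
  return $rc
}

if [ $# -gt 0 ]; then
  audit "$1"
fi
```

Run it after each change. A FAIL with verdict other(500) on every path usually means the host's AllowOverride setting does not permit the directive you just added; a FAIL with "listing" on a directory means Options -Indexes is not reaching that folder.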
The .htaccess rules listed above are some of the many htaccess tweaks that strengthen a WordPress site.
Get the ultimate WordPress security checklist with 300+ test parameters
For comprehensive security of WordPress sites, it is advisable to use Astra for WordPress Security. Astra integrates with WordPress websites and simplifies regular security checks via a simple dashboard.
Naman Rastogi
Naman Rastogi is a growth hacker and digital marketer at Astra Security. Working actively in cybersecurity for more than a year, Naman shares a passion for spreading awareness about cybersecurity among netizens. He is a regular reader of anything cybersecurity, which he channels through the Astra blog. Naman is also a jack of all trades: he is certified in market analytics, content strategy, financial markets and more, while working in parallel towards his passion, cybersecurity. When not hustling to discover newer ways to spread awareness about cybersecurity, he can be found enjoying a game of ping pong or CS:GO.
Source: https://www.getastra.com/blog/cms/wordpress-security/hide-wp-includes-wp-content-uploads-from-your-wordpress-site/