Statistics for 2023 show around 450 million sites use WordPress, with that number continuing to grow. This makes WordPress an attractive target for those wanting to collect compromised hosting accounts for serving malicious content, spamming, phishing sites, proxies and web shells.
Plugins
One of the reasons for WordPress's popularity is WordPress Plugins. Adding many functions such as shopping, forms, analytics and a vast array of others. According to the WordPress.org Plugins page there are over 60,000 free plugins.
Consider how prevalent security issues are in WordPress plugins and start to correlate that with full directory listings you can get from having directory indexing on wp-content/plugins/ it won't take long to find vulnerable installations.
Lets try some easy Google Dorks and check the results.
Google Dork 2023 results
index of "inurl:wp-content/ 36,000,000 results inurl: "/wp-content/plugins/wp-visual-slidebox-builder/ 281,000 results
The following image shows the results of a google dork: intitle:"index of" config.php
Directory Indexing
Directory indexing may not be something that rings bells but it is a very important part of securing a WordPress blog, if only to at least make it a bit harder for the bad guys.
Showing the contents of a directory allows an attacker to gather information on installed plugins, themes, assets and others.
As part of the recon process, gathering this information provides an attacker with further options to explore such as if the plugin as a vulnerability they could use to gain a foothold on a targeted site.
It is possible to go to the browser or if you prefer the command line, below is a simple cURL example. This example pipes the results to html2text which is Python script that "converts a page of HTML into clean, easy to read ASCII text".
$ curl -s -X GET http://blog.example.com/wp-content/plugins/example-plugin/ | html2text ****** Index of /wp-content/plugins/example-plugin ****** Name Last_modified Size Description =========================================================================== Parent_Directory - CHANGELOG.md 2016-11-01 10:58 4.0K assets/ 2016-11-01 10:58 - cache/ 2019-09-06 21:45 - composer.json 2016-11-01 10:58 749 config.php 2016-11-01 10:58 252 languages/ 2016-11-01 10:58 - plugins/ 2016-11-01 10:58 - src/ 2023-03-08 12:37 - updates/ 2023-03-01 12:38 - vendor/ 2016-11-01 10:58 - views/ 2023-03-02 12:38 - example-config.php 2016-11-01 10:58 1.0K example.php 2016-11-01 10:58 5.3K ===========================================================================
Disable Directory indexing for WordPress
Ensure directory indexing is disabled for your full WordPress installation either through the web server configuration or .htaccess.
A suggested way to check is try: www.yoursite.com/wp-includes in the browser. If the result is a 403 Forbidden this means directory listing is disabled.
The WordPress Security Scanner online testing tool will check if directory indexing is enabled.