The Hole In Your WordPress Site
Posted on June 17th, 2014 by Jean

If you have a self-hosted WordPress website, chances are that you have a hole in your site: a hole that gives others unrestricted access to your jpg, pdf and movie files.
To find out, type your WordPress site's address into your browser followed by /wp-content/uploads
Do you see what I see?

Those are your uploads divided by year. Inside of each year, your uploads are divided by month. And I, or anyone, have access.
I stumbled upon this by accident, accessing the mother lode of a file of which I cannot divulge. When I looked at my browser bar, I saw the website’s address followed by /wp-content/uploads
When the realization hit me that MY WordPress files were ALSO vulnerable, I dove into action, finding a way to block access yet still allow my site to function. What we are striving for here is to have the web server answer with a 403 page telling the visitor that access is forbidden.
I found the solution to be very simple. We need to add the line Options -Indexes at the bottom of our .htaccess file. The .htaccess file lives in the root directory of your website; you will need to reach it through your web host (cPanel's File Manager, as in the steps below, or FTP).
Step 1: Log into cPanel at your hosting site. The address is typically https:// followed by your site name and then /cpanel

STEPS 1, 2 AND 3
Step 2: Choose “File Manager”
Step 3: Choose “Home Directory” and check “Show Hidden Files”
Step 4: From your Home Directory, type .htaccess in the search toolbar

STEPS 4, 5 AND 6
Step 5: When the .htaccess file appears in the search results, double click to choose it.
Step 6: Select .htaccess from the list that appears. (For some reason I can never see the .htaccess file prior to searching for it.)

FINAL STEPS – 7, 8 AND 9
STEP 7: With your .htaccess file selected, choose “Code Editor” from your toolbar menu.
STEP 8: Leave the default settings on the pane which opens, and select “Edit”.
STEP 9: Add Options -Indexes as the last line, and SAVE FILE.
You are done. Go ahead, try to access yoursite/wp-content/uploads. Do you see a big red 403 message? I do!
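For readers who reach their site over SSH rather than cPanel, here is a small POSIX shell helper that does the step 9 edit from the command line and checks a saved copy of the response for Apache's listing page. It is an added example, not part of the original post; the function names are my own, and it assumes Apache's default autoindex page, whose title starts with "Index of".

```shell
#!/bin/sh
# Hypothetical helper (added example): append "Options -Indexes" to a
# WordPress .htaccess exactly once, keeping a backup of the original.
# Usage: harden_htaccess /path/to/site/.htaccess

# Return 0 if the file already disables directory listings.
has_no_indexes() {
  grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"
}

harden_htaccess() {
  file="$1"
  # Create the file if the site has no .htaccess yet.
  [ -f "$file" ] || : > "$file"
  if has_no_indexes "$file"; then
    echo "already hardened: $file"
    return 0
  fi
  cp -p "$file" "$file.bak"   # keep a backup before editing
  # Make sure the current last line ends with a newline before appending.
  [ -z "$(tail -c1 "$file")" ] || printf '\n' >> "$file"
  # Appended after the "# END WordPress" block: WordPress rewrites that
  # block on its own, so our line must sit outside it (last line, as in step 9).
  printf '# Disable directory listing (e.g. /wp-content/uploads/)\nOptions -Indexes\n' >> "$file"
  echo "added Options -Indexes to $file"
}

# Check a saved response body (curl -s yoursite/wp-content/uploads/ > page.html):
# Apache's autoindex page carries an "Index of /..." title, so finding it
# means listings are still enabled; a 403 page will not contain it.
looks_like_listing() {
  grep -q '<title>Index of ' "$1"
}
```

Running harden_htaccess a second time is a no-op, so it is safe to re-run after a WordPress update that rewrote the file.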

If you have ANY trouble with this, let me know. I’d be more than happy to help.

Comment By: Ingrid
June 17th, 2014 at 8:06 pm
wow….a bit over my head but thanks for sharing this. I’m not self-hosted but will check it out on my blog anyway.
Comment By: Jean
June 19th, 2014 at 8:45 pm
Thanks, Ingrid! I’m sure your files are safely guarded. 🙂
Comment By: Sherri @ The Kitchen Prescription
June 18th, 2014 at 3:26 am
Wow! I had no idea. Thanks for the info Jean, and the detailed instructions on how to restrict access. You’re so smart!
Comment By: Jean
June 19th, 2014 at 8:45 pm
You’re welcome! Let me know if you need help. (I think your files are showing.)
Comment By: Bijoux
June 18th, 2014 at 4:43 am
WordPress has its issues!
Comment By: Jean
June 19th, 2014 at 8:44 pm
It does, Bijoux. How go the wedding plans? I need to stop by!
Comment By: Angelia Sims
June 19th, 2014 at 10:18 am
Jeepers! Lucky, you are a smartie! I’m not self-hosted so hopefully I am okay? 😕
Comment By: Jean
June 19th, 2014 at 8:44 pm
You’re fine, Angelia! Thanks! I found other directions online, but they seemed more complicated. I hope I did this remedy justice.
Comment By: Ellesees.blogspot.com
June 23rd, 2014 at 4:00 am
you’ve definitely helped someone out today!
Comment By: Jean
June 27th, 2014 at 9:18 pm
Thanks, Elle!
Oh, I’ve got to swing by and get some advice. My SIL gave me a gift card to Sephora, and I’ve no idea what to buy.
Comment By: Rach @ This Italian Family
June 23rd, 2014 at 5:50 am
I just checked and it looks like mine is already protected (on my photography website). Thanks for the heads up!
Comment By: Jean
June 27th, 2014 at 9:19 pm
Thank goodness! You lucked out, Rach. 🙂
Comment By: Charlotte
June 25th, 2014 at 12:09 pm
What?! This is crazy (and also scary). Thanks so much for pointing this out–I don’t want holes on my site!!
Comment By: Jean
June 27th, 2014 at 9:19 pm
I was almost reluctant to point it out thinking maybe I was teaching someone to break into a site, but we site owners need to know how to protect ourselves. Thanks, Charlotte!