If you have a self-hosted WordPress website, chances are that you have a hole in your site: a hole that lets anyone browse through your uploaded jpg, pdf and movie files.
To find out, type your WordPress site's address into your browser followed by /wp-content/uploads
Do you see what I see?
Those are your uploads, sorted by year. Inside each year, your uploads are divided by month. And I, or anyone else, can browse through them.
I stumbled upon this by accident, accessing the mother lode of a file which I cannot divulge. When I looked at my browser bar, I saw the website’s address followed by /wp-content/uploads
When the realization hit me that MY WordPress files were ALSO vulnerable, I dove into action, finding a way to block access yet still allow my site to function. What we are striving for here is to have the web server respond with a 403 page telling the visitor that access is forbidden.
I found the solution to be very simple. We need to add Options -Indexes at the bottom of our .htaccess file. Your .htaccess file is in the root directory of your website. You will need to access your site's files through your hosting provider's file manager (or over FTP).
Step 1: Log into your cPanel at your hosting site. Typically this is https:// followed by your site name and then /cpanel
Step 2: Choose “File Manager”
Step 3: Choose “Home Directory” and check “Show Hidden Files”
Step 4: From your Home Directory, type .htaccess into the search box.
Step 5: When the .htaccess file appears in the search results, double-click to choose it.
Step 6: Select .htaccess from the list that appears. (For some reason I can never see the .htaccess file prior to searching for it.)
Step 7: With your .htaccess file selected, choose “Code Editor” from your toolbar menu.
Step 8: Leave the default settings on the pane which opens, and select “Edit”.
Step 9: Add Options -Indexes on a new last line, and save the file.
You are done. Go ahead, try to access your site's address followed by /wp-content/uploads. Do you see a big red 403 message? I do!
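The check in the last step can also be scripted, so you can confirm the fix before and after editing .htaccess. This is an added example, not the author's own script; it assumes curl is installed and that the site you pass as the argument is one you administer.

```shell
#!/bin/sh
# Report whether a WordPress site's /wp-content/uploads/ directory exposes an
# Apache directory listing (HTTP 200 with an "Index of" page) or is blocked (403).

# classify_listing STATUS BODY_FILE
# Prints "listing", "forbidden" or "other" for a response status and saved body.
classify_listing() {
  status="$1"
  body="$2"
  if [ "$status" = "403" ]; then
    echo "forbidden"
    return 0
  fi
  # Apache's mod_autoindex page is titled "Index of /<path>"; hosts that
  # customise the listing template may need a different marker here.
  if [ "$status" = "200" ] && grep -qi '<title>Index of' "$body"; then
    echo "listing"
    return 0
  fi
  echo "other"
}

# check_uploads_listing SITE_URL
# Fetches SITE_URL/wp-content/uploads/ and prints the classification.
check_uploads_listing() {
  url="${1%/}/wp-content/uploads/"
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' "$url")
  result=$(classify_listing "$status" "$tmp")
  rm -f "$tmp"
  echo "$url -> HTTP $status: $result"
}

# Usage: ./check_uploads.sh https://example.com   (placeholder site address)
if [ "$#" -gt 0 ]; then
  check_uploads_listing "$1"
fi
```

A "forbidden" result only means the listing is hidden; any file whose exact URL is already known still loads, so this confirms the .htaccess change and nothing more.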
If you have ANY trouble with this, let me know. I’d be more than happy to help.