The Hole In Your WordPress Site

Posted on June 17th, 2014 by Jean

If you have a self-hosted wordpress website, chances are that you have a hole in your site. A hole that allows others unrestricted access to your jpg, pdf and movie files.

To find out, type in your wordpress site followed by /wp-content/uploads

Do you see what I see?

wordpress files exposed

Those are your uploads divided by year. Inside of each year, your uploads are divided by month. And I, or anyone, have access.

I stumbled upon this by accident, accessing the motherload of a file of which I cannot divulge. When I looked at my browser bar, I saw the website’s address followed by /wp-content/uploads

When the realization hit me that MY wordpress files were ALSO vulnerable, I dove into action, finding a way to block access yet still allowing my site to function. What we are striving to do here is have a 403 page pop up telling the web server that access is forbidden.

I found the solution to be very simple. We need to type options -indexes to the bottom of our .htaccess file. Your .htaccess file is in the root directory of your website. You will need to access your ftp files through your website host.

Step 1: Log into your cpanel at your hosting site. It can be https: followed by your site name and then /cpanel

cpanel log in

STEPS 1, 2 AND 3

Step 2: Choose “File Manager”

Step 3: Choose “Home Directory” and check “Show Hidden Files”

Step 4: From your Home Directory, type .htaccess in your search toolbar

edit your htacess file

STEPS 4, 5 AND 6

Step 5: When .htaccess file appears in search results, double click to choose it.

Step 6: Select .htaccess from the list that appears. (For some reason I can never see the .htaccess file prior to searching for it.)

Edit your htaccess file in cpanel



STEP 7: With your .htaccess file selected, choose “Code Editor” from your toolbar menu.

STEP 8: Leave the default settings on the pane which opens, and select “Edit”.

STEP 9: Add Options -Indexes to the last line, and SAVE FILE.

You are done. Go ahead, try to access your site/wp-content/uploads. Do you see a big red 403 message? I do!

403 Forbidden

If you have ANY trouble with this, let me know. I’d be more than happy to help.

Jean photo B16123E10292F5D0137E3C112C0110E4_zpsa65858d2.png

14 Responses to "The Hole In Your WordPress Site"

  1. wow….a bit over my head but thanks for sharing this. I’m not self-hosted but will check it out on my blog anyway.
    Ingrid recently posted..Pure Colorado


    Jean Reply:

    Thanks, Ingrid! I’m sure your files are safely guarded. 🙂


  2. Wow! I had no idea. Thanks for the info Jean, and the detailed instructions on how to restrict access. You’re so smart!
    Sherri @ The Kitchen Prescription recently posted..Healthy Mixed Berry Yogurt Pops


    Jean Reply:

    You’re welcome! Let me know if you need help. (I think your files are showing.)


  3. WordPress has its issues!
    Bijoux recently posted..Gossiping About the Old Folks


    Jean Reply:

    It does, Bijoux. How go the wedding plans? I need to stop by!


  4. Jeepers! Lucky, you are a smartie! I’m not self-hosted so hopefully I am okay? 😕
    Angelia Sims recently posted..Father’s Day 2014


    Jean Reply:

    You’re fine, Angelia! Thanks! I found other directions online, but they seemed more complicated. I hope I this remedy justice.


  5. you’ve definitely helped someone out today! recently posted..How To: Easiest Fishtail Braid Tutorial (Video)


    Jean Reply:

    Thanks, Elle!
    Oh, I’ve got to swing by and get some advice. My SIL gave me a gift card to Sephora, and I’ve no idea what to buy.


  6. I just checked and it looks like mine is already protected (on my photography website). Thanks for the heads up!


    Jean Reply:

    Thank goodness! You lucked out, Rach. 🙂


  7. What?! This is crazy (and also scary). Thanks so much for pointing this out–I don’t want holes on my site!!
    Charlotte recently posted..The start of a great summer


    Jean Reply:

    I was almost reluctant to point it out thinking maybe I was teaching someone to break into a site, but we site owners need to know how to protect ourselves. Thanks, Charlotte!


Leave a Reply

Comment moderation is in place. Your comment will appear shortly.

CommentLuv badge