
WARNING! Your blog at RISK Again! Did you know this?

Do you think your blog is secure? Wait until you read this.

I got an email from one of my readers pointing out this issue on my blog. As a matter of fact, as a webmaster and PHP developer, it was pure negligence on my part not to have dealt with these leaks. With just a few clicks in your cPanel, these security flaws can be dealt with in a matter of minutes.

I tested over 5 blogs I read often and none of them was safe. This is serious! How come almost nobody cares about this, yet we talk about safety here and there?

I’m sure these flaws are responsible for the thousands of WordPress hacks we see these days. These leaks reveal key information about your web hosting. Hackers may use this information to develop strategies to attack and bring down your blog.

NB: Read more on securing your blog from hackers

Vulnerability 1

Copy the link below and paste it into your address bar, replacing http://yourdomainname.com with your real domain name:

http://yourdomainname.com/wp-includes/vars.php

What if your blog is installed in a sub-directory, like this:

http://companyname.com/blog/

In that case, this is what you should use:

http://companyname.com/blog/wp-includes/vars.php

Now load it in your address bar. If you see something like the following screenshot, your server is revealing critical information to the bad guys, and if security on that server is not strong enough, a compromise might just be a matter of time.

[Image: PHP error output revealing the server path]

You see that the full location of your files on the server is revealed. This makes the hacker’s job a bit easier.

Proposed solution

My proposed solution is to tell the server to silence all errors; in other words, stop printing errors to the screen. Let’s see how to do this in cPanel.

Log on to cPanel. Locate the “Software/Services” tab and click “php.ini Quick Config”.

On the page that follows, carefully locate “display_errors” and turn it off, as shown in the image below:

Click “Save Changes” button at the bottom of the page.

You can now go back to http://yourdomainname.com/wp-includes/vars.php to check that it works.

Vulnerability 2

In this leak, you are openly showing a listing of your files to anyone who cares to look. Let’s see if your files are being revealed.

Paste the following link into your address bar. Of course, you have to replace the portion yourdomainname.com with your real domain name:

http://yourdomainname.com/wp-includes/

If you see a listing of your files, that means you’ve got work to do:

[Image: directory listing]

Proposed solution

1 -> Create a blank index file (name it index.php) and upload it into this folder to disable directory listing. If you choose this solution, you will have to repeat it for every directory you want to protect, so I propose you go with solution 2 below.

2 -> Locate the “Advanced” tab on your cPanel home page and click “Index Manager”:

[Image: cPanel Index Manager]

NB: Your cPanel theme may differ from mine, so expect some differences in layout.

On the screen that follows, select the domain or folder you wish to protect by clicking its name (not the icon).

Finally, select the “No Indexing” option in the list as shown in the image below and click “Save”. This will make sure visitors cannot see the files in your directory and its sub-directories.

[Image: “No Indexing” option selected]

If you go back to the link to test this, you are now going to see “ERROR 403 – FORBIDDEN”. This is not sexy at all. In one of my subsequent posts, I’ll show you how to build and load your own error pages, so be sure to join my list so you don’t miss it.

NB: In issue 1 above, where you turned display_errors OFF, be sure to turn it back ON if you want to debug on the live server, and OFF again when you are done.
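As an added example (not part of the original post), here is a small Python script that turns the two browser checks above into code: it classifies the response for /wp-includes/vars.php by looking for a PHP error message that discloses a server path, and the response for /wp-includes/ by looking for an Apache auto-index page, treating the 403 as the expected result. The sample response bodies are constructed; check_site() takes the root URL of your own blog (or the sub-directory it is installed in).

```python
"""Added example (not from the post or WordPress): detect the two leaks the
post describes in HTTP responses, then optionally check a blog you administer.
The sample response bodies below are constructed for illustration."""
import re
import sys
import urllib.error
import urllib.request

# The two URLs the post asks the reader to open, relative to the blog root.
ERROR_LEAK_PATH = "/wp-includes/vars.php"
LISTING_PATH = "/wp-includes/"

# PHP prints errors as "Fatal error: ... in /abs/path.php on line N"; with
# html_errors on, the path and line number are wrapped in <b> tags.
PHP_ERROR_RE = re.compile(
    r"(?:Fatal error|Warning|Notice|Parse error|Deprecated)\b.*?"
    r"\bin\s+(?:<b>)?(/[^\s<]+\.php)(?:</b>)?\s+on line\s+(?:<b>)?\d+",
    re.IGNORECASE | re.DOTALL,
)
# Apache's auto-generated listing titles itself "Index of /<directory>".
INDEX_RE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)

# Constructed sample bodies standing in for what a browser would show.
SAMPLE_ERROR_BODY = ("<br />\n<b>Fatal error</b>:  Call to undefined function in "
                     "<b>/home/example/public_html/wp-includes/vars.php</b> on line <b>90</b><br />\n")
SAMPLE_INDEX_BODY = ("<html><head><title>Index of /wp-includes</title></head>"
                     "<body><h1>Index of /wp-includes</h1><ul><li>vars.php</li></ul></body></html>")
SAMPLE_FORBIDDEN_BODY = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"


def classify_error_page(status, body):
    """Leak 1: does the page expose a server path through a PHP error message?"""
    if status != 200:
        return False, "no page body served (HTTP %d)" % status
    match = PHP_ERROR_RE.search(body)
    if match:
        return True, "PHP error reveals %s; set display_errors = Off" % match.group(1)
    return False, "200 response without a PHP error message"


def classify_listing_page(status, body):
    """Leak 2: is the directory's file listing served to visitors?"""
    if status == 200 and INDEX_RE.search(body):
        return True, "directory listing enabled; add index.php or Options -Indexes"
    if status == 403:
        return False, "listing forbidden (HTTP 403), which is the expected result"
    return False, "no auto-index page (HTTP %d)" % status


def fetch(url):
    """Return (status, body) for url, keeping the body of 4xx/5xx responses too."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def check_site(base_url):
    """Run both checks against your own blog; returns {path: (leaks, detail)}."""
    base = base_url.rstrip("/")
    return {
        ERROR_LEAK_PATH: classify_error_page(*fetch(base + ERROR_LEAK_PATH)),
        LISTING_PATH: classify_listing_page(*fetch(base + LISTING_PATH)),
    }


if __name__ == "__main__":
    # Usage: python check_leaks.py http://yourdomainname.com  (or .../blog for a sub-directory install)
    for path, (leaks, detail) in check_site(sys.argv[1]).items():
        print("%-22s %s  %s" % (path, "LEAK" if leaks else "ok", detail))
```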

If you have trouble following these steps, be sure to contact me so we can work something out.

Let me hear from you in the comments below if this post has helped you in any way. Do also share this on social media so others may get to know about it 😉

Enstine Muki

Certified Cryptocurrency Expert, Problogger and Serial Entrepreneur

  • Mark says:

    Bravo Enstine!

    Thank goodness there are coaches and mentors out here (such as yourself!) that care enough to share this truly eye opening type of content so freely!

    And for alerting the unsuspecting, such as myself, to why you definitely have to remain a full-time student! Or else your business and livelihood could most certainly be harmed! Thank you so much for sharing this extremely valuable content! And I will most certainly pass it on!

    • Hey Mark,
      We keep learning and coming across new things. That’s what it means to live. The only moment to stop learning is when one gets to the grave.

      Thanks for your beautiful comment.

  • tony greene says:

    I checked my own site with both vulnerabilities active and inactive. Nothing seemed to happen. So, I think the .htaccess and other steps I’ve taken from my host have helped me quite a bit.

    Thanks for making me aware of this.

  • 11 ways to secure a website from hackers - Blog and SEO Consultant says:

    […] to Enstine Muki for sharing these important website security tips; According to Enstine on how to secure a website, he shared two important factors that your server […]

  • Hey Enstine,

    Thanks for the fix pal. Did those 2 steps on my blog.

  • Kingsley says:

    Thanks for this great post; however, I can’t find the php.ini file in my cPanel, and for the second one I am being redirected to a 404 error page.

  • Steve West says:

    Wow, I’m so glad I read this, didn’t realise I was so exposed!

    Thanks for sharing Enstine, this post will no doubt be saving many bloggers a lot of hassle with hackers!

    Yep will defo be sharing this post on social media, all bloggers need to read this!

    Have a great weekend Enstine!

    • Wow Steve, I’m so excited and thankful to you and so many others who have helped in spreading the word. Thanks, and thanks for sharing 😉

      • Steve West says:

        Well the thanks is really to you, a post like this really helps everyone out!

        You’re doing so well with your blog too, so many people commenting and interacting here… You are an inspiration Enstine!

        Best, Steve

  • Steven J Wilson says:

    Wow Enstine,

    These are new to me. I will do these myself sooner rather than later. It’s unfortunate that, with all the software etc. that we use, a simple addition to our URL can show potential weaknesses.

    I have to share this and have a post on a similar subject coming up and will have to mention this on it.

    Awesome post! Extremely helpful and clear to understand! Take care Enstine

    • Hey Steven,
      Thanks for the contribution. I’m grateful you shared this post. Oh yes, I’ll be very glad about your upcoming post linking to this. Of course, I’ll also be reading and sharing it. When exactly is the post coming up?

  • Enstine, thanks for posting this at a time when several WordPress blogs are being hacked daily.

    I took time to go through my sites and discovered that almost all of them were actually vulnerable in this regard. I have fixed the problems following your guide and hope I won’t be facing many security threats for now.

    Our duty is to remain alert and whenever there are new threats, we get them fixed immediately to keep our sites healthy and safe for us and our visitors.

    Thanks once again for this post. Do have a pleasant day.

  • Larry Rivera says:

    This post hits close to home. I recently had my server hacked and all my wordpress installations were compromised.

    We recently did a post showing step-by-step how we secured our WordPress installations. Thanks for sharing; this post was very helpful.

  • Awesome tips, Enstine 🙂

    I can’t perform the first solution since I don’t have the PHP.ini quick config option (there is a configuration page, but that’s only for reference. They are saying that only the server admin can change the options).

    As for the second option, well, I am working on that (I see that your latest post is about customizing the 403 page – I can do both of these right now :D).

    Thank you for these tips, Enstine! I do appreciate the help 🙂

    • Jeevan Jacob John says:

      Btw, I just turned off indexing for all of the files (public_html) instead of just a folder. Would that be a problem?

    • Hey Jeevan,

      Good to see you here today
      Maybe your account manager can help set option #1 for you.
      Let me also know how it goes with option #2 and yes, my latest post is a follow-up. I promised I was going to do the tutorial.

      I’m glad this was helpful and do have a wonderful day as you spend time around

  • James says:

    Hi Enstine,

    Thanks for this info. You are a great asset to the community.

    I’m hosting with Synthesis; though expensive at close to 30 USD per month, their security features are tight, so I don’t have such issues.

    Do have a pleasant day.

  • Wow thanks – I had no idea about these leaks. After checking my hosting, I fixed #1 but #2 was already set to forbidden.

    Thanks for the tips!

  • Manivannan says:

    Hi Enstine,

    Thanks for the tips, It really helped me. Great Post 🙂

  • Hey Enstine,
    The Good news is that my blog is not showing any critical information. I checked it by following the link which you mentioned above by changing the link to my blog domain.
    Thanks for sharing this info with us. 😀

  • Dk Patel says:

    Nice post Muki. I have also applied it on my website, but it is showing ERROR 403 – Forbidden. How do I deal with it? Will it affect my site in any way?

    • Hello, the 403 error will not affect your site. It only shows you have done the security thing correctly.
      I will publish a post on how to deal with the 403 error this week. Be sure to join my list so you don’t miss it 😉

  • Dk Patrl says:

    Thanks for this nice post. Since my site has been the target of too many hacking attempts, your article describes things well, but I don’t know how to do it on a GoDaddy server.

  • Tchouken says:

    Nice!
    I checked it and I was surprised to have been so vulnerable and not to be aware of it. Furthermore, I checked it on a popular blog on the web and didn’t notice the vulnerability. I sometimes wonder why they leave all these settings that make web pages more vulnerable, when they could make them a bit safer at no cost.
    Thanks for the post.

  • Sunday says:

    Hi Enstine,
    Thanks for sharing these tips. I discovered that my blog is at risk from vulnerability 2. I have followed your guide and obtained the expected results. However, one needs to take time to study this PHP indexing well so as to increase the safety measures on a post.

    I have shared the above comment in the content syndication, aggregation, and social bookmarking website – kingged.com – where this post was found.

    Sunday – kingged.com contributor

    http://kingged.com/warning-your-blog-at-risk-again-did-you-know-this/

  • Enstine,
    Thanks so much. I implemented your suggestions and everything worked as you said it would. If I encounter any issues with my website, I will let you know. Thanks again for the great security tip.
    On a separate note, is there a way to lock down the wp-admin login dialog box? This would be helpful as well.
    Thanks again

  • My second attempt to comment today, Enstine. Hope this pushes through now. 🙂

    I was trying to say that if it were not for the likes of you alerting people on the possible vulnerabilities of their sites, a lot of us wouldn’t have probably known. So thanks for this wonderful post.

    Cheers,
    Maricel

    • Hey Maricel,
      Yess it went through this time! Some weird issues at times 😉

      Thanks for making an encouraging point in this comment. BTW, I have been seeing you around Facebook these days.
      Hope all is well

      • Hello, Enstine,

        Haven’t had the time to do FB much these days, but I visit for a few minutes or so every now and then. There aren’t any issues whatsoever, just that some things have to be done.

        By the way, I was on incognito when I first tried commenting. I realized that when you told me to clear my cache. 😉

  • Qasim says:

    Hi Enstine,

    I just checked, and I found my web host does not allow access to those files, so they have already taken care of this. Thank you so much for sharing about it and creating awareness. Appreciate it.

    • Good to know your host already takes care of these basic security issues.
      Thanks, however, for reading and dropping a comment.

      Do have a wonderful week man and thanks for visiting

  • Vernessa Taylor says:

    Hi Enstine! There are so many things to do to keep a WordPress install safe. Happy to say on your #1, my site returns a blank page, not exposing server info. I don’t use cPanel but did this at the server level when I set up my VPS.

    On #2, for many directories I have an index.php file, but not for this particular one you pointed out. Thank you! I thought WP shipped with blank index files for the directories that needed it. Time to audit the installs and correct this. Good looking out!

    [Arrived at this post from Kingged.com, the blog sharing community.]

    • Hey Vernessa,
      Good to see you here and thanks for linking up from kingged 😉

      Good to know you are safe at point #1

      For point #2, you may not be able to have that blank index page in all the directories on your blog. Applying no indexing on the root directory will auto protect the subs. I’m sure you can figure that out 😉

      Do have a wonderful week and hope to see you again here, on kingged or on your blog for more engagement 😉

  • Adrienne says:

    These are great tips Enstine, but wouldn’t it just be best to change the names of the tables, and then they wouldn’t be able to access them at all? I know that might be a little more confusing to do, but hackers will assume everything starts with wp_, which it does, so just change that name and you’re good to go.

    I would love to learn how to create a nicer-looking 403 error page because you’re right, that one is just ugly.

    Thanks for this great information, I learned something new today. Didn’t know you could do that.

    ~Adrienne

    • Hey Adrienne,
      I think real security has to go with securing the files and the database. I use Better WP Security which is quite strong and helps me change the table prefix and even rename some key directories

      However, we have to be careful not to let hackers know exactly where which files are found and what the root directory of our blog is. They may use this to re-orientate their attacks.

      Yes, I’m working on another post to clearly show us how to customize those error pages. You will surely be informed as soon as that one is published.

      Do have a wonderful week and thanks for making it a date with us today here at EnstineMuki.com

  • Phillip Dews says:

    That was brilliant Enstine thanks for the heads up buddy!
    Although not for the faint-hearted, this is a quick and easy fix! Took me 2 mins, so thanks dude, I have closed all my open doors now!

    Keep up the great work dude!
    -Phillip

    • Hey Phillip,
      Thanks for the engagement on BlogEngage and for the comment here. It’s really encouraging to see that you are helping others grow. What a great thing to have you as a friend.

      I’m sure to come up with many more helpful tips. Be sure to be on my list so you don’t miss a thing

  • Hello Sir,

    Your post title forced me to read this post.
    When I checked, I found Vulnerability 1 in my blog and now I have fixed that.

    Thank you so much for providing the solution.

  • latarani says:

    Really awesome article sir. One of my blogs would not open; Google Chrome told me it contained malware. Some of the worst and well-known hackers put malware in your blog so it harms your computer. I was shocked. In a short period Google took an event on hacking: it gave 17 crore rupees to hackers who hack Chrome OS. Right now, this is the right article.

  • Sunil Pandey says:

    Hi ,

    Thanks for the great share! But I have hosted my site on Blogger.com. Are there any security suggestions for a Blogger.com-hosted site??

    Please suggest.

    Thanks !!!

    • Hi Sunil,

      While I have never blogged on that platform before, I think security is less of an issue there. However, it will be a good thing to Google for known security points and be sure to get them sorted out at your level.

      Do have a nice week and thanks for stopping by

  • Wonderful post,

    I really didn’t know about this. I think I’m gonna need to check this out for my blog. Hope to follow the instructions as mentioned.

    Thanks

  • Cararta says:

    Hi Enstine,

    Thanks for the warning and the useful checker!

    My blog was O.K., but another site I have was not.

    The difference? On the good one I have Bullet Proof Security installed…a free WordPress plugin that I think even works with GoDaddy…and I also combine it with a paid plugin I use.

    To me Bullet Proof has a learning curve and you could end up with some great articles explaining its ins and outs! They do have a tutorial and instructions for setting up, but you must do the set up or it won’t work. They have a paid version, but I still use the free…which they support.

    If anyone wants a link to the paid plugin I use, they can contact me on Facebook at my InternetMoneyStore…will post the link there so I don’t spam anyone here! Since I also use WP Super Cache it is sometimes hard to find plugins that will live in harmony with it.
    Saved your “testers” which are very handy indeed. Thank you for the share.
    C.

    • Hi Cararta,
      I’m excited to have you around today and thanks for the contribution
      While people can contact you on Facebook, kindly post the URL here for the help of my readers too. Please paste your affiliate link if any.

  • Hi Enstine,

    Before your knowledgeable post I was unaware of these vulnerabilities. I am in awe of the solution to these attacks on the sites. I will soon try to rectify them.

    Thanks for your valuable sharing.

  • Aahna says:

    Hi Enstine,

    I’m sure not many bloggers would be aware of these security issues. I have a few WordPress blogs and am certainly going to look out for these issues there and will correct them quickly. Thanks a lot for revealing these security holes.

  • Hello Enstine,

    Thanks a million for these two tips. While I have secured my site via several other means, I feel that there is nothing like ‘too much security’. I shall implement the changes and get back to leave feedback.

    Always,
    Terungwa

  • David says:

    Hi Enstine Muki,
    I would like to thank you for sharing this information. I am a new blogger and I have heard this kind of news, so I was pretty worried about my blogs. This information helps me.

  • Erik Emanuelli says:

    Hi Enstine,
    really really useful!
    Thank you so much!

    I had both security issues on my sites, so I have followed your instructions and it worked.
    Now I guess I made one step forward to better secure my blogs.

    I have subscribed to not miss next posts! 😉
    Also, shared on Twitter.

    Thanks for the tips, Enstine.
    Have a fantastic week. 🙂

  • Hi Enstine,
    Very informative post on WordPress security!
    Many people think having a strong password is enough to secure their blog, but it’s not!
    I checked for both vulnerabilities; luckily it’s protected!
    I think Bulletproof Security plugin is best to protect our blog from these types of Vulnerabilities!
    Thanks for sharing!

  • I am glad to find out I had secured my blog from these vulnerabilities even before I read this article. There are so many ways a blog can be vulnerable to hackers, and the one that seems most dangerous is directory browsing, because an outsider can take advantage of this to hack your site. I actually disabled directory browsing from my .htaccess file, placed at every directory level.

  • metz says:

    The other day, I have read on one blog that your blog will be at risk if you are sharing a post created by others without asking their permission. They have the power to report you to Google and pretty sure no one wants to be in that situation.

    Anyway, nice post Enstine!

    I found this post shared on Kingged.com, the Internet marketing social networking site, and I “kingged” it and left this comment.

  • suklambar says:

    Hi Enstine, thanks for sharing knowledge of this security. I can make my blog safer using that. Keep sharing . . .

  • Naveen says:

    Most of us don’t care about the back end of blogging. You’ve explained the vulnerabilities and how to solve them in a step-by-step post. Thanks, will check and rectify it.

  • Hi Enstine,

    Thanks so much for the heads up and for providing the solutions that made my blog safer! I’d have never known this if you hadn’t written this post.

    I had both the vulnerabilities that you mentioned, and I followed the steps that you suggested. It was easy and I guess my blog is more secure now. These might appear to be little or insignificant problems, but I understand that those who’re bent on evil doing can leverage such information and create ruckus.

    However, I do have a question about the “no indexing” option for the vulnerability 2. I had read somewhere that you can put a code in the .htaccess file that can automatically create a blank index file for all the directories or folders. I have this code and I wonder why the files still showed when I tested for the vulnerability 2?

    Thanks so much for this crucial information and I’m sure almost everybody needs to work on it.

    Do have a great week ahead! 🙂

    • Hi Harleena,

      I’m glad this short tut was helpful 😉

      As a matter of fact, I have read that adding the line “Options -Indexes”, without quotes, to your .htaccess file should do the job. That’s exactly what I find in mine after going the cPanel way. I’m sure the cPanel procedure is to modify the .htaccess file.

      Why you didn’t get it to work initially is what I don’t know – Maybe you got a different piece of code we may want to see here.

      However, I can see that you got it working. Watch out for my next post on how to deal with the ERROR 403 – FORBIDDEN and other error codes.

      Do have a wonderful week ahead

  • Hi Enstine,
    Wonderful post. But I tried the first option.
    I also unchecked display_errors (set it to “off”) but it is still showing. I also clicked “Save Changes”. I don’t know what to do now. Can you suggest another option for this?
    http://yourdomainname.com/wp-includes/vars.php

  • Chitraparna Sinha says:

    Hi Enstine,

    Thanks for this post. I didn’t know about these vulnerabilities. I checked a few of my blogs and some did have this error, especially the second one, and I made the changes to secure them.

    For some, I am using GoDaddy hosting and I am not able to locate the php.ini file. I searched online and it said GoDaddy doesn’t allow access. I don’t know for sure. Do you have any idea?
