WordPress Plugin Security
WordPress sits at the top of the list of the most popular CMSs, largely because of the strong community around it. Most of its appearance and core behaviour can be altered by plugins developed by that community, which is what makes WordPress so adaptable to a particular purpose. My concern is that the security of those plugins is not given much attention.
I checked five free WordPress plugins and found that there is no index file in the directories within the plugin. There could be a lot more like this.
Most web servers will list the contents of a directory that has no index file, so these directories expose the plugin's file layout to anyone who requests the directory URL, which is not good security-wise.
Recommendation To WordPress.org
- Make this a requirement for plugin submission.
- Every directory within a plugin should contain an index.php file.
Recommendation to plugin users / developers
Once you download a WordPress plugin, extract it and check that every directory in the plugin contains an index.php or index.html file.
If a directory has neither, create a new index.php, or download the index.php file below (extract it after download) and place a copy in each directory that lacks an index.php or index.html file.
Download index.php file
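The check described above can be scripted rather than done by hand. The following POSIX shell script is an added example, not code from the original post or from WordPress.org: it walks a plugin directory tree, reports every directory that has neither index.php nor index.html, and can drop a minimal placeholder index.php into each of them. The placeholder's "Silence is golden" comment follows the convention WordPress itself uses for such stub files; the sample plugin tree built by `make_sample_plugin` is constructed purely for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post). Finds plugin directories that a
# web server could list because they contain no index file, and optionally
# fills them with a harmless placeholder index.php.

# Print every directory under $1 (including $1 itself) that has neither an
# index.php nor an index.html file.
find_unindexed_dirs() {
    find "$1" -type d | while read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# Create a minimal index.php in each directory under $1 that lacks an index file.
# The stub contains no executable logic; it only stops directory listing.
add_index_files() {
    find_unindexed_dirs "$1" | while read -r d; do
        printf '<?php\n// Silence is golden.\n' > "$d/index.php"
    done
}

# Build a constructed sample plugin tree in a temporary directory and print its
# path. The plugin root and js/ already have index files; css/ and includes/ do not.
make_sample_plugin() {
    root=$(mktemp -d)
    mkdir -p "$root/my-plugin/css" "$root/my-plugin/js" "$root/my-plugin/includes"
    printf '<?php\n' > "$root/my-plugin/my-plugin.php"
    printf '<?php\n' > "$root/my-plugin/index.php"
    : > "$root/my-plugin/js/index.html"
    printf '%s\n' "$root"
}

# Usage (constructed sample): report, then fix, then report again.
# Replace "$sample/my-plugin" with the path of an extracted plugin to check a real one.
sample=$(make_sample_plugin)
echo "Directories without an index file:"
find_unindexed_dirs "$sample/my-plugin"
add_index_files "$sample/my-plugin"
echo "After adding placeholders, remaining unindexed directories:"
find_unindexed_dirs "$sample/my-plugin"
```

Run the script against an extracted plugin before uploading it; an empty second listing means every directory now carries an index file. Note that the placeholder only blocks listing, and that directory listing is ultimately a server setting (for example Apache's `Options -Indexes`), so disabling it there as well covers directories the script was never run on.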