[Silence is Gold] Rule in Webserver Directories


When you type the URL of a web folder instead of a specific file, the web server looks for a default file in that folder (in priority order, for example index.php, then index.html). If no such default file exists, the server may list the files in that directory (with links) in the browser; the better and more secure setting is to disable directory listing and return a 403 Forbidden error instead.

In WordPress folders, especially plugin folders whose URLs are not meant to be visited directly in the browser, you will find many index.php files containing something like this:

<?php //You don't belong here. ?>

Or in a similar form:

<?php
// Silence is golden.
?>

Of course, many other contents are possible; all of them silently disable folder browsing. If the files were listed, files containing sensitive information might be exposed.

A better way, in my opinion, is to have an index.php with the following content:

<?php
  // Send the same 404 status and body the web server itself would send for a
  // missing page, so a directly requested folder does not reveal that it exists.
  header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found');
  exit("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n"
     . "<html><head>\r\n<title>404 Not Found</title>\r\n</head><body>\r\n"
     . "<h1>Not Found</h1>\r\n<p>The requested URL " . $_SERVER['SCRIPT_NAME']
     . " was not found on this server.</p>\r\n</body></html>");
?>

This way, the folder returns a 404 Not Found error that looks like the server's own, misleading potential hackers into thinking the folder does not exist.

In some included files, which are not supposed to be accessed directly, you can find checks like these at the beginning:

<?php
// phpBB: the constant is only defined when the file is included by the application
if (!defined('IN_PHPBB'))
    exit;

// WordPress: don't load directly
if ( !defined('ABSPATH') )
    die('-1');

That way, you avoid leaking sensitive information when script errors are displayed in the browser. For folders that should not be exposed at all, add the following lines to the folder's .htaccess file:

order allow,deny
deny from all

This way, no file in the folder can be accessed through a public URL. For example, the log and backup folders of the iThemes Security plugin are protected like this.

–EOF (The Ultimate Computing & Technology Blog) —
