
wpForo 1.x.x [Solved] Directory visible

tomiradi
Posts: 8
Topic starter
(@tomiradi)
Active Member
Joined: 5 years ago

Why is this directory publicly visible?

https://tomiradi.com/wp-content/plugins/wpforo/wpf-assets/

8 Replies
Anonymous20
Posts: 1602
(@anonymous20)
Noble Member
Joined: 7 years ago

Because your hosting company (or anyone else who did the server setup) didn't set this correctly.

Edit your .htaccess and add the line:

Options -Indexes

This has nothing to do with wpForo or even WordPress.

CrisW
Posts: 281
(@crisw)
Reputable Member
Joined: 4 years ago
Posted by: @tomiradi

Why is this directory publicly visible?

https://tomiradi.com/wp-content/plugins/wpforo/wpf-assets/

 

Hi @tomiradi

Alternatively, you can also add a simple index page (the filename should be saved as "index.html") in the folder:

wp-content/plugins/wpforo/wpf-assets/

Here's how to create a simple index page.

1) Open Notepad. (assuming you are using Windows and not a Mac)

2) Copy and paste the code below. Change the "https://www.YOUR_WEBSITE.com" to your website / domain name. 🙂

<!DOCTYPE html>
<html lang="en-US">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>This area of our website is private. :-)</title>
</head>

<!-- Placeholder page: while this file exists, the web server serves it instead of a generated file listing for this folder -->
<body style="text-align: center;">

<h2>Oops! This area of our website is private. :-)</h2>

<p>Please go to <a href="https://www.YOUR_WEBSITE.com/">https://www.YOUR_WEBSITE.com/</a> to browse our public posts.</p>

<p>Thank you!</p>

</body>

</html>

3) On the "Filename" field, type "index.html"
On the "Save as type" dropdown, select "All files"
On the encoding dropdown, select "UTF-8"
Then click the "Save" button.

4) FTP this new simple "index.html" file to the folder on your website.

wp-content/plugins/wpforo/wpf-assets/

Hope this helps! Good luck and God bless you! 🙂

 

 

Anonymous20
Posts: 1602
(@anonymous20)
Noble Member
Joined: 7 years ago
CrisW
Posts: 281
(@crisw)
Reputable Member
Joined: 4 years ago
Posted by: @anonymous20

@crisw

Your above suggestion is really bad and dangerous.

https://www.netsparker.com/blog/web-security/disable-directory-listing-web-servers/

Hi @anonymous20 

Thanks for the link. No thanks for your comment.

Much as I don't want to put a pin into that little bubble of "bad and dangerous" snark, the article's author in the link you shared and copied here, only confirms that MY suggestion that I typed FOR @tomiradi above, is actually ONE of the security SOLUTIONS, which is to CREATE an INDEX file.

To quote the same article: 

"As a security best practice it is recommended to disable directory listing. You can disable directory listing by creating an empty index file (index.php, index.html or any other extension your web server is configured to parse) in the relevant directory. Though in many cases this is not the best solution because such files are typically forgotten for example when migrating the web application from development to production environments, or when new directories are added." -

Source:  https://www.netsparker.com/blog/web-security/disable-directory-listing-web-servers/

I made the above suggestion because that's what I know about how to quickly disable a directory listing.  Not all of us have access or permissions to tweak webserver level settings, and not all of us have the technical wherewithal to instantaneously write up code or program or webpage, with the intent to fix an issue. Or where to insert exactly what code. Some complicated suggestions are not even relatable to most people, like me. 🙂

I don't agree with you that MY actionable step by step suggestion is "bad and dangerous".  According to who?  The actual danger is if we do NOTHING. (Or if we snark at someone who actually took the time to type and suggest SOMETHING).

You and I can agree to disagree. If you have a better and original suggestion with your infinite technical wisdom, feel free to actually type up the steps.  I am open to your much better suggestion if you would care enough to share.  🙂 Your above "one liner" is a tad bit offensive.  (In case you didn't put yourself in my shoes, or in the shoes of any newbie).  This is my last response to you on this thread.  Your written sarcasm towards me (and to other newbies, as I've noticed) is indeed getting old.     
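
Added example (not part of the thread and not wpForo code): a Python audit that walks a web root and reports the directories Apache would still list, covering both fixes discussed above, `Options -Indexes` in `.htaccess` and placeholder index files, including the quoted article's caveat about directories that never got an index file. It assumes the server default leaves Indexes on, that `.htaccess` is allowed to override Options, and the DirectoryIndex names shown; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile

INDEX_NAMES = {"index.html", "index.htm", "index.php"}  # assumed DirectoryIndex names
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.I | re.M)

def htaccess_indexes(path):
    """True/False if this .htaccess switches Indexes on/off, None if it is silent."""
    if not os.path.isfile(path):
        return None
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    state = None
    for match in OPTIONS_RE.finditer(text):
        tokens = [t.lower() for t in match.group(1).split()]
        if "-indexes" in tokens:
            state = False
        elif "+indexes" in tokens:
            state = True
        elif not any(t[0] in "+-" for t in tokens):
            # Absolute form ("Options A B") replaces the whole option set.
            state = "indexes" in tokens or "all" in tokens
    return state

def audit(root, server_default=True):
    """Directories under root that would be listed; server_default is an assumption."""
    exposed = []
    def walk(directory, state):
        own = htaccess_indexes(os.path.join(directory, ".htaccess"))
        state = state if own is None else own  # .htaccess applies to subdirectories too
        entries = sorted(os.listdir(directory))
        if state and not INDEX_NAMES.intersection(entries):
            exposed.append(os.path.relpath(directory, root))
        for name in entries:
            child = os.path.join(directory, name)
            if os.path.isdir(child) and not os.path.islink(child):
                walk(child, state)
    walk(root, server_default)
    return exposed

def demo():
    """Constructed tree: index.html only in wpf-assets, then a root-level .htaccess."""
    with tempfile.TemporaryDirectory() as root:
        assets = os.path.join(root, "wp-content", "plugins", "wpforo", "wpf-assets")
        os.makedirs(os.path.join(assets, "css"))
        open(os.path.join(assets, "index.html"), "w").close()
        before = audit(root)
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        return before, audit(root)
```

This is a filesystem-side check only: the main server configuration can still override what `.htaccess` says, so confirm the result by requesting one of the reported directories in a browser.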

 
