WordPress itself, in the wp-content folder, includes an empty PHP file which looks like this.
<?php
// Silence is golden.
?>
Should plugins include an empty file like this as well to stop folks from viewing the contents of a directory? What about additional folders in themes — like an includes directory?
No, they should not. If a plugin has vulnerabilities just because someone might see its directory structure, it is broken. These bugs should be fixed.
Security through obscurity is a bug in itself.
It's up to the site owner to allow or forbid directory browsing.
A second issue is performance: WordPress scans all PHP files in a plugin's root directory to find plugin headers. This allows you to have multiple plugins under the same directory, e.g.
/wp-content/plugins/wpse-examples/
It also means that unused PHP files in that directory are wasting time and memory when WordPress is searching for plugins. One file will not do much harm, but imagine this becoming a common practice. You are creating a real problem in an attempt to fix a fictional one.
I am going to say YES. Security through obscurity works if you're more obscure than your neighbors 🙂 (joking, but there is some truth to that).
The reality is that the bots/scanners now compile the plugin lists right off wordpress.org and crawl the plugin URLs directly, fingerprinting versions for known exploits and keeping the info in a database for reference.
So which one would you rather have: a bot not being able to gather info on your install, or leaving it up to the plugin author to make sure you're secure? How about both.
PS. On a side note, there were 186 reported exploits from wordpress.org plugins last year (*reported*).
Since WordPress core does this, it makes sense for plugins to follow suit. While all of this can be protected with various server-side settings, it doesn't hurt to have a default (probably why WordPress core does it).
As fuxia pointed out, there is a performance drawback in having an extra .php file for WordPress to scan for plugins. An index.html would probably be a better option. Of course, the best option would be to forbid directory browsing through the web server. And also, security through obscurity is no good.
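As an added example (not code from the thread, from WordPress, or from any plugin discussed here), the two checks a practitioner would actually run on this question: a walk over a plugin tree that reports every directory with neither index.php nor index.html (the author-side mitigation the answers debate), and a detector that recognises an Apache mod_autoindex or nginx autoindex page in an HTTP response body (the site-owner-side check). The plugin layout and the listing bodies are constructed for the example; the directory name wpse-examples is borrowed from fuxia's answer, and the HTML follows the general shape of real autoindex output rather than being captured from a server.

```python
"""Audit a WordPress plugin tree for listable directories and detect
auto-generated index pages. Added example; paths and HTML are constructed."""
import os
import re
import tempfile

# Apache's default DirectoryIndex covers index.html and index.php; a stock
# nginx `index` directive covers index.html only. Treat either as "covered".
INDEX_FILES = ("index.php", "index.html")


def dirs_without_index(root):
    """Return relative paths (root first) of directories lacking an index file."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # in-place sort makes os.walk order deterministic
        if not any(name in filenames for name in INDEX_FILES):
            rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
            missing.append(rel)
    return missing


# Markers that only auto-generated listings carry; an ordinary page that
# happens to contain the words "Index of" without a path does not match.
_LISTING_PATTERNS = (
    re.compile(r"<title>\s*Index of /", re.I),           # Apache and nginx title
    re.compile(r"<h1>\s*Index of /", re.I),              # Apache and nginx heading
    re.compile(r'<a href="\.\./">\.\./</a>'),            # nginx parent-dir link
    re.compile(r"Parent Directory|\[PARENTDIR\]", re.I),  # Apache parent-dir link
)


def is_directory_listing(body):
    """True if an HTTP response body looks like a web-server directory index."""
    return any(p.search(body) for p in _LISTING_PATTERNS)


def build_sample_plugin(base):
    """Create a constructed plugin tree: one plugin, an includes/ subdirectory
    with no index file, and an assets/ subdirectory that already has one."""
    layout = {
        "wpse-examples/wpse-examples.php": "<?php\n/*\nPlugin Name: WPSE Examples\n*/\n",
        "wpse-examples/includes/helper.php": "<?php\n// helper code\n",
        "wpse-examples/assets/index.html": "",
        "wpse-examples/assets/style.css": "",
    }
    for rel, content in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)


def audit_sample_tree():
    """Build the constructed tree in a temp dir and return its listable dirs."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_plugin(base)
        return dirs_without_index(base)


# Constructed response bodies in the shape of real autoindex output.
APACHE_LISTING = (
    '<html><head><title>Index of /wp-content/plugins/wpse-examples</title></head>\n'
    '<body><h1>Index of /wp-content/plugins/wpse-examples</h1>\n'
    '<ul><li><a href="/wp-content/plugins/"> Parent Directory</a></li>\n'
    '<li><a href="includes/"> includes/</a></li></ul></body></html>'
)
NGINX_LISTING = (
    '<html><head><title>Index of /wp-content/plugins/wpse-examples/</title></head>\n'
    '<body><h1>Index of /wp-content/plugins/wpse-examples/</h1><hr><pre>'
    '<a href="../">../</a>\n<a href="includes/">includes/</a>\n</pre><hr></body></html>'
)
SILENCE_IS_GOLDEN = ""  # what the core index.php actually sends
ORDINARY_PAGE = (
    "<html><head><title>WPSE Examples</title></head>"
    "<body><h1>Index of contents</h1><p>Nothing listed here.</p></body></html>"
)

if __name__ == "__main__":
    for rel in audit_sample_tree():
        print("no index file:", rel)
    for label, body in (("apache", APACHE_LISTING), ("nginx", NGINX_LISTING),
                        ("silence", SILENCE_IS_GOLDEN), ("page", ORDINARY_PAGE)):
        print(label, "listing" if is_directory_listing(body) else "not a listing")
```

On the constructed tree the audit reports the plugins root, wpse-examples itself and wpse-examples/includes, while assets/ is skipped because of its index.html. The detector is meant for a site owner to run against their own plugin URLs; if it fires, the fix the last answer points to is the server configuration rather than more placeholder files: `Options -Indexes` in the Apache vhost or .htaccess, or `autoindex off;` in nginx (which is nginx's default).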