
theme development - Should Plugin Folders Include a Blank index.php File?


WordPress itself, in the wp-content folder, includes an empty PHP file which looks like this.

<?php
// Silence is golden.
?>

Should plugins include an empty file like this as well to stop folks from viewing the contents of a directory? What about additional folders in themes -- like an includes directory?

asked Mar 13, 2012 at 1:38 by chrisguitarguy
  • Yes, it's probably a good idea. Never understood why WP doesn't have Options -Indexes in the bundled htaccess, so these files wouldn't be necessary... – onetrickpony Commented Mar 13, 2012 at 1:45

4 Answers

No, they should not. If a plugin has vulnerabilities just because someone might see its directory structure, it is broken. These bugs should be fixed.
Security through obscurity is a bug in itself.

It’s up to the site owner to allow or forbid directory browsing.

A second issue is performance: WordPress scans all PHP files in a plugin’s root directory to find plugin headers. This allows you to have multiple plugins under the same directory, e.g. /wp-content/plugins/wpse-examples/.

It also means that unused PHP files in that directory are wasting time and memory when WordPress is searching for plugins. One file will not do much harm, but imagine this becoming a common practice. You are creating a real problem in an attempt to fix a fictional one.

I am going to say YES. Security through obscurity works if you're more obscure than your neighbors :) (joking, but there is some truth to that).

The reality is that the bots/scanners now compile the plugin lists right off WordPress and crawl the plugin URLs directly, fingerprinting versions for known exploits and keeping the info in a database for reference.

So which one would you rather have: a bot not being able to gather info on your install, or leaving it up to the plugin author to make sure you're secure? How about both?

P.S. On a side note, there were 186 reported exploits from WordPress plugins last year (*reported...).

Since WordPress core does this, it makes sense for plugins to follow suit. While all of this can be protected with various server-side settings, it doesn't hurt to have a default (probably why WordPress core does it).

As fuxia pointed out, there is a performance drawback in having an extra .php file that WordPress has to scan for plugins. An index.html would probably be a better option. Of course, the best option would be to forbid directory browsing through the web server.

And also, security through obscurity is no good.
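
The trade-off discussed in these answers, as an added example (not code from the question, the answers or WordPress): a Python audit that walks a wp-content tree and reports which directories Apache would list, counting both blank index files and `Options` lines in `.htaccess`. The sample tree, the index file names, the worst-case server default (Indexes enabled) and the premise that the server honours `Options` in `.htaccess` are assumptions.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumption: the server's DirectoryIndex covers these names.
INDEX_FILES = {"index.php", "index.html", "index.htm"}
OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.I | re.M)

def indexes_state(htaccess_text, inherited):
    """Return whether Indexes is on after the Options lines of one .htaccess."""
    state = inherited
    for match in OPTIONS_RE.finditer(htaccess_text):
        tokens = [t.lower() for t in match.group(1).split()]
        if all(t[0] in "+-" for t in tokens):  # relative form: adjust inherited set
            state = (state or "+indexes" in tokens) and "-indexes" not in tokens
        else:  # absolute form: replaces the inherited option set
            state = "indexes" in tokens or "all" in tokens
    return state

def audit(root, server_default=True):
    """List browsable directories under root (worst case: Indexes on by default)."""
    root = os.path.abspath(root)
    state = {os.path.dirname(root): server_default}
    listable = []
    for dirpath, _dirs, files in os.walk(root):
        on = state[os.path.dirname(dirpath)]
        if ".htaccess" in files:
            text = Path(dirpath, ".htaccess").read_text(errors="replace")
            on = indexes_state(text, on)
        state[dirpath] = on
        if on and not INDEX_FILES & set(files):
            listable.append(os.path.relpath(dirpath, root))
    return sorted(listable)

# Constructed sample tree (not taken from a real site).
SAMPLE = ["index.php", "plugins/index.php", "plugins/wpse-examples/plugin.php",
          "plugins/wpse-examples/includes/helper.php", "themes/index.php",
          "themes/demo/index.php", "themes/demo/includes/extra.php"]

def demo():
    """Audit the sample before and after adding a root-level .htaccess."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SAMPLE:
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).touch()
        before = audit(tmp)
        Path(tmp, ".htaccess").write_text("Options -Indexes\n")
        return before, audit(tmp)
```

On the sample, `demo()` shows three subdirectories left browsable by per-folder index files alone and none once the single `Options -Indexes` line is in place.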
