
WPSCAN and quick wordpress security – Fixing Directory Listing – Part 2

This is part 2 of the guide WPSCAN and quick wordpress security. It walks the reader through fixing directory listing in WordPress. Read part 1 here: WPSCAN and quick wordpress security – Part 1

Run WPSCAN

WPSCAN shows that I have directory listing enabled on two plugin folders.

root@kali:~# wpscan --url www.blackmoreops.com
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                        Version v2.2
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalpentest3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________

| URL: http://www.blackmoreops.com/
| Started: Sun Nov 24 14:53:26 2013

[+] robots.txt available under: 'http://www.blackmoreops.com/robots.txt'
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: X-POWERED-BY: PHP/5.3.25
[+] Interesting header: X-W3TC-MINIFY: On
[+] XML-RPC Interface available under: http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.7.1 identified from meta generator

[+] Enumerating plugins from passive detection ... 
 |  2 plugins found:

 | Name: google-analyticator
 | Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
 | Directory listing enabled: Yes

 | Name: jetpack
 | Location: http://www.blackmoreops.com/wp-content/plugins/jetpack/
 | Directory listing enabled: Yes

[+] Finished: Sun Nov 24 14:54:50 2013
[+] Memory used: 2.742 MB
[+] Elapsed time: 00:01:23
Exiting!
root@kali:~#

So how to fix this?

Fixing Directory Listing:

Option 1:

This is the easiest method of all. Add the following line to the .htaccess file that lives at the site root…

Options -Indexes

This will automatically turn off indexing for ALL folders/subfolders sitewide. If you instead add that line to a .htaccess file in wp-content, it disables indexing for that folder and every folder below it.

Option 2:

Add the following line to the .htaccess file that lives at the site root…

IndexIgnore *

The * matches all files in the directory. What is the difference between the two? Option 2 lets you hide only a subset of files from the listing. For example, let's say that for some reason you want the directory content to stay viewable but want to hide image files. You would do this…

IndexIgnore *.gif *.png *.jpg

That should do it.
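Before re-running the scanner, a quick way to confirm the fix from the defender's side is to request the flagged plugin folders and look for the auto-generated index page. The script below is an added example, not code from the original post: it uses a simple heuristic (an "Index of /…" title or heading on a 200 response) and runs against constructed sample responses for the two folders WPScan reported, once before and once after the Options -Indexes change; http_fetch, listing_enabled and check_paths are names chosen here.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Heuristic for Apache/LiteSpeed auto-index pages: the generated HTML carries
# "Index of /<path>" in <title> (and usually <h1>). With "Options -Indexes"
# the server answers 403 Forbidden instead, so both status and body are checked.
AUTOINDEX_RE = re.compile(r"<(title|h1)>\s*Index of\s+/", re.IGNORECASE)


def listing_enabled(status: int, body: str) -> bool:
    """True when the response looks like an automatic directory index."""
    return status == 200 and AUTOINDEX_RE.search(body) is not None


def http_fetch(url: str) -> Tuple[int, str]:
    """Live fetcher for a real site (not used by the demo run below)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlisting-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode(), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 403/404 are the expected "fixed" answers
        return err.code, err.read().decode("utf-8", "replace")


def check_paths(fetch: Callable[[str], Tuple[int, str]], base: str,
                paths: List[str]) -> Dict[str, bool]:
    """Map each path under base to whether a directory listing is exposed."""
    return {p: listing_enabled(*fetch(base.rstrip("/") + p)) for p in paths}


# Constructed sample responses standing in for the live server.
BASE = "http://www.blackmoreops.com"
PLUGIN_DIRS = ["/wp-content/plugins/jetpack/",
               "/wp-content/plugins/google-analyticator/"]
BEFORE = {p: (200, "<html><head><title>Index of %s</title></head><body>"
                   "<h1>Index of %s</h1><a href='readme.txt'>readme.txt</a>"
                   "</body></html>" % (p.rstrip("/"), p.rstrip("/"))) for p in PLUGIN_DIRS}
AFTER = {p: (403, "<html><head><title>403 Forbidden</title></head></html>")
         for p in PLUGIN_DIRS}


def fake_fetch(table: Dict[str, Tuple[int, str]]) -> Callable[[str], Tuple[int, str]]:
    """Serve the constructed responses by path, mimicking http_fetch."""
    return lambda url: table[url[len(BASE):]]


if __name__ == "__main__":
    for label, table in (("before fix", BEFORE), ("after fix", AFTER)):
        print(label, check_paths(fake_fetch(table), BASE, PLUGIN_DIRS))
```

Note that with Option 2 (IndexIgnore *) the server still renders an index page titled "Index of …" with no entries, so this heuristic may still report it; Option 1 is the change that makes the folders answer 403.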

Let's put it to the test…

Testing:

Run another wpscan:

root@kali:~#
root@kali:~# wpscan --url www.blackmoreops.com
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                        Version v2.2
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalpentest3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________

| URL: http://www.blackmoreops.com/
| Started: Sun Nov 24 15:19:30 2013

[+] robots.txt available under: 'http://www.blackmoreops.com/robots.txt'
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: X-POWERED-BY: PHP/5.3.25
[+] Interesting header: X-W3TC-MINIFY: On
[+] XML-RPC Interface available under: http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.7.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
|  2 plugins found:

| Name: google-analyticator
| Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/

| Name: jetpack
| Location: http://www.blackmoreops.com/wp-content/plugins/jetpack/

[+] Finished: Sun Nov 24 15:21:18 2013
[+] Memory used: 2.734 MB
[+] Elapsed time: 00:01:47
Exiting!
root@kali:~#

Nice, it worked like a charm: no more "Directory listing enabled" warning. Don't forget to read part 1 of this guide, WPSCAN and quick wordpress security – Part 1.
