Home / Security / WPSCAN and quick wordpress security – Fixing Direcroty Listing – Part 2

WPSCAN and quick wordpress security – Fixing Direcroty Listing – Part 2

WPSCAN and quick wordpress security - Fixing Direcroty Listing - Part 2 - blackMORE OpsThis is a part 2 of the guide WPSCAN and quick wordpress security. It guides reader on how to fix Directory listing in WordPress. Read part 1 here WPSCAN and quick wordpress security – Part 1

Run WPSCAN

WPSCAN shows I have Directory listing enabled.

root@kali:~# wpscan --url www.blackmoreops.com
_______________________________________________________________
        __          _______   _____                  
        \ \        / /  __ \ / ____|                 
         \ \  /\  / /| |__) | (___   ___  __ _ _ __  
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \ 
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team 
                        Version v2.2
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalpentest3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________

| URL: http://www.blackmoreops.com/
| Started: Sun Nov 24 14:53:26 2013

[+] robots.txt available under: 'http://www.blackmoreops.com/robots.txt'
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: X-POWERED-BY: PHP/5.3.25
[+] Interesting header: X-W3TC-MINIFY: On
[+] XML-RPC Interface available under: http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.7.1 identified from meta generator

[+] Enumerating plugins from passive detection ... 
 |  2 plugins found:

 | Name: google-analyticator
 | Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
 | Directory listing enabled: Yes

 | Name: jetpack
 | Location: http://www.blackmoreops.com/wp-content/plugins/jetpack/
 | Directory listing enabled: Yes

[+] Finished: Sun Nov 24 14:54:50 2013
[+] Memory used: 2.742 MB
[+] Elapsed time: 00:01:23
Exiting!
root@kali:~#

So how to fix this?

Fixing Directory Listing:

Option 1:

This is the easiest method of all. Add the following line to the .htaccess file that lives at root…

Options -Indexes

This will automatically turn off indexing for ALL folders/subfolders sitewide. If you add that line to a .htaccess file in wp-contents it will disable indexing not only for that folder but for the folders below it and so forth.

Options 2:

Add the following line to the .htaccess file that lives at root…

IndexIgnore *

The * matches all files in the directory. What is the difference between the two? Method b allows you to restrict only a subset of files from being viewed. For example, let’s say for some reason you want the directory content to be viewable but block image files. You would do this…

IndexIgnore *.gif *.png *.jpg

Thats should do it.

Let’s put it to the test..

Testing:

Do another wpscan

root@kali:~#
root@kali:~# wpscan --url www.blackmoreops.com
_______________________________________________________________
__          _______   _____
\ \        / /  __ \ / ____|
\ \  /\  / /| |__) | (___   ___  __ _ _ __
\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
\  /\  /  | |     ____) | (__| (_| | | | |
\/  \/   |_|    |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version v2.2
Sponsored by the RandomStorm Open Source Initiative
@_WPScan_, @ethicalpentest3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________

| URL: http://www.blackmoreops.com/
| Started: Sun Nov 24 15:19:30 2013

[+] robots.txt available under: 'http://www.blackmoreops.com/robots.txt'
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: X-POWERED-BY: PHP/5.3.25
[+] Interesting header: X-W3TC-MINIFY: On
[+] XML-RPC Interface available under: http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.7.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
|  2 plugins found:

| Name: google-analyticator
| Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/

| Name: jetpack
| Location: http://www.blackmoreops.com/wp-content/plugins/jetpack/

[+] Finished: Sun Nov 24 15:21:18 2013
[+] Memory used: 2.734 MB
[+] Elapsed time: 00:01:47
Exiting!
root@kali:~#

Nice, worked like a charm, no more Directory listing enabled warning. Don’t forget to read part of this guide WPSCAN and quick wordpress security – Part 1.

Check Also

Correct way of installing VirtualBox Guest Additions in Kali Linux 2016.2/2017 (Kali Rolling)

How to install VirtualBox Guest Additions in Kali Linux (Kali Rolling / Kali Linux 2016.2 / Kali 2017)

Since Kali Linux 2016 came out (also known as Kali Rolling), it seems that Official …

How to add RBL check on Zimbra Server - blackMORE Ops - 2

How to add RBL on Zimbra Server?

A DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is an effort to stop …

Leave a Reply

Your email address will not be published. Required fields are marked *