This is part 2 of the guide WPSCAN and quick wordpress security. It shows the reader how to fix directory listing in WordPress. Read part 1 here: WPSCAN and quick wordpress security – Part 1
Run WPScan
WPScan shows I have directory listing enabled.
root@kali:~# wpscan --url www.blackmoreops.com
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version v2.2
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalpentest3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________

| URL: http://www.blackmoreops.com/
| Started: Sun Nov 24 14:53:26 2013

[+] robots.txt available under: 'http://www.blackmoreops.com/robots.txt'
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: X-POWERED-BY: PHP/5.3.25
[+] Interesting header: X-W3TC-MINIFY: On
[+] XML-RPC Interface available under: http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.7.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
 | 2 plugins found:

 | Name: google-analyticator
 | Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/
 | Directory listing enabled: Yes

 | Name: jetpack
 | Location: http://www.blackmoreops.com/wp-content/plugins/jetpack/
 | Directory listing enabled: Yes

[+] Finished: Sun Nov 24 14:54:50 2013
[+] Memory used: 2.742 MB
[+] Elapsed time: 00:01:23

Exiting!
root@kali:~#
So how do we fix this?
Fixing directory listing:
Option 1:
This is the easiest method of all. Add the following line to the .htaccess file that lives at the web root:
Options -Indexes
This turns off indexing for ALL folders and subfolders sitewide. If you add that line to a .htaccess file in wp-content instead, it disables indexing for that folder and for every folder below it.
Option 2:
Add the following line to the .htaccess file that lives at the web root:
IndexIgnore *
The * matches all files in the directory. What is the difference between the two? Option 2 lets you hide only a subset of files from the listing. For example, say you want the directory content to remain viewable but want image files hidden. You would do this:
IndexIgnore *.gif *.png *.jpg
That should do it.
Let's put it to the test.
Testing:
Run another WPScan:
root@kali:~# wpscan --url www.blackmoreops.com
_______________________________________________________________
        __          _______   _____
        \ \        / /  __ \ / ____|
         \ \  /\  / /| |__) | (___   ___  __ _ _ __
          \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
           \  /\  /  | |     ____) | (__| (_| | | | |
            \/  \/   |_|    |_____/ \___|\__,_|_| |_|

        WordPress Security Scanner by the WPScan Team
                       Version v2.2
     Sponsored by the RandomStorm Open Source Initiative
 @_WPScan_, @ethicalpentest3r, @erwan_lr, @gbrindisi, @_FireFart_
_______________________________________________________________

| URL: http://www.blackmoreops.com/
| Started: Sun Nov 24 15:19:30 2013

[+] robots.txt available under: 'http://www.blackmoreops.com/robots.txt'
[!] The WordPress 'http://www.blackmoreops.com/readme.html' file exists
[+] Interesting header: SERVER: LiteSpeed
[+] Interesting header: X-POWERED-BY: PHP/5.3.25
[+] Interesting header: X-W3TC-MINIFY: On
[+] XML-RPC Interface available under: http://www.blackmoreops.com/xmlrpc.php
[+] WordPress version 3.7.1 identified from meta generator

[+] Enumerating plugins from passive detection ...
 | 2 plugins found:

 | Name: google-analyticator
 | Location: http://www.blackmoreops.com/wp-content/plugins/google-analyticator/

 | Name: jetpack
 | Location: http://www.blackmoreops.com/wp-content/plugins/jetpack/

[+] Finished: Sun Nov 24 15:21:18 2013
[+] Memory used: 2.734 MB
[+] Elapsed time: 00:01:47

Exiting!
root@kali:~#
Nice, worked like a charm: no more "Directory listing enabled" warning. Don't forget to read part 1 of this guide, WPSCAN and quick wordpress security – Part 1.
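Besides re-running WPScan, a quicker way to re-check the two plugin folders after editing .htaccess is to request each one and see whether the server still returns an autoindex page. The script below is an added example, not code from the original post or from WPScan; it assumes the plugin paths from the scan output above and that the site is reachable when the live check is used. It also shows why Option 2 (IndexIgnore) does not fully satisfy such a check: the entries are hidden, but the "Index of" page itself is still served.

```python
"""Re-check the plugin folders WPScan flagged for directory listing (added example)."""
import re
import urllib.error
import urllib.request

# Apache and LiteSpeed autoindex pages carry an "Index of /<path>" title and heading.
AUTOINDEX_RE = re.compile(r"<(title|h1)>\s*Index of /", re.IGNORECASE)


def is_directory_listing(status: int, body: str) -> bool:
    """True when the response is an autoindex page, not a 403/404 or a normal page."""
    return status == 200 and AUTOINDEX_RE.search(body) is not None


def fetch(url: str, timeout: float = 10.0):
    """GET url and return (status, body); HTTP errors (e.g. 403) are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlisting-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # "Options -Indexes" yields 403 Forbidden
        return err.code, err.read().decode("utf-8", "replace")


def check_listing(base_url: str, paths):
    """Map each path to True if a directory listing is still served for it."""
    return {p: is_directory_listing(*fetch(base_url.rstrip("/") + p)) for p in paths}


# Constructed sample responses (not captured from the real site):
# before the fix, after "Options -Indexes", and after "IndexIgnore *" only.
SAMPLE_BEFORE = (200, "<html><head><title>Index of /wp-content/plugins/jetpack</title></head>"
                      "<body><h1>Index of /wp-content/plugins/jetpack</h1>"
                      "<a href='jetpack.php'>jetpack.php</a></body></html>")
SAMPLE_OPTIONS_NOINDEX = (403, "<html><head><title>403 Forbidden</title></head>"
                               "<body><h1>Forbidden</h1></body></html>")
# IndexIgnore hides the entries, but the autoindex page is still generated, so
# a scanner keyed on "Index of" still reports listing as enabled.
SAMPLE_INDEXIGNORE = (200, "<html><head><title>Index of /wp-content/plugins/jetpack</title>"
                           "</head><body><h1>Index of /wp-content/plugins/jetpack</h1>"
                           "</body></html>")

if __name__ == "__main__":
    for name, (status, body) in [("before", SAMPLE_BEFORE),
                                 ("Options -Indexes", SAMPLE_OPTIONS_NOINDEX),
                                 ("IndexIgnore *", SAMPLE_INDEXIGNORE)]:
        print(f"{name}: listing enabled = {is_directory_listing(status, body)}")
    # Live check against the paths from the scan (assumes the site is reachable):
    # print(check_listing("http://www.blackmoreops.com",
    #       ["/wp-content/plugins/google-analyticator/", "/wp-content/plugins/jetpack/"]))
```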