<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Techfun &#187; Weblogs</title>
	<atom:link href="http://blog.techfun.org/tag/weblogs/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.techfun.org</link>
	<description>Linux, Politics, Whatever...</description>
	<lastBuildDate>Sun, 13 Feb 2011 00:10:30 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.1</generator>
		<item>
		<title>I Can See Your WordPress Butt</title>
		<link>http://blog.techfun.org/2009/05/i-can-see-your-wordpress-butt/</link>
		<comments>http://blog.techfun.org/2009/05/i-can-see-your-wordpress-butt/#comments</comments>
		<pubDate>Mon, 11 May 2009 20:38:22 +0000</pubDate>
		<dc:creator>JD Thomas</dc:creator>
				<category><![CDATA[Techfun]]></category>
		<category><![CDATA[.htaccess]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[Google Search]]></category>
		<category><![CDATA[On the Web]]></category>
		<category><![CDATA[PHP]]></category>
		<category><![CDATA[Weblogs]]></category>
		<category><![CDATA[wordpress]]></category>
		<category><![CDATA[WordPress.com]]></category>

		<guid isPermaLink="false">http://blog.techfun.org/?p=1807</guid>
		<description><![CDATA[WordPress is a great blogging platform, and its ease of use means it has become very widely used by blogging pros and amateurs alike.   If you are using WordPress.com as your blogging platform this post does not apply to you, but if you have your own self-hosted installation of WordPress you may want to read onward in order to see how your blog may be showing its backside like a patient in a cheap hospital gown.]]></description>
			<content:encoded><![CDATA[<div class="zemanta-img zemanta-action-dragged" style="margin: 1em; display: block;">
<div>
<dl class="wp-caption alignright">
<dt class="wp-caption-dt"><a href="http://www.flickr.com/photos/28694005@N07/2829286479"><img title="wordpress logo" src="http://farm4.static.flickr.com/3067/2829286479_4c45d4aeac_m.jpg" alt="wordpress logo" /></a></dt>
<dd class="wp-caption-dd zemanta-img-attribution" style="font-size: 0.8em;">Image by <a href="http://www.flickr.com/photos/28694005@N07/2829286479">adria.richards</a> via Flickr</dd>
</dl>
</div>
</div>
<p><a href="http://www.wordpress.org">WordPress</a> is a great blogging platform, and its ease of use means it has become very widely used by blogging pros and amateurs alike.   If you are using <a class="zem_slink" title="WordPress.com" rel="homepage" href="http://wordpress.com">WordPress.com</a> as your blogging platform this post does not apply to you, but if you have your own self-hosted installation of WordPress you may want to read onward in order to see how your blog may be showing its backside like a patient in a cheap hospital gown.</p>
<p>The many fine folks who contribute to the official releases of WordPress do a phenomenal job of addressing security concerns as quickly as they pop up for the most part, and the stuff I am talking about here is not a security problem in terms of WordPress itself.</p>
<p>When you install WordPress for yourself the first step is unzipping the WordPress software and putting it in place on a webserver.  One of the folders you have uploaded is called <em><strong>wp-content</strong></em>.  This folder is home to your plugins, themes, and uploaded images by default.  WordPress includes a nice PHP page containing this:</p>
<p><code>&lt;?php<br />
 // Silence is golden.<br />
 ?&gt;</code></p>
<p>What this does is present a simple blank page if someone browses to <em><strong>http://www.yourblog.com/wp-content</strong></em> and that is nice,  but we can do better.   The problem with this solution is that as you create folders under <strong>wp-content</strong> those folders are not protected in the same way.</p>
<p>As soon as you start uploading pictures for use in your blog posts your site will grow a whole tree of folders starting at <strong>/wp-content/uploads</strong>.  These folders are created as needed by your WordPress blog and will start with a year and then a month.  So all of your images used in posts in April of 2009 will be stored in <strong><em>http://www.yourblog.com/wp-content/uploads/2009/04</em>.</strong></p>
<p>Armed with this knowledge, and the knowledge that many webhosts out there will display a list of files and folders if you browse to a folder without an Index or Default page, you can see exactly what content has been uploaded to an &#8220;unfixed&#8221; blog.  This is more of an annoyance than a security problem, but if your blog is heavy with high-resolution photographs this little problem allows visitors in the know to rip down all your photos without ever needing to see the actual blog posts they belong with on the &#8220;front&#8221; side of your WordPress blog.  If you pay for bandwidth it could even get expensive.</p>
<p>If you would like to see exactly how widespread this problem is, click this <a title="Google Search for Indexes WP Image folders" href="http://www.google.com/#hl=en&amp;q=%22Index+of%22+wp-content%2Fuploads&amp;btnG=Google+Search&amp;aq=f&amp;oq=%22Index+of%22+wp-content%2Fuploads&amp;fp=NIRKy86ps1o" target="_blank">link to a Google Search</a> (should open in a new tab) that will show you how your exposed backside looks to the Google indexing bots.  Currently Google sees about 148,000 of these.  If you would like to see if yours is one of them, just browse to <em><strong>http://www.yourblog.com/wp-content/uploads</strong></em>.  If you see a list of folders then you may benefit from this post.  If not, particularly if you get your blog&#8217;s homepage or a 404 error, you are in great shape!</p>
<p>There are many ways of addressing this problem for WordPress users who are experiencing it.  One way is through editing the main<em><strong> <a class="zem_slink" title=".htaccess" rel="wikipedia" href="http://en.wikipedia.org/wiki/.htaccess">.htaccess</a></strong></em> file in the root of your WordPress install, but I am of the firm opinion that most WordPress users should stay out of that file to avoid messing up their permalinks.   Instead, we will use a <em><strong>.htaccess</strong></em> solution that allows us to avoid touching the main file.</p>
<p>A dot htaccess file allows you to tell the webserver to behave differently for the folder where you upload the file and the folders underneath it.  If you are a Windows user, you may want to work on a file called htaccess.txt for this next part and rename it to<em><strong> .htaccess </strong></em>when it&#8217;s up on your server.</p>
<p>What we are going to do here is essentially sew the flap closed on the back of the WordPress hospital gown and direct people who try to look at your butt to another location.</p>
<p>We will do this with two lines of text.  It&#8217;s that easy.</p>
<p><strong>Instructions</strong></p>
<ol>
<li>Open your favorite text editor and create a file called<em><strong> .htaccess</strong></em> (or htaccess.txt).</li>
<li>On the first line, enter:
<p><strong>Options -Indexes</strong></p>
</li>
<li>On the second line, enter:
<p><strong>ErrorDocument 403 http://blog.techfun.org</strong><br />
 Replace http://blog.techfun.org with your blog&#8217;s homepage, Search or 404 page if you have one.</p>
</li>
<li>Save the file.</li>
<li>Upload the new<em><strong> .htaccess</strong></em> file to the wp-content folder on your site.  <em><strong>(Be Very Careful doing this to ensure you upload to the wp-content folder and not your root WordPress Folder.  The .htaccess file in the root has an important and special purpose in handling your custom permalinks and should not be overwritten.)</strong></em></li>
</ol>
<p>The first line tells the server to turn off the Indexes option.  With that option off, the server does not generate a webpage listing files and folders in the absence of a true start page for that folder and its child folders.  This will cause the webserver to generate a 403 Error instead.  We all know a 404 Error means &#8220;resource not found&#8221; essentially.  The 403 Error means the viewer does not have permission to view the resource.  In this case, the resource is the directory listing of your <em><strong>wp-content</strong></em> folder and its subfolders.</p>
<p>That first line does the real work.  The second line tells the server what to do when issuing a 403 Error in that part of the WordPress site.  In my example, after the server issues the 403 Error it sends the visitor to the homepage of my blog.  This could be any URL or even a file on the server.</p>
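<p>An added example, not part of the original post: a small Python check that classifies the response a folder URL under wp-content returns before and after the fix, and lists what an exposed index gives away.  The sample responses are constructed and the names are hypothetical; the 302 case reflects that Apache answers with a redirect when ErrorDocument points to a full URL.</p>

```python
from html.parser import HTMLParser

class _ListingParser(HTMLParser):
    """Collects the <title> text and every link target from an HTML page."""
    def __init__(self):
        super().__init__()
        self.title, self.links, self._in_title = "", [], False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data

def classify(status, headers, body):
    """Return (verdict, exposed_entries) for one response to a folder URL."""
    if status in (301, 302, 303, 307):
        return ("redirected to " + headers.get("Location", "?"), [])
    if status == 403:
        return ("listing disabled (403)", [])
    p = _ListingParser()
    p.feed(body)
    if status == 200 and p.title.strip().startswith("Index of"):
        # Skip column-sort links (?C=N;O=D) and the absolute parent-directory link.
        entries = [h for h in p.links
                   if not h.startswith(("?", "/")) and h != "../"]
        return ("directory listing exposed", entries)
    return ("no listing detected", [])

# Constructed sample responses (not captured from any real site).
EXPOSED = ('<html><head><title>Index of /wp-content/uploads/2009/04</title></head><body>'
           '<a href="?C=N;O=D">Name</a><a href="/wp-content/uploads/2009/">Parent Directory</a>'
           '<a href="photo-1.jpg">photo-1.jpg</a><a href="photo-2.jpg">photo-2.jpg</a></body></html>')
SAMPLES = {
    "before fix": (200, {}, EXPOSED),
    "Options -Indexes only": (403, {}, "<html><head><title>403 Forbidden</title></head></html>"),
    "with ErrorDocument URL": (302, {"Location": "http://www.yourblog.com"}, ""),
}
```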
<p>If you would like to know more about the magic that is the .htaccess file, check out <a href="http://httpd.apache.org/docs/1.3/howto/htaccess.html">http://httpd.apache.org/docs/1.3/howto/htaccess.html</a></p>
<p>I&#8217;d like to thank <a href="http://www.twitter.com/tcwaters">@tcwaters</a> &amp; <a href="http://www.twitter.com/ellejohara">@ellejohara</a> on Twitter for encouraging me to write this and <a href="http://www.twitter.com/geekmommashup">Heather Weaver</a> over at <a href="http://geekmommashup.com">GeekMomMashup.com</a> and <a href="http://bellatwilightshop.com/">BellaTwilightShop.com</a> for testing this process out before it went live on her HostGator account.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.techfun.org/2009/05/i-can-see-your-wordpress-butt/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>

