There seems to be an issue with some hosting providers where your file structure is left exposed by default. This means that hackers and others can see the files in the folders on your webserver, which is obviously a potentially dangerous situation.
Here is how you test to see if you are affected:
Call up this URL, remember to change YOUR-DOMAIN to your domain name plus the .com or .co.uk etc:
http://www.YOUR-DOMAIN/wp-content/plugins/
By doing this you are directly asking the webserver to show you the plugins folder. If you are affected by the security issue you will see this:

The above screen shot is a file listing of your plugins folder.
This example is for a WordPress install, but if you don’t have a WordPress blog you may still be affected. Try to locate a folder on your server and call it directly like this:
http://www.YOUR-DOMAIN/your-folder-name/
You might think: “Well so what?” but the security implication is that any folder on your server can potentially be viewed like this, because it means that your hosting account has not been fully configured. Imagine if you have an SQL backup of your blog sitting in an unprotected folder: anyone with a bit of trial and error can find it and download it.
I had this problem on this hosting account; it seems that some providers leave it up to you to figure out what the problem is and to sort it out. Fortunately for me I knew what the issue was and how to fix it, so now I’m going to tell you. It’s so simple I really don’t know why the ISPs don’t just configure it like this to begin with.
Fixing the exposed file structure issue
All you need to do is add a simple line of code to your .htaccess file. This file (.htaccess – yes it does have a dot in front of its name) sits in the root of your hosting account and tells the webserver all the extra stuff you have configured. And in this case it tells it:
Options -Indexes
The leading minus matters: it removes only the Indexes option and leaves the rest of your account’s options untouched. Writing All together with -Indexes mixes signed and unsigned options, which current Apache versions reject (the site then answers with a 500 error), and it would also switch on every other option.
That’s all you have to add to the .htaccess file to protect all your folders from being viewed in this hosting account.
Two ways to do it
The first way
Boot your FTP program and connect to your hosting account, then look in the root (the first level) of your hosting for the .htaccess file. Once you have located it, download it – a word of caution here: on some computers (Apple Mac namely) when you put a ‘dot’ in front of a file name it makes it invisible; the file is still there, but you can’t see it. So it might be wise to change the name of it before you download. *** Remember to change the name back in the account as soon as you download – just in case you don’t do the amend straight away. Your .htaccess file is important to your blog and you shouldn’t leave it in a renamed state. ***
Once downloaded, open it in a text editing program (not Word; never open a server document in Word… ever). Use something like Notepad. Add the above line of code on its own line at the end of the code that’s already there.
Save and re-upload. TIP: Here is what I do to make sure I don’t mess up my install: I rename the existing .htaccess to something like .htaccess_OLD, then upload my new one called just .htaccess, then test that my site still serves. If it doesn’t, I can always roll back to my original file while I sort out what I have done wrong. If it’s all OK, I just delete the _OLD file.
The second way
If you are hosting with an ISP that provides you with a cPanel, then it’s even easier. Log in to your cPanel and find the icon called IndexManager. Click it and choose the root option (if you get a pop-up window). When you see the next screen that lists the files in the root of your account, click on the “/ public_html / (Current Folder)” words. This takes you through to another screen that asks you to choose your indexing type; choose “No Indexing” and hit save. Go to your site and check that it’s still serving OK.
Now you need to call the previously exposed folder again, and if all has gone to plan you should now see your blog’s error page and not your file listing.
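The manual check from the start of the post (call /wp-content/plugins/ and see whether a file listing comes back) and this re-check after the fix can be run as one small script. This is an added example written for this post, not the author’s code; the base URL and the path list are assumptions, so point them at your own site.

```python
"""Check your own site for exposed directory listings (added example)."""
import re
import urllib.error
import urllib.request

# Folders the post asks you to call directly; add your own paths here.
PATHS = ["/wp-content/plugins/", "/your-folder-name/"]

# Apache's mod_autoindex page carries an "Index of /..." title and a
# "Parent Directory" link; either one marks an exposed file listing.
_LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE),
    re.compile(r"Parent Directory", re.IGNORECASE),
)


def is_directory_listing(status: int, body: str) -> bool:
    """Return True when a response looks like a mod_autoindex listing."""
    if status != 200:
        # 403 (what Options -Indexes produces) or 404: no listing served.
        return False
    return any(marker.search(body) for marker in _LISTING_MARKERS)


def fetch(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET a URL and return (status, body); errors become a status, not an exception."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")
    except urllib.error.URLError:
        return 0, ""  # no HTTP response at all (DNS failure, refused, ...)


def check_site(base_url: str, paths=PATHS) -> dict[str, bool]:
    """Map each path to True if it currently exposes a file listing."""
    base = base_url.rstrip("/")
    return {path: is_directory_listing(*fetch(base + path)) for path in paths}


if __name__ == "__main__":
    # Replace YOUR-DOMAIN with your own domain, as in the post's examples.
    for path, exposed in check_site("http://www.YOUR-DOMAIN").items():
        print(f"{path}: {'EXPOSED file listing' if exposed else 'ok'}")
```

Run it before the .htaccess change to confirm the exposure, then again afterwards; every path should report “ok” once Options -Indexes is in place.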
Please take care when you are editing any server files and don’t ever open them in Word!
This post is for information only, and if you edit your files please note that you do so at your own risk; no responsibility is accepted by bloggingrocket.com or its author should anything go wrong with your hosting account / blog website. Also note that this code adjustment alone isn’t a guarantee against being hacked.
September 9th, 2008 at 2:42 pm
Thanks for that bit of advice, I just checked out my blog and noticed it was accessible. Now I’ve fixed it.
Thanks.
September 9th, 2008 at 3:26 pm
Wow, shows you how long I’ve been around the Internet. I already KNEW about this feature and forgot about it when I set up my new blog. Thanks to you, I checked and discovered I hadn’t protected my folders!
THANK YOU, THANK YOU, THANK YOU!
you rock!
~cj