Opened 13 years ago
Last modified 5 years ago
#17619 new enhancement
Soft 404 at /wp-content/plugins/
Reported by: | miqrogroove | Owned by: | |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | General | Keywords: | has-patch 2nd-opinion |
Focuses: | Cc: |
Description
/wp-content/plugins/index.php would be better written with a proper 404.
<?php header('HTTP/1.0 404 Not Found'); // Silence is golden. ?>
Attachments (3)
Change History (19)
#2
@
13 years ago
Technically, there is nothing in the response entity, so either 403 or 404 is appropriate.
#4
@
13 years ago
As per RFC2616 if a reason is to be given for denying access then 403 should be used, otherwise 404 should be used. In this case I would say 403 would be the better response code with a reason included for forbidding access.
#6
@
13 years ago
If this is going to change, then it should change for all wp-content directories, i.e., /themes and /uploads also.
#9
@
13 years ago
- Keywords has-patch added
I feel that a 403 would be a more appropriate response since there is actually a directory, just not that one permit access to access it.
#13
@
9 years ago
- 404 = Technically wrong, it's not a missing resource, the resource is deliberately empty
- 403 = Slightly more appropriate, has precedent in [30356]
- 200 = Entirely valid IMHO, It's just an empty response to prevent directory listings.
If a committer feels strong enough for a 403, go for it.
#16
@
5 years ago
- Keywords 2nd-opinion added
- Milestone set to Future Release
Copying the detailed description over from #46286, which was just closed as a duplicate:
Direct requests to system file structures/folders (e.g., https://yoast.com/app/wp-content/) currently return a blank page with a 200 HTTP status. This informs search engines and agents that the page/state is 'okay', which may result in them being crawled, indexed, or otherwise exposed.
This causes a number of SEO and analytics headaches, and, is generally poor practice.
Whilst these directories/files technically do exist, and therefore arguably should return a 200 status, the important thing to consider is that no user-facing page/content exists at the URL. We're not trying to represent the 'physical' file structure of the site (which we're already extremely abstracted from), we're trying to signpost what is, or isn't, a valid page/response. That an actual file/folder resides at the requested URL is irellevant.
In the short-term, we should simply set a 404 header in all 'Silence is golden' templates.
In the long-term, we should aim to find a way to allow all request to 'Silence is golden' files to return the 404 template of the active theme. This may come with complexities, where we can't rely on system configurations/capabilities or folder structures to be consistent between sites.
As an aspiration, we should aim that all requests to a WP site return an appropriate HTTP status and experience based on the user's context, regardless of the actual file/directory structure.
Props @jonoaldersonwp, @vanyukov, @santilinwp for their discussion and work over there.
Shouldn't it technically be a 403?