
Opened 6 months ago

Closed 6 months ago

#50076 closed enhancement (duplicate)

/wp-includes/css/ needs an index.php file

Reported by: AnotherDave
Owned by:
Milestone:
Priority: normal
Severity: normal
Version:
Component: Bootstrap/Load
Keywords:
Focuses:
Cc:

Description

WordPress does not include an index file in /wp-includes/css/, and that leaves it open to search engine indexing, makes the content visible to anyone, can lead to information leakage, and causes the test at https://sitecheck.sucuri.net to report the site as "Medium Security Risk".

Savvy users can of course add the option in htaccess to not allow access to folders with no index file, and many users can upload a blank index.php to the /wp-includes/css/ folder, but that still leaves two issues:

  1. Some users / site owners do not know how to edit htaccess or upload a blank index file.
  2. When it comes to the htaccess option (or using a security plugin to block access to directories missing index files), some site owners have the need for other folders hidden in their hosting account to be accessible without an index file in their particular hidden folders.

Would it not be best if WordPress core came with an index.php file already in /wp-includes/css/ upon installation?

I would have submitted this on the WordPress HackerOne program, but this issue apparently doesn't meet their criteria.

Change History (2)

#1 @jonoaldersonwp
6 months ago

Good catch. This feels like an easy win.

#2 @ocean90
6 months ago

  • Component changed from General to Bootstrap/Load
  • Focuses privacy removed
  • Keywords needs-patch removed
  • Milestone Awaiting Review deleted
  • Resolution set to duplicate
  • Status changed from new to closed
  • Version 5.4 deleted

Hello @AnotherDave, welcome to WordPress Trac!

Thanks for the report. Directory listing is something that is better handled on the server level (Apache, nginx). As mentioned in #18546, there are a few more directories without a default index file. I'm going to close this ticket as a duplicate to keep the discussion in one place.
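An added example, not part of the ticket or of WordPress itself, that follows the two points made above: it audits an install tree for directories that lack an index.php (the "few more directories" mentioned) and checks whether an .htaccess already disables listing server-side. The helper names (missing_index_dirs, htaccess_disables_indexes, make_sample_tree) and the sample tree are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for directories without a default index
# file, and detect an existing server-level mitigation. Helper names are hypothetical.
# Server-level controls referenced in the ticket: Apache "Options -Indexes",
# nginx "autoindex off;" (the nginx default).

# Print every directory below $1 that has neither index.php nor index.html,
# as a path relative to $1, one per line, sorted.
missing_index_dirs() {
    root="$1"
    find "$root" -mindepth 1 -type d | sort | while IFS= read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ]; then
            printf '%s\n' "${d#"$root"/}"
        fi
    done
}

# Return 0 (true) when FILE carries an Options directive that removes Indexes,
# i.e. directory listing is already disabled for that tree in Apache.
htaccess_disables_indexes() {
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1" 2>/dev/null
}

# Constructed test data (not a real install): a temp tree where wp-includes/css,
# wp-content and wp-content/uploads have no index file; uploads has an .htaccess.
make_sample_tree() {
    t="$(mktemp -d)"
    mkdir -p "$t/wp-includes/css" "$t/wp-includes/js" "$t/wp-content/uploads"
    : > "$t/index.php"
    : > "$t/wp-includes/index.php"
    : > "$t/wp-includes/js/index.php"
    printf 'Options -Indexes\n' > "$t/wp-content/uploads/.htaccess"
    printf '%s\n' "$t"
}

# Usage: sh audit.sh /path/to/wordpress
if [ $# -gt 0 ]; then
    missing_index_dirs "$1"
fi
```

Directories the audit lists are only a problem when the web server serves auto-generated listings for them; the .htaccess check covers the Apache case, and the nginx default already has autoindex off.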
