WordPress is the most popular blog engine. It is very easy to install and requires almost no configuration changes to work on most servers. Shared hosting providers like GoDaddy even offer a one-click install to get it up and running. However, unlike other frameworks, all of WordPress's internal files sit inside the web root. They are .php files, so requesting one by URL makes the server execute it rather than show its source, but there are situations where the file content does get exposed. Moving these files out of the root folder would be a good idea.
Exposing the files
For WordPress to work, you copy the code base to a folder accessible through the web root. It may be the root folder itself, so your blog may be accessible through a URL like this:
This on its own is not a problem. When you access these URLs you are going through the index.php file, which loads the correct modules to display the blog. However, there are other files you don't want users to access. The wp-config.php file holds some very important information, like the database username and password.
With the URL above you can access the file directly. Luckily it is a PHP file, so the server executes it and prints nothing on the page. BUT! In some scenarios the content of the file is made available to the public. Many text editors create backup or temporary copies of a file while it is being edited. For example, I sometimes use gedit. When I edit wp-config.php, a backup file called wp-config.php~ is created. The editor is supposed to clean it up when it closes, but that does not always happen (for instance when the application crashes). When you then copy the folders to your server, you copy these leftover files too.
Such a file is not interpreted as PHP, because the server only hands names ending in .php to the PHP interpreter (the usual "\.php$" handler match); wp-config.php~ ends in a tilde, so it is served as a plain text file and all your credentials are printed on the page. Vim has the same problem: its swap file for wp-config.php is named .wp-config.php.swp, hidden on disk because of the leading dot and therefore easy to miss, and a server whose PHP handler matches only on a trailing .php serves it as a file too. Backups named wp-config.php.bak or wp-config.php.orig behave the same way.
These cases are not as rare as you might think: a request for wp-config.php~ or .wp-config.php.swp costs an attacker nothing and is routinely tried by automated scanners. A vulnerability is a vulnerability, and if it can be avoided then it should be.
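As an added example (this is not code from the original post), here is a small POSIX shell preflight that lists the editor leftovers a web server would hand out as plain files, run over a constructed sample tree. The file-name patterns are the editors' real defaults (gedit/emacs backups end in ~, vim swap files are .name.swp, emacs autosaves are #name#); the sample tree and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: find editor backup/swap files before they are uploaded.
# Patterns covered (real editor defaults):
#   name~            gedit / emacs backup copies
#   .name.swp/.swo   vim swap files (leading dot, so hidden in ls)
#   name.bak/.orig   backups made by hand or by patch(1)
#   #name#           emacs autosave files
find_editor_leftovers() {
    # $1: directory tree you are about to upload
    find "$1" -type f \( -name '*~' -o -name '.*.swp' -o -name '.*.swo' \
        -o -name '*.bak' -o -name '*.orig' -o -name '#*#' \) 2>/dev/null
}

count_editor_leftovers() {
    find_editor_leftovers "$1" | wc -l | tr -d ' '
}

# Preflight for a deploy: return non-zero if anything would leak.
deploy_preflight() {
    n=$(count_editor_leftovers "$1")
    if [ "$n" -ne 0 ]; then
        echo "refusing to deploy: $n editor leftover file(s) in $1" >&2
        find_editor_leftovers "$1" >&2
        return 1
    fi
    return 0
}

# Constructed sample tree that mimics a sloppy upload (assumption, not a
# real WordPress checkout). Prints the directory it created.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/themes/x"
    printf '<?php define("DB_PASSWORD", "s3cret");\n' > "$d/wp-config.php"
    cp "$d/wp-config.php" "$d/wp-config.php~"          # gedit backup
    printf 'b0VIM' > "$d/.wp-config.php.swp"            # vim swap file
    printf '<?php\n' > "$d/wp-includes/functions.php"   # legitimate core file
    printf '<?php\n' > "$d/wp-content/themes/x/functions.php.bak"
    printf '<?php\n' > "$d/#wp-settings.php#"           # emacs autosave
    printf '%s\n' "$d"
}
```

Run deploy_preflight on the local copy before rsync or scp. As a server-side backstop, Apache 2.4 can refuse such names with a FilesMatch block like <FilesMatch "(~|\.swp|\.bak|\.orig)$"> containing Require all denied, and nginx with location ~ (~|\.swp|\.bak|\.orig)$ { deny all; }, but the file still should not be uploaded in the first place.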
Moving WordPress core code to a non-web-accessible folder
WordPress makes everything accessible to facilitate installation. This is a good thing, but it is much more secure to keep the core files out of reach of malicious users. Here is a structure that could be more secure:
With this structure, only the http folder is reachable through a URL. Files that need to be accessed directly by URL can be moved into the http folder, for example wp-trackback.php and xmlrpc.php. The core files, including wp-config.php, are tucked away in a place only you have access to, so a leftover wp-config.php~ in that folder is no longer a problem. Keep in mind that wp-admin and wp-content (themes, plugins, uploads) are fetched by URL as well, so they also need a web-reachable path under http.
This is just one thing that could improve WordPress. From the user's perspective nothing needs to change.
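As an added example (not from the post and not WordPress's own tooling), here is a shell script that builds the split layout described above and audits a document root for core files. The site/http and site/wordpress names are an assumption for the example; the tiny index.php it writes follows the same front-controller pattern WordPress documents for running from a subdirectory, except that here the WordPress directory sits outside the document root.

```shell
#!/bin/sh
# Added example: lay out a site so that only `http` is the web root and the
# WordPress tree lives one level up, where URL requests cannot reach it.
#
#   site/
#     http/          <- DocumentRoot: only a tiny front controller
#       index.php
#     wordpress/     <- full WordPress tree, including wp-config.php

make_split_layout() {
    # $1: site directory to create; $2: path to an existing WordPress tree
    site=$1; core=$2
    mkdir -p "$site/http"
    cp -R "$core" "$site/wordpress"
    cat > "$site/http/index.php" <<'EOF'
<?php
// Front controller: __DIR__ is http/, so ../wordpress is outside the web root.
define('WP_USE_THEMES', true);
require __DIR__ . '/../wordpress/wp-blog-header.php';
EOF
}

# Audit: return 0 when no WordPress core or config file is inside the
# document root, 1 (with a listing on stderr) otherwise.
docroot_is_clean() {
    docroot=$1
    found=$(find "$docroot" -type f \( -name 'wp-config.php' -o -name 'wp-settings.php' \
            -o -name 'wp-load.php' -o -path '*/wp-includes/*' \) 2>/dev/null)
    if [ -n "$found" ]; then
        printf 'core files reachable from the web root:\n%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Constructed stand-in for a WordPress checkout (assumption; a real one has
# far more files). Prints the directory it created.
make_fake_core() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes"
    printf '<?php define("DB_PASSWORD", "s3cret");\n' > "$d/wp-config.php"
    printf '<?php\n' > "$d/wp-settings.php"
    printf '<?php\n' > "$d/wp-load.php"
    printf '<?php\n' > "$d/wp-blog-header.php"
    printf '<?php\n' > "$d/wp-includes/functions.php"
    printf '%s\n' "$d"
}
```

Point the web server's DocumentRoot at site/http and run docroot_is_clean against it after every deploy. wp-content can be moved under http by setting WP_CONTENT_DIR and WP_CONTENT_URL in wp-config.php; wp-admin has no such switch and still needs a web-reachable path of its own, which is the part this layout leaves open.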
Maybe in WordPress 4.0
I hope the WordPress developers consider taking this approach. But then again, it is an open source project; I can simply fork it and start working on it... maybe.