Last week, I wrote about how to keep hackers out of your WordPress website. Out of the box, WordPress provides a secure platform for business websites, but there are some sensitive data exposures you need to be aware of. The issue is not a WordPress problem but a web server issue: a web server configured to allow directory listings will show every file in a folder that has no index file. WordPress protects some of its directories from this by placing an index.php file in them that contains only an opening <?php tag, so the web server serves a blank page instead of a list of the files in the directory. Try these tests to see what data your WordPress website exposes.
Try these tests
Enter the following into the address bar of your web browser (replace domain.com with your own domain name).
You should see a blank page (your web server is hiding the contents of the folder).
See any sensitive data?
You should see a list of the files in the uploads folder. Some WordPress users upload sensitive files (via the WordPress Media control). Check the list of files shown to ensure that you don’t have any files in the uploads directory you don’t want people to see. Also, check any subdirectories.
Some WordPress backup plugins store their backups in the uploads folder. To see if your backup plugin stores a copy of your website backup, use the following:
site: domain.com inurl:"wp-content/uploads/db-backup"
site: domain.com inurl:"wp-content/uploads/backup"
If you use BackUp Buddy for your WordPress website, use the following:
site: domain.com inurl:"wp-content/plugins/backupbuddy"
If you use All In One WP Migration, use the following:
site: domain.com inurl:"wp-content/ai1wm-backups"
Look for any backup files that exist in these directories. Anyone who finds one can download a backup of your website, and with the backup they can potentially gain access to your user accounts.
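The checks above can be scripted so they are easy to repeat. The following is an added example, not code from the original post: it requests the directories the post walks through on your own domain, reports any that return a web-server-generated listing, and lists backup-style archives found in them. It assumes the listing page carries the usual "Index of /" title that Apache and nginx generate; the `http_fetch` helper and the `check_site` function are my own names.

```python
import re
import sys
import urllib.request
from typing import Callable, Dict, List

# Paths from the post (relative to the site root). The last four are
# where the backup plugins mentioned in the post write their archives.
WORDPRESS_CHECK_PATHS = [
    "wp-content/",
    "wp-content/uploads/",
    "wp-content/uploads/db-backup/",
    "wp-content/uploads/backup/",
    "wp-content/plugins/backupbuddy/",
    "wp-content/ai1wm-backups/",
]

# Auto-generated listings from Apache mod_autoindex and nginx autoindex
# both use an "Index of /..." title.
_LISTING_RE = re.compile(r"<title>\s*Index of\s*/", re.IGNORECASE)
# Archive names typically produced by backup/migration plugins.
_ARCHIVE_RE = re.compile(r'href="([^"]+\.(?:zip|sql|gz|tar|wpress))"', re.IGNORECASE)

def is_directory_listing(body: str) -> bool:
    """True if the HTML looks like a web-server-generated file listing."""
    return _LISTING_RE.search(body) is not None

def listed_archives(body: str) -> List[str]:
    """Backup-like file names linked from a listing page."""
    return _ARCHIVE_RE.findall(body)

def check_site(base_url: str, fetch: Callable[[str], str],
               paths=WORDPRESS_CHECK_PATHS) -> Dict[str, List[str]]:
    """Map each path that exposes a listing to the archives it lists.
    `fetch` returns the response body for a URL ("" on any error)."""
    exposed: Dict[str, List[str]] = {}
    for path in paths:
        body = fetch(base_url.rstrip("/") + "/" + path)
        if is_directory_listing(body):
            exposed[path] = listed_archives(body)
    return exposed

def http_fetch(url: str) -> str:
    """Fetch a URL over HTTP(S); a 403/404 or timeout yields ""."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except Exception:
        return ""

if __name__ == "__main__":
    # Usage: python check_listings.py https://domain.com
    for path, files in check_site(sys.argv[1], http_fetch).items():
        print(f"listing exposed: {path} archives: {files}")
```

An empty result means none of these folders returned a listing; a non-empty one is the cue to disable directory listings on the web server (for example with Options -Indexes in .htaccess on Apache) and to move or delete any backup archives found.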
Examples of sensitive data exposures
To see some websites with sensitive data exposures, try the following:
The results may surprise you!
If you find any potentially sensitive data exposures on your website, take steps now to remove access to the sensitive data.
You should run a security check on your website on a regular basis. Don’t help hackers by providing access to sensitive files. Although WordPress is secure out of the box, there are several web server tests that you can run to help identify potential sensitive data exposures.
Need help checking your WordPress website security?