[wp-trac] [WordPress Trac] #50076: /wp-includes/css/ needs an index.php file
WordPress Trac
noreply at wordpress.org
Mon May 4 14:50:59 UTC 2020
#50076: /wp-includes/css/ needs an index.php file
-------------------------+-----------------------------
 Reporter:  AnotherDave  |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  General      |    Version:  5.4
 Severity:  normal       |   Keywords:  needs-patch
  Focuses:  privacy      |
-------------------------+-----------------------------
WordPress does not include an index file in /wp-includes/css/, and that
leaves it open to search engine indexing, makes the content visible to
anyone, can lead to information leakage, and causes the test at
https://sitecheck.sucuri.net to report the site as "Medium Security Risk".
Savvy users can of course add the option in htaccess to not allow access
to folders with no index file, and many users can upload a blank index.php
to the /wp-includes/css/ folder, but that still leaves two issues:
1. Some users / site owners do not know how to edit htaccess or upload a
blank index file.
2. When it comes to the htaccess option (or using a security plugin to
block access to directories missing index files), some site owners have
the need for other folders hidden in their hosting account to be
accessible without an index file in their particular hidden folders.
Would it not be best if WordPress core came with an index.php file already
in /wp-includes/css/ upon installation?
I would have submitted this on the WordPress HackerOne program, but this issue
apparently doesn't meet their criteria.
--
Ticket URL: <https://core.trac.wordpress.org/ticket/50076>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
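
An audit for the condition described in the ticket, added here as an example (not code from the ticket or from WordPress core): it walks a site tree and reports directories that have no index file and no `Options -Indexes` in a `.htaccess` at or above them, while skipping directories the owner deliberately leaves listable. The function names, the index-file list and the sample tree are assumptions; the `.htaccess` check is a heuristic that assumes Apache honors `.htaccess` overrides and that autoindexing is enabled server-wide.

```python
import os
import re
import tempfile

INDEX_NAMES = {"index.php", "index.html", "index.htm"}  # assumed DirectoryIndex names
# Matches an Apache "Options" directive that switches autoindexing off.
NO_INDEXES = re.compile(r"^\s*Options\b.*(?<!\S)-Indexes\b", re.I | re.M)


def htaccess_disables_listing(directory, root):
    """Heuristic: a .htaccess in `directory` or a parent up to `root` has 'Options -Indexes'."""
    current = os.path.abspath(directory)
    root = os.path.abspath(root)
    while True:
        candidate = os.path.join(current, ".htaccess")
        if os.path.isfile(candidate):
            with open(candidate, encoding="utf-8", errors="replace") as fh:
                if NO_INDEXES.search(fh.read()):
                    return True
        if current == root or os.path.dirname(current) == current:
            return False
        current = os.path.dirname(current)


def listable_directories(root, allow=()):
    """Relative paths with no index file and no -Indexes override; `allow` entries are skipped."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if rel in allow:  # intentionally listable (the ticket's second point)
            continue
        if INDEX_NAMES & {name.lower() for name in filenames}:
            continue
        if htaccess_disables_listing(dirpath, root):
            continue
        findings.append(rel)
    return sorted(findings)


def demo(allow=("downloads",)):
    """Run the audit over a constructed sample tree (not a real WordPress install)."""
    with tempfile.TemporaryDirectory() as base:
        for rel in ("wp-includes/css", "wp-content/uploads", "wp-content/private", "downloads"):
            os.makedirs(os.path.join(base, rel))
        for rel in ("index.php", "wp-content/index.php", "wp-content/uploads/index.php"):
            open(os.path.join(base, rel), "w").close()
        with open(os.path.join(base, "wp-content/private/.htaccess"), "w") as fh:
            fh.write("Options -Indexes\n")
        return listable_directories(base, allow)
```

Against a real install, call `listable_directories("/path/to/site", allow={...})` with the directories that are meant to stay browsable.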