[wp-trac] [WordPress Trac] #18546: Add index.php to wp-includes and wp-admin/includes

WordPress Trac noreply at wordpress.org
Mon May 4 17:52:08 UTC 2020


#18546: Add index.php to wp-includes and wp-admin/includes
-------------------------------------------------+-------------------------
 Reporter:  SergeyBiryukov                       |       Owner:  (none)
     Type:  enhancement                          |      Status:  reopened
 Priority:  normal                               |   Milestone:  Awaiting Review
Component:  Bootstrap/Load                       |     Version:  3.2
 Severity:  normal                               |  Resolution:
 Keywords:  dev-feedback has-patch needs-refresh |     Focuses:
-------------------------------------------------+-------------------------

Comment (by AnotherDave):

 @jonoaldersonwp - agreed and I appreciate you posting / supporting the
 need for index files to be present in all the core folders. While I am new
 to WordPress Trac, I'm definitely not new to server & site security. I've
 been running a small hosting service for over two decades and have done
 thousands of WordPress migrations & installs (among other PHP scripts).

 A lot of WordPress installs are on shared hosting and the host cannot be
 expected to implement a global measure - such as setting the servers to
 block access to all folders that do not contain an index file - since that
 would create issues for advanced users who are using their hosting for
 more than just WordPress and have created other important folders in their
 hosting accounts that they keep private and have a need to NOT have an
 index file in them.

 @Otto42 - Please don't take me as being argumentative when I say this is
 not a server configuration error - if a shared host were to globally block
 access to folders that do not contain an index file, not only would it
 break certain needed functionality for some clients, but it would also
 generate a ton of support tickets to the host. Instead, the best solution
 is PHP scripts such as WordPress to already have an index file in all of
 their core folders.

 As far as choosing index.php or index.html or index.htm - it won't make a
 difference which extension you use on a properly configured server, any
 one of them will do the job. The only consideration here really is the
 priority in which the host has their servers set to in regard to which
 extension takes precedence over the other. For example - my servers are
 set up so that the order is like this:
 index.html
 index.htm
 index.php
 Which means if an index.php file exists in the same folder as an
 index.html file, when a bot or browser visits that folder, it will load
 the index.html file instead of the index.php file (unless the index.php
 file is directly called / accessed). The reason I have that "pecking
 order" set on my servers is because some of my users are old-school and
 others just prefer to use a blank index.html in their public_html folder
 while setting up a new WordPress in scenarios when the site is actually
 live and getting traffic, to prevent current visitors from seeing a
 WordPress install page. Another good reason to have index.html set as the
 priority over index.php is when a user has an old HTML website and they're
 making the transition to WordPress - it allows them a seamless transition,
 keeping their HTML site live while their new WordPress site is being
 developed in the background.

 In any case, when it comes to protecting a folder such as
 /wp-includes/css/ (which by default does not have an index file), it doesn't
 matter if your blank index is a .html or .htm or .php (however, I would go
 with .php so that once WordPress does finally address this, their .php
 won't be overridden by .html) - but what matters is that there's a blank
 index there to prevent those contents from being indexed by search bots
 and so easily accessible to anyone. Not having an index file in that
 folder risks information leakage, in some cases hotlinking for malicious
 purposes, and will cause a site to rank lower on security test / check
 sites such as https://sitecheck.sucuri.net , and potential PCI Compliance
 issues if they're an e-commerce site.

 Apologies for the long post, but I hope someone finds the info useful.

 WordPress is an amazing piece of software on many levels and it's a
 fantastic solution for my clients of all types, so I'm not criticizing it.
 I'm asking - how hard would it really be for it to include a blank
 index.php file in each folder upon next version release, as opposed to
 over 8 years of users having to figure out what to do for their own
 protection? ;-)

-- 
Ticket URL: <https://core.trac.wordpress.org/ticket/18546#comment:20>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
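Added example, not part of the ticket or of WordPress itself: a small Python audit that walks an install tree and reports which index file each directory would serve under the precedence order the comment describes (index.html, then index.htm, then index.php), or that none exists and a listing-enabled server would expose the folder. The directory layout it builds is constructed for the demonstration, not copied from a real install.

```python
import os
import tempfile

# Precedence assumed from the comment's own server setup: first name found wins.
INDEX_ORDER = ("index.html", "index.htm", "index.php")


def served_index(directory, order=INDEX_ORDER):
    """Return the index file the server would pick for `directory`, or None."""
    for name in order:
        if os.path.isfile(os.path.join(directory, name)):
            return name
    return None


def audit_tree(root, order=INDEX_ORDER):
    """Map every directory under `root` (relative, '/'-separated) to its served index."""
    report = {}
    for dirpath, dirnames, _files in os.walk(root):
        dirnames.sort()  # deterministic traversal
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        report[rel] = served_index(dirpath, order)
    return report


def unprotected(report):
    """Directories with no index file at all: the ones a listing-enabled server exposes."""
    return sorted(d for d, idx in report.items() if idx is None)


def build_sample_tree():
    """Constructed sample layout mirroring the folders the ticket discusses."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    layout = {
        ".": ["index.php"],
        "wp-admin": ["index.php"],
        "wp-admin/includes": [],                         # no index: would list
        "wp-includes": [],                               # no index: would list
        "wp-includes/css": ["index.html", "index.php"],  # both: precedence decides
    }
    for rel, files in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        for name in files:
            open(os.path.join(path, name), "w").close()  # blank placeholder file
    return root


if __name__ == "__main__":
    result = audit_tree(build_sample_tree())
    for rel in sorted(result):
        print(f"{rel:<22} -> {result[rel] or 'NO INDEX FILE'}")
    print("unprotected:", unprotected(result))
```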

