Forum Topic: Block plugins scanning

Forum: .htaccess Forum : Security • Posted by Jeroen

Hi Jeff,

I would really like to block the scanning for plugins. I get lots of requests like these

GET /wp-content/plugins/wp-property/action_hooks.php HTTP/1.1
GET /wp-content/plugins/custom-content-type-manager/index.html HTTP/1.1
GET /wp-content/plugins/front-end-upload/destination.php HTTP/1.1
GET /wp-content/plugins/wp-e-commerce/license.txt HTTP/1.1
GET /wp-content/plugins/wpstorecart/lgpl.txt HTTP/1.1

They are probably trying to see if I have any plugins with vulnerabilities.

Is there a way to redirect them to my 418 page without affecting the normal plugin usage?

Thanks
Jeroen

4 Replies to “Block plugins scanning”

Posted by Jeff Starr

It can be done, depending on the plugin, but it can be complicated and is not recommended. Just too many pitfalls to blocking an otherwise open directory. One thing that does help, however, is to obscure the location of the WP install, such that everything (including the plugin directories) are not in the usual (or common) location. That tends to thwart a lot of these types of automated scans. Also I would search for any plugins or PHP scripts that are designed to "hide" the plugin (and other) directories.

Posted by Jeroen

Thanks Jeff. You gave me some ideas. I was already busy writing a plugin that makes an inventory of all plugins installed and blocks access to any other non-existing ones in htaccess. But changing the wp-content folder name into something else would already be good enough.

I'll also see what Hide My WP can do.
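One way to build what Jeroen describes above, an inventory of installed plugins turned into an .htaccess allowlist that sends every other request under /wp-content/plugins/ to the 418 page, as an added example that is not code from this thread or from Jeff's site; the plugin slugs, the /418.php path and the two extra request lines beyond those quoted in the question are assumptions:

```python
import re
from pathlib import Path

# Constructed inventory standing in for the output of inventory_plugins()
# on a real install (hypothetical slugs).
INSTALLED = ["akismet", "wordpress-seo", "contact-form-7"]

# Two scan lines quoted in the question, plus a legitimate plugin asset
# request and a non-plugin request (both constructed) to check that
# normal plugin usage is not affected by the rules.
SAMPLE_REQUESTS = [
    "GET /wp-content/plugins/wp-property/action_hooks.php HTTP/1.1",
    "GET /wp-content/plugins/custom-content-type-manager/index.html HTTP/1.1",
    "GET /wp-content/plugins/contact-form-7/includes/css/styles.css HTTP/1.1",
    "GET /wp-content/uploads/2024/photo.jpg HTTP/1.1",
]

def inventory_plugins(plugins_dir):
    """Inventory installed plugin slugs from a real wp-content/plugins directory."""
    return sorted(p.name for p in Path(plugins_dir).iterdir() if p.is_dir())

def htaccess_rules(slugs, teapot_page="/418.php"):
    """Emit root-.htaccess mod_rewrite rules: the first rule passes through
    requests for installed plugin directories untouched, the second sends
    every other /wp-content/plugins/ request to the 418 page."""
    allowed = "|".join(re.escape(s) for s in sorted(slugs))
    return "\n".join([
        "# Generated: allow installed plugins only, send the rest to the 418 page",
        "<IfModule mod_rewrite.c>",
        "RewriteEngine On",
        f"RewriteRule ^wp-content/plugins/({allowed})(/|$) - [L]",
        f"RewriteRule ^wp-content/plugins/ {teapot_page} [L]",
        "</IfModule>",
    ])

def decide(request_line, slugs, teapot_page="/418.php"):
    """Simulate the two rules for one access-log request line and return
    the path Apache would end up serving."""
    path = request_line.split()[1]
    m = re.match(r"^/wp-content/plugins/([^/?]+)", path)
    if m is None:
        return path          # not under the plugins directory: rules do not apply
    if m.group(1) in slugs:
        return path          # installed plugin (code or assets): served normally
    return teapot_page       # unknown plugin slug: the scanner gets the 418 page

if __name__ == "__main__":
    print(htaccess_rules(INSTALLED))
    for line in SAMPLE_REQUESTS:
        print(f"{line!r} -> {decide(line, INSTALLED)}")
```

The generated block has to sit above the `# BEGIN WordPress` rules in the root .htaccess, and it must be regenerated every time a plugin is added, otherwise the new plugin's own files land on the 418 page too, which is the kind of pitfall Jeff warns about.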

Posted by Jeroen

Oh, by the way, I didn't receive an email notification of your reply.

Posted by Jeff Starr

Thanks for letting me know about that. I had email replies enabled at one point, but it looks like one of the bbPress updates (or whatever) changed something along the way. In any case, I have re-enabled and tested email notifications; just click the box before clicking the submit button to be notified of replies. Thanks again for the heads up!