This blog post explains what is WordPress sensitive information leakage, what risks it includes, and how to stop it.
Hackers often use search engines like Google to find WordPress websites with vulnerabilities. Once with a website with a vulnerability is located, they will launch an attack to manipulate the site in some way.
This process is only possible on WordPress sites thanks to information leakage — where sensitive information about the configuration of a website can easily be obtained by a hacker.
This guide will take a closer look at WordPress sensitive information leakage, and the kinds of information hackers find useful when searching for vulnerable websites.
We’ll also explain how to secure your WordPress website and keep it from being detected by hackers.
Information leakage can give hackers access to information including:
Hackers will use this information to launch attacks that target specific vulnerabilities in the software that your website runs on.
Having this kind of information makes SQL injection attacks, malware installations, and brute force attacks easier to orchestrate.
Many hackers use Google Dorking (read more about SEO spam and cloaking here) to locate websites that have software with a specific vulnerability they can use.
Dorking involves using advanced search operators in the Google search engine to find certain strings of text. Dorking can also be performed on other search engines like Bing and Yahoo.
Hackers will perform searches on Google that use the following operators:
This operator will make the search engine only return results from certain websites. For example, you could search for site:youtube.com, and it will only return results from YouTube.
You can also limit your search to a specific filetype. For example, filetype:php site:youtube.com will only return the names of PHP files found on YouTube relating to a specific search.
This operator will return pages that have a specific string in the title of the page.
For example, searching for site:youtube.com intitle:”Index of” will return pages from YouTube with a title containing “Index of”.
The problem here is that “Index of” appears in the title when a website is returning raw directory results that display the names of all files the directory contains — which may expose website vulnerabilities.
You can also look for search engine results that feature a certain word in the URL.
For example, you can search for site:youtube.com inurl:admin and it will return all pages with the word admin in the URL — helping the hacker find the location of your administration section.
This operation will allow someone to search Google’s cache of web pages.
There are no security protocols for returning data when using these operators. Google will return whatever they have found, be it a link to your administration section or a list of private folders that you have on your server.
It is up to you to take steps to ensure search engines don’t find and retrieve this kind of information. These operators can be used by hackers to find:
Performing a search like filetype:php site:yoursite.com may help hackers identify PHP files that are not normally available to website visitors.
Hackers will be able to test these files to determine if they have any vulnerabilities or send the files information they are not prepared to handle.
If you have accidentally stored a website backup in one of your website’s public directories, it may become available via dorking.
Hackers may use a search like filetype:tar.gz site:yoursite.com to find file backups or filetype:sql site:yoursite.com to find database backups.
Dorking can be used to locate files that have programming errors on your website. Depending on the security settings of your site, these pages may return sensitive information like paths to files or database usernames.
To perform this kind of search, the hacker may use site:yoursite.com “warning” “error”.
If your website has not correctly secured its directories, it is possible that directory listings are available, showing links to files that can sometimes be downloaded.
This is a problem if you have accidentally left files with sensitive information on your website. A hacker might use a search like filetype:txt “login” site:yoursite.com to find text files containing the word login.
Many websites keep additional applications and release management systems on subdomains.
These resources may not be as secure as the main website or maybe development platforms not designed for the general public. Hackers can use the query site:.*yoursite.com to find these resources.
Here are just a few of the ways that WordPress dorking can be used to find potential hacking targets or sensitive information about websites.
Hackers can use “index of” inurl:wp-content/ to find WordPress websites with the contents of their wp-content folders displayed online.
This can help the hacker find folders and files with the wrong permissions or examine the types of plugins you are running.
They can also take any sensitive information that you have stored in these folders. Running this search gives us more than 12 million results.
Once a plugin has been found to have a certain vulnerability, hackers will share details of it. They can then use Google dorking to find websites that have the vulnerable plugin installed by using a search like inurl:/wp-content/plugins/plugin-name/
There have been some serious vulnerabilities in the WordPress source code over the years. While these issues get patched fairly quickly, not all website owners update their website when necessary.
Hackers will often find these insecure websites by searching for the ReadMe file included with WordPress then checking the version number it contains.
They will use inurl:”wordpress readme.html” to obtain a website’s WordPress revision number or inurl:”wp readme.html” to find a version of a plugin.
A search like filetype:sql intext:wp_users phpmyadmin will find SQL file dumps that have come from WordPress websites.
Server logs often include information that is useful for hackers, including details of files that have errors, server configuration information, and file paths.
They often use the search inurl:log -intext:log ext:log inurl:wp- to find log files on WordPress sites.
Fortunately, it is relatively simple to protect your website’s sensitive information and to prevent search engines from indexing it.
Sensitive files like security certificates, trade secrets, file backups, and database backups should not be stored in folders that may be accessed by the public.
That means they should never go into a folder which is directly exposed to the Internet.
Directory browsing allows visitors to browse through the directories on your website via their web browser. It also allows search engines to index the content of each folder — which is how hackers find those files via dorking.
WordPress includes an empty index.php file in the uploads, wp-content/themes, and wp-content/uploads directories to stop visitors from being able to browse these directories.
However, the subfolders may remain still browsable. To ensure no directories can be browsed on your website, simply add the following line to the .htaccess file in your WordPress installation folder:
The WordPress uploads folder is targeted for uploading malware to a website because it usually has weaker permissions.
One simple way to prevent people from uploading executable PHP files is to create a .htaccess file in the uploads folder and add:
<Files *.php> deny from all </Files>
You should only allow your web application to provide detailed error reporting or debugging information when it is being tested.
You should always hide this information on production servers as it might be useful to hackers. Open up your wp-config.php fil.
Look for a line that says define(‘WP_DEBUG’, false); or define(‘WP_DEBUG’, true); Replace it with:
ini_set('display_errors','Off'); ini_set('error_reporting', E_ALL ); define('WP_DEBUG', false); define('WP_DEBUG_DISPLAY', false);
A robots.txt file is used to give information to search engine bots that are scanning your website. One of the things it allows you to do is tell search engine bots which page you don’t want them to scan.
At first glance, you might think this is a great way to stop Google from collecting sensitive information about my website to display online!
The only problem is, hackers will also scrape robots.txt files from websites to discover the folders and files that the website owner doesn’t want search engines to know about. Robots.txt files can actually become a source of information leakage.
A better option is placing a meta tag into pages that you don’t want to see indexed. Simply add:
<meta name="robots" content="noindex">
If you really want to secure your WordPress uploads folder, you could consider moving it. This does involve adding some code, but it is a worthwhile step if you are very security conscious. View this tutorial to learn how.
You can also add server-side password protection to sensitive folders like uploads, wp-content/themes, wp-content/plugins, wp-admin, and wp-content/uploads. It is a relatively simple process:
Create a file called 401.html and inside that file add text similar to “Authentication required! You need a username and password to access this area.”
Next, create a .htaccess file, and inside of it, add (you will need to alter the AuthUserFile line to match the location of your .htpasswd file):
ErrorDocument 401 /401.html AuthName "Secure Area" AuthType Basic AuthName "Password Protected Area" AuthUserFile /path/to/directory/.htpasswd Require valid-user
Finally, create a .htpasswd file and upload it to the directory you are protecting. This file will include username and passwords in the following format:
You can read more about this process on the Apache website.
Even the type of server and its version is of interest to hackers. Fortunately, you can remove header information, so your server won’t broadcast what version it is.
You can remove the server signature on Apache by updating the ServerSignature directive in httpd.conf file:
Header unset Server ServerSignature Off ServerTokens Prod
If your website is storing custom cookies on the user’s browsers, use generic names. Always avoid using names that you use for corresponding database fields or tables.
If you pass other types of data to the user’s browser, remove important information like database IDs or database field names. Remember that hackers will also look at the internal data that your webpage uses, like AJAX responses.
The easiest way to deal with this source of information leakage is to simply remove all comments using a minification plugin like Fast Velocity Minify.
Use a third-party tool to determine if there are any vulnerabilities in your WordPress site.
For more security tips, subscribe to the site or follow us on social media.