WordPress Security Tip: Get Rid of Hello.php!
Friday, March 20th, 2009
Today we will cover a quick WordPress security tip. The other day, while I was browsing some WordPress security notes, an article mentioned adding an index.html file to your plugin folder to prevent anyone from snooping around your directory. This is an excellent tip, but not the one we will cover today.
The Problem
The problem I noticed (I am not claiming to be the first to notice it, but I have never read about it anywhere before) is that hello.php is included with every version and download of WordPress. The plugin itself is fine and has no security holes to speak of; the problem is that a lot of people never delete the file, even though they are not using it.
Why is this a problem?
Well, a not-so-ethical user who knows that every copy of WordPress ships with the hello.php plugin file can simply navigate to http://yoursite.com/wp-content/plugins/hello.php. The security issue is what happens when that URL is requested directly: nothing has loaded WordPress first, so the plugin's top-level call to add_action() hits an undefined function and PHP dies with a fatal error. Whenever PHP's display_errors setting is on (which it is by default), that error message is most likely displayed in the browser, and it includes the full filesystem path of the plugin. This is not a good thing. You do not want people knowing your server's full path; it gives them insight into how your server is laid out, along with other information about it, and increases the chance of a hack/crack.
I visited a lot of very popular sites that I know run WordPress and was amazed at how many errors I could produce and how many full server paths I could find. In addition, I was able to browse the parent directories of a lot of blogs simply by going to http://yoursite.com/wp-content/plugins/, because the directory has no index file and the web server lists its contents instead.
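To make the mechanism concrete, here is an added example (not WordPress's own Hello Dolly code, and not from the original article) that puts the unguarded pattern next to the standard fix for plugin authors: refusing to run unless WordPress has already defined ABSPATH. The plugin and function names, the sample path in the comment and the 404 response are this example's own choices.

```php
<?php
/*
 * Added example, not part of the original article: an unguarded plugin file
 * beside a guarded one. Save as wp-content/plugins/guarded-plugin.php and
 * request it directly in a browser to see the difference.
 */

// --- Unsafe pattern (what a plugin file without a guard does) ---
// Requesting /wp-content/plugins/unsafe-plugin.php directly executes this
// line with no WordPress loaded, so PHP dies with (PHP 5 wording; PHP 7+
// reports an uncaught Error with the same file and line):
//   Fatal error: Call to undefined function add_action()
//     in /home/acct/public_html/wp-content/plugins/unsafe-plugin.php on line 12
// and, with display_errors on, the visitor sees that full path.
//
//   add_action('admin_notices', 'unsafe_plugin_notice');

// --- Guarded pattern ---
// wp-load.php / wp-config.php define ABSPATH before any plugin is included,
// so it is missing exactly when the file is requested on its own.
if (!defined('ABSPATH')) {
    // Answer like a missing page, not an error page: nothing about the
    // filesystem, the PHP version or the plugin's internals reaches the visitor.
    // (header() is a no-op on the command line; the exit still applies.)
    header('HTTP/1.1 404 Not Found');
    exit;
}

/** Hypothetical admin notice; only ever reached inside WordPress. */
function guarded_plugin_notice() {
    echo '<p class="notice">guarded-plugin is active</p>';
}
add_action('admin_notices', 'guarded_plugin_notice');
```

The guard only helps for plugin files that carry it; a stock hello.php does not, which is why the site-level measures in the rest of the article still matter.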
What to do?
- Remove hello.php if you are not using it. If you are, rename it to something unique (renaming only hides the file from anyone guessing the default name; it still produces the same error if it is found).
- Add a blank index.html file to your plugins and themes folders (credit to Prelocav for this tip).
I am considering looking into this further and possibly starting a ticket or thread to see whether WordPress will do anything about it; it really is a pretty obvious security issue. I know they will not want to remove hello.php from future versions, but besides telling people to delete or rename it, I don't see many alternatives. What do you think?
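Both steps above are easy to forget on a site you do not visit often, so here is an added example (my own script, not from the article) that audits a WordPress document root for them from the command line: it reports a leftover hello.php and any content directory that a web server with directory indexes enabled would list, and with a --fix flag drops a blank index.html into each such directory. It goes slightly beyond the article by also covering wp-content itself and wp-content/uploads. The script name, the --fix flag and the helper names are this example's own.

```php
<?php
/*
 * Added example, not part of the original article.
 * Usage:  php wp-audit.php /home/acct/public_html          (report only)
 *         php wp-audit.php /home/acct/public_html --fix    (also add index.html)
 */

/** True if $dir already has an index file that stops a directory listing. */
function has_index_file($dir) {
    return file_exists("$dir/index.php") || file_exists("$dir/index.html");
}

/**
 * Audit one WordPress install under $root. Returns findings as arrays of
 * 'issue' and 'path'. With $fix, an empty index.html is created in every
 * listable directory; deleting hello.php is left to the owner on purpose.
 */
function audit_wordpress_root($root, $fix = false) {
    $findings = array();
    $root = rtrim($root, '/');

    $hello = "$root/wp-content/plugins/hello.php";
    if (file_exists($hello)) {
        $findings[] = array(
            'issue' => 'hello.php present; delete or rename it if unused',
            'path'  => $hello,
        );
    }

    // Top-level content directories, then every plugin and theme directory.
    $dirs = array();
    foreach (array('wp-content', 'wp-content/plugins', 'wp-content/themes', 'wp-content/uploads') as $rel) {
        $dirs[] = "$root/$rel";
    }
    foreach (array('plugins', 'themes') as $kind) {
        foreach (glob("$root/wp-content/$kind/*", GLOB_ONLYDIR) ?: array() as $sub) {
            $dirs[] = $sub;
        }
    }

    foreach ($dirs as $dir) {
        if (!is_dir($dir) || has_index_file($dir)) {
            continue;
        }
        if ($fix && @touch("$dir/index.html")) {
            $findings[] = array('issue' => 'index.html added', 'path' => $dir);
        } else {
            $findings[] = array(
                'issue' => 'directory listable (no index.php or index.html)',
                'path'  => $dir,
            );
        }
    }
    return $findings;
}

if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $fix = in_array('--fix', $argv, true);
    foreach (audit_wordpress_root($argv[1], $fix) as $f) {
        printf("%-52s %s\n", $f['issue'], $f['path']);
    }
}
```

An index file stops the listing even on a server that has Options Indexes enabled, which is why the article recommends it; if you control the Apache configuration, turning indexes off (Options -Indexes) fixes every directory at once and the index files become a belt-and-braces measure.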
If you enjoyed this article, you might consider subscribing to our RSS feed to stay updated with all the latest tips and articles!
Article Sponsored by:
The Ultimate Image Gallery Manager was created by Drew Douglass, the site editor here at Dev-Tips. The Ultimate Gallery is installed directly on your server, just like WordPress or a CMS. It quickly and easily allows you to manage thousands of image galleries and images from its easy-to-use backend admin panel. It's also packed full of photo editing features. Available exclusively on ThemeForest.
Well pointed out! I think an alternative for WP to removing hello.php would be to mute the error. Either that, or provide some sort of error handling that didn’t expose the server path.
I’ve updated a number of my WP sites already. So thanks!
Glad to hear you found it helpful. You could provide some sort of error handling, but I worry that the average user will have no idea what this even means, which is why I suggested it be removed.
Great tip!
Another tip is to change the default ‘admin’ user to a random character string and keep it in a safe place, then create a new account for day-to-day use; if your account is ever compromised you can get in!
Hey Meshach,
Thanks for the tip and your comment.
No problemo!
Some really nice tips here!! Thanks for sharing
No problem, glad you enjoyed!
Thanks for pointing out this issue, I was not aware of it before actually.
If your sites are located on a cPanel box and you have root (shell) access, one quick way of removing all copies across multiple WordPress installations (installed in each account's root directory) is to use the following commands.
cd /home
rm -Rf */public_html/wp-content/plugins/hello.php
Sure beats having to manually FTP to each installation to remove one file.
Great tip; that would certainly be easy for people who have access and aren't afraid to enter a few simple commands.
Thanks a lot for this, I noticed this on Twitter and had to see what was going on. I never noticed the missing index.html in the directory either. Updating some websites now.
Thanks for your comment, I’m glad you enjoyed the tip.
Thanks for sharing. We’ll be implementing this tip in all our on-going and forthcoming WordPress projects.
Another good thing to do, similar to adding a blank index.html, is to create an index.php file which redirects back to the website/blog URL.
What do you think?
I like the idea.
Or, redirect to a “404 page” telling them how naughty they’re trying to be.
The far better solution here, rather than deleting plugins (hackers will just look for another, more critical one you can’t get rid of), is to set PHP not to report the errors to the browser. To do this, create a file named .htaccess with the following text in it:
# PHP 4, Apache 1.
php_value display_errors 0
# PHP 4, Apache 2.
php_value display_errors 0
# PHP 5, Apache 1 and 2.
php_value display_errors 0
That’ll tell PHP (in each of the most likely version combinations) not to send errors to the browser. It should already be logging them so you don’t need to see them in your browser window.
Argh, that stripped all the tags out. Here it is again:
# PHP 4, Apache 1.
<IfModule mod_php4.c>
php_value display_errors 0
</IfModule>
# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
php_value display_errors 0
</IfModule>
# PHP 5, Apache 1 and 2.
<IfModule mod_php5.c>
php_value display_errors 0
</IfModule>
I like that idea too.
Why not just turn off display errors in your php.ini?
That's a wonderful tip and will surely do the trick for any developers who know what they are doing. I worry, though, that the basic user who does not know much about code will have no idea how to implement any error-control techniques, which is why I suggested they delete it and add an index.html file, to make it easy for basic users.
Thanks for the great tip and your comment.
Hi Drew,
Many thanks for this tip. Have done the changes on my site too.
Good tip, but who in their right mind would allow any error message to ever be shown to an end user on a production machine?
It's very easy to create a custom error handler in PHP that will send the admin an email/SMS when there is an error and show a nice error page to the user.
Easy for whom? You and I and other developers? Sure. As I have said in the comments, I worry about *normal and non-tech-savvy* users (many of whom use WordPress) who would have no idea where to start when it comes to setting up a custom error handler script. Again, I agree that it is the best idea, but it is not practical for everyone.
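For readers who do want the error-handling route from the comments above, here is an added example (my own code, not from the article or any commenter) of what a production setup looks like: errors are logged in full, path included, the visitor only ever sees a generic page, and fatal errors trigger an alert. The log path and alert address are placeholders. One caveat matters for this article's problem in particular: set_error_handler() never sees a fatal error such as "Call to undefined function add_action()", and a handler loaded from wp-config.php never runs at all when hello.php is requested directly, because that request never passes through wp-config.php. The example therefore uses a shutdown function for fatals, and it has to be prepended to every request (php.ini or .htaccess auto_prepend_file) to cover direct plugin requests.

```php
<?php
/*
 * Added example, not part of the original article or its comments.
 * Load before any other code, e.g. with
 *   php_value auto_prepend_file /home/acct/php/prod-errors.php   (in .htaccess)
 * so that it also runs for a direct request to wp-content/plugins/hello.php.
 */

// Keep messages (and the paths in them) out of the browser; keep them in the log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/home/acct/logs/php-error.log');   // placeholder path

/** Generic page: never echoes the message, file or line. */
function generic_error_page() {
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error');
    }
    echo '<h1>Something went wrong</h1><p>The problem has been logged.</p>';
}

/** Warnings and notices reach this handler; fatal errors do not. */
function log_and_hide_error($errno, $errstr, $errfile, $errline) {
    error_log(sprintf('PHP error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;   // handled: PHP's own output for this error is suppressed
}
set_error_handler('log_and_hide_error');

/**
 * A fatal error ends the script without calling the error handler, but
 * registered shutdown functions still run, and error_get_last() reports
 * whether the script died on one.
 */
function alert_on_fatal_error() {
    $e = error_get_last();
    $fatal = array(E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR, E_USER_ERROR);
    if ($e === null || !in_array($e['type'], $fatal, true)) {
        return;
    }
    $detail = sprintf('%s in %s:%d', $e['message'], $e['file'], $e['line']);
    error_log('PHP fatal: ' . $detail);
    // Placeholder recipient; mail() needs a working mail transport on the host.
    @mail('admin@example.com', 'Fatal PHP error on ' . php_uname('n'), $detail);
    generic_error_page();
}
register_shutdown_function('alert_on_fatal_error');
```

With this in place a direct request for hello.php still dies, but the visitor gets the generic 500 page while the full path goes to the log and the alert mail, which is the behaviour the commenters above are asking for.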
Thanks for the article. I’ve always used an empty index.php or index.html (sometimes I’ll place a message, “Aha, gotcha!”) on directories that I don’t want people to have access to. You’ve pointed out a very true issue with hello.php: it comes with every single WP installation and most people will most probably leave it there instead of removing it. Anyway, it is highly recommended that one removes the files of plugins that aren’t activated, to reduce server load too.
Back to the topic, I’m wondering if there are any hackers or people alike who would actually compile all the names of popular WP plugins and then do a brute-force attack on a server. Sounds pretty pointless, but it’s just a personal observation. I guess the .htaccess lines provided by Sean will be very useful.
Thanks for the article! I just deleted hello.php from my server too.
Hello,
Now, in WordPress 3.0.1, this file has been removed.
But anyway, thanks dude.
Just wondering if you can help me.
Trying to log in to my admin, I get this:
Fatal error: Call to undefined function is_rtl() in /home/alisatil/public_html/blog/wp-content/plugins/hello.php on line 64
so I can’t get into my dashboard at all. I came across your site and wondered, if I deleted hello.php, would it fix my problem?