Direct File Access Call Prevention for Directory Starter and its child themes.
This topic contains 18 replies, has 4 voices, and was last updated by Stiofan O’Connor 7 years, 3 months ago.
We have moved to a support ticketing system and our forums are now closed.
Open Support TicketTagged: Code Errors, php, theme, Vulnerability
-
AuthorPosts
-
August 20, 2017 at 5:36 am #392036
I would like to know if it’s NOT good, if I modify the index.php file to prevent direct file access call on browsers using the default known wordpress directory.
This is one of the Error, Just add this to your site:-
https://www.YourWebsiteName.com/wp-content/themes/directory-starter/Fatal error undefined function get_header() in index.php on line 1
I tested the fix code:
<?php if (function_exists('get_header')) { get_header(); } else { $url = "/"; header("Location: " . $url); exit(); get_header();
OR THIS CODE
<?php if ( ! defined( 'ABSPATH' ) ) { exit; } get_header();
IT WORKS But Another Error comes at another line.
So Is that ok to continue with these errors?
August 20, 2017 at 6:35 am #392037Can you not just turn off directory browsing at the server level?
Or install WP admin in another folder: https://codex.wordpress.org/Giving_WordPress_Its_Own_Directory ?Thanks
August 20, 2017 at 6:59 am #392038Guust
Changing the directory of the WordPress doesn’t help to hide the site structure from scanning. In fact the server level site structure prevention might a help a lot, and I even tried to do so using .htaccess override. But I think overriding is disabled for security reasons on shared hosting, and that is the bad side of shared hosting, but I am thinking to tell the hosting provider for help. And I am hoping this is the only solution.
And I was also expecting another solution, if you guys have a solution regarding coding. So I will try the server side modification.
Thank you.
EphremAugust 21, 2017 at 10:22 am #392119Hi Ephrem,
I would not worry about it, almost every WP site is like this and has no problems.
Stiofan
August 21, 2017 at 12:09 pm #392132Stiofan
Yes most of WP sites are like this including the showcase sites in GeoDirectory websites. I scanned mine and their website too. But That means the theme or plugin is outdated even it’s working and profitable, it needs to be updated. I still like your Core Plugin from the beginning of the time I read the blog recommendation post about directory themes and plugins.
But If I care about clean coding, you have to clean for the satisfaction of your new and old customers.
So far So good! I hope I will be your real partner in the future from my country.
Thank you 🙂
Ephrem F. AsratAugust 21, 2017 at 2:15 pm #392173I am not sure what you are asking?
I think you are asking to add a check to the theme index.php for some reason?Non of the WordPress default themes do this, and i think they know what they are doing…
https://github.com/WordPress/WordPress/blob/master/wp-content/themes/twentyseventeen/index.php
https://github.com/WordPress/WordPress/blob/master/wp-content/themes/twentysixteen/index.php
etc..Thanks,
Stiofan
August 21, 2017 at 4:15 pm #392188Stiofan
I am not confused. I am just asking to have a clean code if it is possible. But if that is just fine fine and free from vulnerability, I am cool.
Thank you
Ephrem F. AsratAugust 21, 2017 at 4:47 pm #392197There are no problems.
Stiofan
August 22, 2017 at 4:53 am #392253Yes there is. Trust me. If you allow me, Let me use all add-ons without paying any penny.
August 22, 2017 at 10:12 am #392277At this point i really have no idea what you mean or are on about, sorry…
Stiofan
August 22, 2017 at 4:12 pm #392330One can see site structure using different methods, but errors like I mentioned above is one of the way that reveals the site structure. So one can get a hint to scan the whole site with best scanning software and steal sensetive data.
August 22, 2017 at 4:17 pm #392334The error output is dependent on the server, no errors should be shown on a production server, this has nothing to do with GeoDirectory!!
August 22, 2017 at 5:38 pm #392360So you are saying, they (The Hosting Company) can make the error not to be revealed from the server side only?
August 22, 2017 at 5:44 pm #392362That’s correct, please try to get any sensible info from any of the sites of our demo:
If you are able to do so and outline how you did it, we’ll provide a lifetime license for all of our products.
If you are not, please stop posting on this forum for similar things.
Thanks
August 22, 2017 at 5:46 pm #392364Oh Paolo That’s great and wait for me…
Do you consider the plugins and theme file sensable?
-
AuthorPosts
We have moved to a support ticketing system and our forums are now closed.
Open Support Ticket