Direct File Access Call Prevention for Directory Starter and its child themes.

We have moved to a support ticketing system and our forums are now closed.

Open Support Ticket

Tagged: Code Errors, php, theme, Vulnerability

Author

Posts
August 20, 2017 at 5:36 am #392036
Ephrem Asrat
Free User

Post count: 21
I would like to know if it’s NOT good, if I modify the index.php file to prevent direct file access call on browsers using the default known wordpress directory.
This is one of the Error, Just add this to your site:-
https://www.YourWebsiteName.com/wp-content/themes/directory-starter/
```
Fatal error undefined function get_header() in index.php on line 1
```
I tested the fix code:
```
<?php

   if (function_exists('get_header')) {
    get_header();
  } else {
    $url = "/";
    header("Location: " . $url);
    exit();

get_header();
```
OR THIS CODE
```
<?php

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

get_header();
```
IT WORKS But Another Error comes at another line.

So Is that ok to continue with these errors?
August 20, 2017 at 6:35 am #392037

Guust
Moderator

Post count: 29970

Can you not just turn off directory browsing at the server level?
Or install WP admin in another folder: https://codex.wordpress.org/Giving_WordPress_Its_Own_Directory ?

Thanks

August 20, 2017 at 6:59 am #392038

Ephrem Asrat
Free User

Post count: 21

Guust

Changing the directory of the WordPress doesn’t help to hide the site structure from scanning. In fact the server level site structure prevention might a help a lot, and I even tried to do so using .htaccess override. But I think overriding is disabled for security reasons on shared hosting, and that is the bad side of shared hosting, but I am thinking to tell the hosting provider for help. And I am hoping this is the only solution.

And I was also expecting another solution, if you guys have a solution regarding coding. So I will try the server side modification.

Thank you.
Ephrem

August 21, 2017 at 10:22 am #392119

Stiofan O’Connor
Site Admin

Post count: 22956

Hi Ephrem,

I would not worry about it, almost every WP site is like this and has no problems.

Stiofan

August 21, 2017 at 12:09 pm #392132

Ephrem Asrat
Free User

Post count: 21

Stiofan

Yes most of WP sites are like this including the showcase sites in GeoDirectory websites. I scanned mine and their website too. But That means the theme or plugin is outdated even it’s working and profitable, it needs to be updated. I still like your Core Plugin from the beginning of the time I read the blog recommendation post about directory themes and plugins.

But If I care about clean coding, you have to clean for the satisfaction of your new and old customers.

So far So good! I hope I will be your real partner in the future from my country.

Thank you 🙂
Ephrem F. Asrat

August 21, 2017 at 2:15 pm #392173

Stiofan O’Connor
Site Admin

Post count: 22956

I am not sure what you are asking?
I think you are asking to add a check to the theme index.php for some reason?

Non of the WordPress default themes do this, and i think they know what they are doing…
https://github.com/WordPress/WordPress/blob/master/wp-content/themes/twentyseventeen/index.php
https://github.com/WordPress/WordPress/blob/master/wp-content/themes/twentysixteen/index.php
etc..

Thanks,

Stiofan

August 21, 2017 at 4:15 pm #392188

Ephrem Asrat
Free User

Post count: 21

Stiofan

I am not confused. I am just asking to have a clean code if it is possible. But if that is just fine fine and free from vulnerability, I am cool.

Thank you
Ephrem F. Asrat

August 21, 2017 at 4:47 pm #392197

Stiofan O’Connor
Site Admin

Post count: 22956

There are no problems.

Stiofan

August 22, 2017 at 4:53 am #392253

Ephrem Asrat
Free User

Post count: 21

Yes there is. Trust me. If you allow me, Let me use all add-ons without paying any penny.

August 22, 2017 at 10:12 am #392277

Stiofan O’Connor
Site Admin

Post count: 22956

At this point i really have no idea what you mean or are on about, sorry…

Stiofan

August 22, 2017 at 4:12 pm #392330

Ephrem Asrat
Free User

Post count: 21

One can see site structure using different methods, but errors like I mentioned above is one of the way that reveals the site structure. So one can get a hint to scan the whole site with best scanning software and steal sensetive data.

August 22, 2017 at 4:17 pm #392334

Stiofan O’Connor
Site Admin

Post count: 22956

The error output is dependent on the server, no errors should be shown on a production server, this has nothing to do with GeoDirectory!!

August 22, 2017 at 5:38 pm #392360

Ephrem Asrat
Free User

Post count: 21

So you are saying, they (The Hosting Company) can make the error not to be revealed from the server side only?

August 22, 2017 at 5:44 pm #392362

Paolo
Site Admin

Post count: 31206

That’s correct, please try to get any sensible info from any of the sites of our demo:

http://wpgeo.directory

If you are able to do so and outline how you did it, we’ll provide a lifetime license for all of our products.

If you are not, please stop posting on this forum for similar things.

Thanks

August 22, 2017 at 5:46 pm #392364

Ephrem Asrat
Free User

Post count: 21

Oh Paolo That’s great and wait for me…

Do you consider the plugins and theme file sensable?
Author

Posts