Fixing “full path disclosure” issues

Whether you’re running a web service or a blog, you should always keep your software fully patched to prevent attacks and minimize your attack surface. Another smart step is to prevent full path disclosures. For example, if your blog or service throws an error like

“Warning: require(ABSPATHwp-includes/load.php) [function.require]: failed to open stream: No such file or directory in /home/horace/public_html/wp-settings.php on line 21”

then by noting the full pathname in that error, an attacker can reasonably infer that your system username is “horace” and use that to try to guess your password. It’s not the end of the world if an attacker has that information, but why not make an attack as hard as possible?

For WordPress, here are a couple of ways to prevent full path disclosure vulnerabilities:
– In a php.ini file, you can add a line like “display_errors = off” (without the quotes).
– In an .htaccess file, you can add a line that says “php_flag display_errors off” (without the quotes).

The php.ini approach is probably slightly better, because some web hosts run PHP in CGI mode, which may not honor php_flag or php_value directives in .htaccess files.

After you’ve made this change, PHP errors shouldn’t be shown to web clients. If you’re developing live code on a PHP installation, that makes debugging slightly harder. But if you’re running (say) a blog, it’s probably better to turn off display_errors for a little extra protection against attackers.
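The same fix can also be applied from inside PHP. The excerpt below is an added example, not code from the post or from WordPress: it goes near the top of wp-config.php, which runs before wp-settings.php (where the warning quoted above was raised), so it takes effect even on CGI hosts that ignore php_flag in .htaccess. The log path is an assumed placeholder.

```php
<?php
// wp-config.php excerpt (added example, not from the original post).
// Settings made here already apply when wp-settings.php is loaded and
// do not depend on .htaccess being honored by the PHP SAPI in use.

// 1. Never render PHP warnings (with their full paths) into the HTTP response.
@ini_set( 'display_errors', '0' );
@ini_set( 'html_errors', '0' );

// 2. Keep the detail for the site owner: log it to a file the web server
//    cannot serve. Assumed placeholder path: pick one outside the document
//    root that is writable by the user PHP runs as.
@ini_set( 'log_errors', '1' );
@ini_set( 'error_log', '/path/outside/docroot/php-error.log' );

// 3. Standard WordPress debug constants. With WP_DEBUG off, WordPress leaves
//    display_errors alone, so step 1 stays in force; if WP_DEBUG is ever
//    turned on for troubleshooting, WP_DEBUG_DISPLAY false keeps output in
//    the log rather than on the page.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );

// ... database settings, salts, $table_prefix and ABSPATH follow, ending with
// the usual require_once ABSPATH . 'wp-settings.php';
```

To confirm the change from the web server’s point of view, load a temporary page on your own site that calls trigger_error() and check that the warning appears in the log file and not in the response. The php -i output on the command line can come from a different php.ini than the web SAPI uses, so it is not a reliable check on its own.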

47 Responses to Fixing “full path disclosure” issues

  1. sachin pratap

    This information is very useful because hacker groups are hacking websites. For example, the Facebook website has been hacked, according to a news report. So please secure your website from hackers.

    Dear Matt, can I use any antivirus to secure my website?

  2. Cool Matt 🙂 To be totally honest, I had never really considered this. Do you have any further information about website security that I can look into? I ask because I’m starting an ecommerce site and I really want to make sure it doesn’t end up screwed :-/

    • Erick, one of the best things you can do for a WordPress installation is to log in to phpMyAdmin and edit the user_nicename.

      By default, this user_nicename is an exact copy of your WordPress login username. This means anyone who looks at your WP author archive URL will see something like:

      http://www.yourwordpresswebsite.com/author/yourusername/

      If a human hacker or any brute-force subroutine software obtains this information, they are in possession of 50% of what they need to hack your blog.

      Change the user_nicename to something different like “john-doe” and your author archive URL will look like this:

      http://www.yourwordpresswebsite.com/author/john-doe/

      Your real username is now hidden.

      I use InstantWP (an Apache simulator) to do all my development offline, and this is one of the first things I do when I create new user profiles in the WP dashboard. It’s especially important to remember to do this for multi-author blogs.

      • The best thing to do with phpMyAdmin is delete it, or better still do NOT install it at all; learn to use the command line and an SSL connection secured by certificates.

  3. Thanks Matt Cutts for these tips. I am using WordPress for most of my websites. Is this necessary to apply, or is there any other way? I am facing defacement problems many times.

    Thanks

  4. Thanks Matt for this quick help. I watched a video a few days back, “Hack WP in less than 2 Min”, and he hacked a site with SQL injection. It’s a big problem for WP users. I’ll surely add these two lines to my php.ini and .htaccess file.

    Thanks,
    Irfan

  5. Thanks a lot. Your information is always very useful and full of new good things. Now my question is: have WordPress.com’s programmers used this approach to prevent hackers’ attacks (on the original website)?

  6. Great information, did not know about that. Thank you!

    @sachinpratap you can use plugins like Sucuri or Wordfence.

  7. Thanks Matt. It sounds great. I will have to figure out if my blog is having such errors.

  8. Hello,

    Great information Matt, thank you.

    Best regards
    Jimmy

  9. The info is nice. But without an internal crack in the code, such an error can’t come up.
    Or can it be done by external injection?

  10. Good tip Matt, thanks. Some hosts do not use php.ini – instead you’d edit a file called phprc. I know DreamHost uses the latter and their support would be able to help with this.

  11. [ Smiles ] I blog on the Blogger platform and I do not think that people who blog on that platform are plagued with those sorts of things (Even though there is a slight chance that I could be very wrong about that).

    Great post, Matt!

  12. Hello,

    Could we have a new warning phrase in Google searches once a site is identified as a possible hack, if pages in the search results, once clicked, instantly redirect to an alien landing page? This would really help to improve the overall user experience.

    Best Regards
    Jim.

  13. Agreed: while having the hosting account username displayed in the “full path” means the password still has to be cracked, displaying these errors, not just with WP but on any site, could be detrimental.

    A couple of posters above mentioned the WP hackings, which is more the reason why I’ve added a comment. Hope you don’t mind. I’m in the online gaming industry, and while there are people who have no scruples in this business, there are many others, like myself, who are hard-working webmasters with solid ethics. These WP hackings, which number in the hundreds of thousands and are now attacking mainstream and government sites, are literally overrunning Google SERPs with their blackhat gaming of the Google algorithm.

    I’m a sole trader so too are most of my affiliate peers. Reiterating we conduct ethical business and are not in the least bit dodgy. It’s a small number of rogue affiliates who are exploiting and hacking the WordPress sites. However and as always it’s the legit webmasters and mainstream sites who get hammered by the unethical actions of a few.

    Is Google aware of these mass hackings and are they working on trying to kick these hackers from the Index?

  14. You are right, I think it is always better to display the error through programming and not these system-level arrays which may expose us to potential hackers.

  15. I was waiting until you make a post about this Matt! ha! Thanks (:

  16. Thanks for sharing this valuable information. I am sure it will be an eye-opener for other developers as well as our customers. I have seen a surge in recent times, especially on WP blogs: people leave their sites unattended and not updated for years and turn up only when the damage is done. Always be updated!

  17. If possible, as in this case, never give the hackers even a tiny thread that you know what they are up to, or something that they can grab onto. If they know, they can potentially bypass.

  18. Hi, I work for a web design outsourcing company. WordPress has always been tricky when it comes to security. Usually people are conservative when it comes to updates because sometimes the update messes up their theme, so most wait it out until the WP theme developer comes up with an update.

    We usually close out most services that are likely to return a value that might aid an attacker.

  19. Dan

    For better security at my WordPress sites I renamed directories and log-in files, and I also use another prefix for the database instead of the one known by _wp. I will also consider your solution, thank you!

  20. Matt, my website was hacked 3 months ago. After some weeks my website keywords started losing their top positions. I have fixed that hack problem. So will the keywords rank again, or have they lost their real worth and do I have to start again from zero?

  21. Hey Matt, thanks for the heads-up. Some of our blogs have been dealing with related problems in the last few months, and we’ve dealt with them in various ways. We’ve yet to try the above mentioned method, and we’re pretty excited to try it out.

  22. Well, that is probably why I use Blogger. No worries about paths and stuff.

    • True, the Blogger platform is good; however, the last time I used it, before going to WP, was in 2009. And I changed to WP because I couldn’t retrieve my data from my Blogger DB. I was running it on my own domain. If I could have backed up my own data, then I’d probably have stayed.

  23. I’d be curious to know what your thoughts are on building goals for a new blog. Mine is about 6 months old, so it is constantly evolving.

  24. Hello Matt, That’s wonderful.

  25. That is a great idea because hacking or attempts at hacking into websites is really common. It is also good to change the default login user and make it something hard to guess. I had to use a firewall for one of my sites because of the hacking.

  26. Tom

    Thanks for sharing this wonderful information with us Matt. We were not aware of this type of issue before. By reading this we are able to protect our blog from this type of error.

  27. Very good advice. Preventing an attack on WordPress is the best remedy before we have a major problem.

  28. Thanks Matt, this will surely help many of us.

  29. TOR

    As we are talking about security, TOR is a network where you can stay safe online and not get tracked. Download the browser:

    https://www.torproject.org/download/download

  30. Thanks so much, I am waiting from you. My website is good.

  31. Very useful post in a time of increased security issues. The WordPress tips are very useful. If possible I would love to see tips for Joomla as well.

  32. How upfront is WordPress in helping its millions of users identify and fix the error? Or, is it a scenario whereby calling overt attention to the error actually makes it more prominent on a hacker’s radar?

    Not to put WordPress on the spot, but are there any stats available to find out how many people may have been hacked as a result of this error? Thanks for providing a possible solution to make a hacker’s job that much more difficult.

  33. I often wonder how hackers figure out vulnerabilities in websites. The open path is something I’ve seen but never realized how it allows hackers to get in.

  34. What about those using Windows hosting? There is no .htaccess.

  35. Really good tips. I think I have a similar situation, thanks.

  36. This is only too true; it was a little too late for us, but we’re all up and running. We had an attack on our Drupal site; we were a little behind on the security updates, and what we didn’t know was that this was major. What caused the hack was a very well known exploit, but we didn’t know about it. Since then, anyway, we always update as soon as the updates are available.

    Prevention is definitely better than cure. The Google videos help loads; building a support team was the best advice for us:

    http://www.google.com/webmasters/hacked/

  37. Matt, thanks for the very informative advice for WordPress users on configuring php.ini and .htaccess; will implement this on all my blogs now 🙂

  38. Thanks Matt, this will surely help many of us.

  39. Hi Matt,
    Could you please consider adding categories for websites in Google Webmaster Tools, just like DMOZ?
    This way Google is better informed about which type of content a site should rank for, and a site that is exploited with hacks to rank for gambling terms will not rank higher than sites with genuine content.
    E.g.: my site is gambling related, so I add this category in GWMT. The schools and education websites that have been hacked lately will not opt for this category, and therefore Google can easily see the mismatch for those created doorway pages. If sites have not opted in and rank for “exotic” phrases, these should have a warning for “suspicious content found”.

    I am reporting hundreds of these spam sites, but I can’t spend all day monitoring the internet.
    My aim is to get most of the spam out of the index.

    Just my 2 cents.

    Best Regards,
    Peter.
