
How to protect your WP blog and profit from snoops at the same time!

Discussion in 'Blogging' started by bl4ck1ce, Apr 3, 2009.

  1. bl4ck1ce

    bl4ck1ce Regular Member

    Joined:
    Oct 28, 2008
    Messages:
    234
    Likes Received:
    77
    Occupation:
    Web Design & Marketing
    Location:
    British Columbia, Canada
    There have been quite a few people on BHW lately asking about how to hide your WP plugins directory. Why would you want to do this? There's a couple of reasons, one being the desire to protect your 'trade secrets', but the other one is security. Chances are if a cracker is determined enough they will probably find some way to harm your blog if they want to. However, you don't need to make it easy. I'll walk you through the setup of a little trick that I use to not only secure my blogs by hiding the plugins I use, but also make a bit of extra cash from the people who are snooping!

    If you go to /wp-content/plugins on your WP blog, chances are you'll see something that looks like this:


    That looks pretty innocent, but it also shows exactly what plugins I'm using on that particular blog. What if there happened to be an exploit for one of the plugins, such as the cache plugin, or db-backup? Not good.. I've actually had one of my blogs hacked because of a bad plugin before, which is when I started hiding my plugin directories.

    What we're going to do, instead of making a blank or 'Access Denied' page, is create a FAKE plugins page. Here's how we do it. Go to ClickBank, E-Junkie, etc. and find a few WP plugins that have affiliate programs. Note this isn't WP plugins for affiliate programs; you're looking for commercial plugins that cost money and have an affiliate program you can sign up for. Pick a handful, and get the affiliate links for them. On ClickBank you'll create hoplinks; on other sites you'll be provided with a direct link.


    Create folders and rename them to the plugins that you've created the affiliate links for. It doesn't matter if you don't know what the actual plugin folder's name is on the real deal, you just need to make it look convincing. Look at the plugins directory on your blog to get an idea of what the folders look like.



    Create an index.php file in the folder, and do a php refresh to the affiliate link that corresponds to that folder. Repeat this for each of the affiliate links you've collected.


    Once that's done, upload these folders to your /wp-content/plugins folder. These new folders will now look the same as your actual plugins, but the problem still remains that people can see which plugins you're using. Go to File > Save Page As (in Firefox; I forget what it is in IE..) and save the file as index.php.


    Open this file in your favorite text editor (I use TextPad, it's nice for code.. but any text editor should work) and you'll see this:


    You'll see a listing of both your actual plugins, as well as the fake ones you've just created. There's a problem with the fake ones, however: they all have exactly the same date/time of creation, and that looks a little fishy. In the example I'm doing right now, the fake plugins all say April 2, 2009 at 9:02pm..


    I fixed this by copying the date/time info from my actual plugins to replace the April 2, 2009 timestamp on the fake ones, and then deleted the lines for the real plugins. I left Akismet because that one is well known, and if it's seen there then a snooper might not catch on right away that the plugin list looks suspicious.


    This is the finished file. I saved the file, and then uploaded it to my wp-content/plugins folder... now when you try to view the plugins in use on that blog, you see what appears to be an innocent directory listing, but every link (aside from Akismet) is an affiliate link. You may decide not to include a live plugin in your spoof list; that's up to you.


    Hope you found this tutorial helpful!

    Thanks for reading!
     
  2. JonesersRX7

    JonesersRX7 Regular Member

    Joined:
    Mar 24, 2009
    Messages:
    201
    Likes Received:
    154
    Wow - while I won't be taking the time to do this, the walkthrough with the screenshots was top notch.

    Awesome man.

    Would be curious to know if there was a specific way to tell when someone views the page tho. Hmm...

    - J
     
  3. bl4ck1ce

    bl4ck1ce Regular Member

    Joined:
    Oct 28, 2008
    Messages:
    234
    Likes Received:
    77
    Occupation:
    Web Design & Marketing
    Location:
    British Columbia, Canada
    Yes, you can use Google Analytics or another stat tracker to monitor views of the spoof plugins listing.

    As for the time required, the blog I set this up on for the example took about 25 minutes, would have been less but I was taking screenshots and writing text while I was doing it. Also, it's a one-shot deal... after you have it done once you can re-use the same code on other blogs.
     
  4. contentRus

    contentRus BANNED

    Joined:
    Mar 19, 2009
    Messages:
    64
    Likes Received:
    13
    hehe... awesome method! I have to admit, though, many people knew how to do this, but the commission plugins idea is a good one. What honestly are the odds that people buy them, lol! Those autobloggers would probably go around searching on warez sites and stuff to get it free!
     
  5. bl4ck1ce

    bl4ck1ce Regular Member

    Joined:
    Oct 28, 2008
    Messages:
    234
    Likes Received:
    77
    Occupation:
    Web Design & Marketing
    Location:
    British Columbia, Canada
    This and another small monetization trick I did have made $61.50 since Dec, I think it's worth the 20 minutes it took to set up.. not a lot, but basically free money. Your call though. :)

    p.s. I really can't fault people for searching warez sites for commercial plugins, that's where I get them. lol
     
  6. Malthooslie

    Malthooslie Newbie

    Joined:
    Mar 7, 2009
    Messages:
    11
    Likes Received:
    2
    As far as using analytics goes, if you use regular Google Analytics, it will show up in the "page source" view of the spoofed plugins page.

    If a cracker thinks something is up, they will likely view source and see the JavaScript.
    A way you could avoid this is to use PHP (since it's an index.php file), and just use PHP to grab their IP and append it into a text file with time/date, or you could actually access a simple table in MySQL to track the same stuff. If they forgot to use proxies, then you could figure out their ISP and stuff, and even track back who they are, if you feel devious.
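The decoy listing from the first post, combined with the server-side request logging suggested in the post above, as an added example that is not any poster's code. The folder names other than akismet and the log path are assumptions; the affiliate link targets live in each fake folder's own index.php and are not shown here.

```php
<?php
// Added example (not any poster's code): a decoy index.php for /wp-content/plugins/
// that renders an Apache-style listing of fake plugin folders and logs each request.
// The non-akismet folder names are constructed; the log path is an assumption and
// must sit outside the web root and be writable by the PHP user. Each fake folder
// still needs its own index.php that redirects (header('Location: ...')) to its link.
declare(strict_types=1);

// Constructed decoy entries: folder name => "last modified" shown in the listing.
// Vary the timestamps so the fakes do not all share one creation time.
$decoys = [
    'akismet'                => '2009-02-14 18:40', // real, well-known plugin kept as cover
    'example-cache-pro'      => '2009-01-09 11:23',
    'example-seo-booster'    => '2008-12-21 07:58',
    'example-backup-manager' => '2009-03-05 22:17',
];
$logFile = '/var/log/wp-decoy/plugins-listing.log'; // assumed path

function logVisit(string $logFile): void {
    // Record who viewed the decoy: UTC time, client IP, method + URI, User-Agent.
    // REMOTE_ADDR is the direct peer; behind a reverse proxy it is the proxy's address.
    $ua   = $_SERVER['HTTP_USER_AGENT'] ?? '-';
    $line = sprintf("%s\t%s\t%s %s\t%s\n",
        gmdate('Y-m-d\TH:i:s\Z'),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['REQUEST_METHOD'] ?? '-',
        $_SERVER['REQUEST_URI'] ?? '-',
        str_replace(["\r", "\n", "\t"], ' ', $ua)); // keep one record per line
    // LOCK_EX stops concurrent hits interleaving; @ keeps a log failure from
    // throwing an error onto the page and giving the decoy away.
    @file_put_contents($logFile, $line, FILE_APPEND | LOCK_EX);
}

function renderListing(array $entries): string {
    $h   = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $out = "<html><head><title>Index of /wp-content/plugins</title></head><body>\n"
         . "<h1>Index of /wp-content/plugins</h1>\n<pre><a href=\"../\">Parent Directory</a>\n";
    foreach ($entries as $name => $mtime) {
        $pad  = str_repeat(' ', max(1, 40 - strlen($name)));
        $out .= sprintf("<a href=\"%s/\">%s/</a>%s%s  -\n", $h($name), $h($name), $pad, $h($mtime));
    }
    return $out . "</pre>\n</body></html>\n";
}

logVisit($logFile);
header('Content-Type: text/html; charset=UTF-8');
echo renderListing($decoys);
```

The simpler mitigation from later in the thread (an empty index.html, or disabling directory indexes in the web server) hides the real plugin list just as well; this version only adds the decoy entries and a record of who looked.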
     
  7. Warbucks

    Warbucks Junior Member

    Joined:
    Apr 6, 2009
    Messages:
    171
    Likes Received:
    209
    Occupation:
    Mogul.
    Location:
    Stately Warbucks Manor
    This never occurred to me, I have directory listings turned off globally in lighttpd and nginx. I like this a lot better :)

    Looks like I've got some work to do.
     
  8. Sylvester

    Sylvester Newbie

    Joined:
    Feb 22, 2009
    Messages:
    35
    Likes Received:
    1
    Dude, all you need to do is create an empty text file named index.txt then rename it index.html and upload it to the plugin directory. That's it.

    No one will see your plugins.

    You can do this for any directory you want to hide.

    I suppose you can even make it a "working" HTML file with links so it looks like a directory, but meh.
     
    Last edited: Apr 7, 2009
  9. crashed

    crashed Senior Member

    Joined:
    Aug 13, 2008
    Messages:
    958
    Likes Received:
    1,201
    Occupation:
    Guru-slayer
    Location:
    Behind the VPN...
    How about giving an upload-and-go file set where we just need to change our affiliate links? :p