Hello,
I scanned my WordPress website with https://wpsec.com/ and the scanner found the security vulnerabilities below:
When I click on the links, it shows me web directories like below:
Are they vulnerabilities, and must I change the Apache settings?
Thank you.
Are these considered Vulnerabilities?
Re: Are these considered Vulnerabilities?
WordPress is probably one of the most scanned web applications for vulnerabilities;
you MUST keep it updated, and its plugins as well.
Re: Are these considered Vulnerabilities?
No expert on this, but I think it's default to
list files when there's no index.html file in
a directory. You could try to remove "Indexes"
from the Options line in httpd.conf.
Re: Are these considered Vulnerabilities?
Which part of the file?
And my Virtual Host is:
Code:
ServerRoot "/etc/httpd"
ServerName www.example.net
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin root@localhost
<Directory />
    AllowOverride none
    Require all denied
</Directory>
DocumentRoot "/var/www/html"
<Directory "/var/www">
    AllowOverride None
    # Allow open access:
    Require all granted
</Directory>
# Further relax access to the default document root:
<Directory "/var/www/html">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>
<Files ".ht*">
    Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
        # You need to enable mod_logio.c to use %I and %O
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
</IfModule>
#
# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<IfModule mime_module>
    TypesConfig /etc/mime.types
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
    MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf
<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
</IfModule>
Code:
<VirtualHost *:80>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
    ServerAdmin root@localhost
    ServerName www.example.net
    ServerAlias www.example.net
    DocumentRoot /var/www/WP
    <Directory "/var/www/WP">
        Options Indexes FollowSymLinks
        AllowOverride all
        Require all granted
    </Directory>
    ErrorLog /var/log/httpd/WP_error.log
    CustomLog /var/log/httpd/WP_access.log common
    RewriteEngine on
    # The last RewriteCond in an [OR] chain carries no [OR] flag;
    # with a trailing [OR] the rule fires even when no condition matches.
    RewriteCond %{SERVER_NAME} =example.net [OR]
    RewriteCond %{SERVER_NAME} =www.example.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    Redirect permanent / https://www.example.net
    TraceEnable off
    ServerSignature Off
    RequestReadTimeout header=20-600,MinRate=500 body=20,MinRate=500
</VirtualHost>
Re: Are these considered Vulnerabilities?
Code:
<Directory "/var/www/WP">
    Options Indexes FollowSymLinks
    AllowOverride all
    Require all granted
</Directory>
Re: Are these considered Vulnerabilities?
Thank you.
tunk wrote: ↑2020/11/16 11:09:30
Code:
<Directory "/var/www/WP">
    Options Indexes FollowSymLinks
    AllowOverride all
    Require all granted
</Directory>
I used "Options -Indexes +FollowSymLinks" and I have a question. Will it apply to all subdirectories too?
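
Whether "Options -Indexes +FollowSymLinks" on a directory also covers its subdirectories follows from Apache's merge rules: sections apply from the shortest path to the longest, a +/- form merges with the inherited set, and a bare form replaces it. The following is an added example, not code from any poster in this thread: a Python sketch that computes the effective Options for a path from <Directory> blocks only. It assumes Apache 2.4 defaults and ignores .htaccess, <DirectoryMatch> and wildcards; the sample configs and the wp-content/uploads override block are constructed.

```python
import re
from pathlib import PurePosixPath

ALL = {"indexes", "includes", "followsymlinks", "symlinksifownermatch", "execcgi"}
DEFAULT = {"followsymlinks"}  # Apache 2.4 default when no Options line applies

def directory_options(conf):
    """Map each <Directory> path to the tokens of its Options line (lowercased)."""
    found, current = {}, None
    for line in map(str.strip, conf.splitlines()):
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            current = m.group(1).rstrip("/") or "/"
        elif line.lower().startswith("</directory"):
            current = None
        elif current and re.match(r"Options\s", line, re.I):
            found[current] = line.lower().split()[1:]
    return found

def effective_options(path, sections):
    """Apply matching sections from shortest to longest path, as Apache merges them."""
    target, opts = PurePosixPath(path), set(DEFAULT)
    matching = [d for d in sections
                if PurePosixPath(d) == target or PurePosixPath(d) in target.parents]
    for d in sorted(matching, key=len):
        tokens = sections[d]
        if all(t[0] in "+-" for t in tokens):   # relative form: merge with inherited set
            for t in tokens:
                names = ALL if t[1:] == "all" else {t[1:]}
                opts = opts | names if t[0] == "+" else opts - names
        else:                                    # absolute form: replaces inherited set
            opts = set()
            for t in tokens:
                opts |= ALL if t == "all" else set() if t == "none" else {t}
    return opts

def listing_enabled(path, sections):
    return "indexes" in effective_options(path, sections)

# Constructed sample configs; only the /var/www/WP block comes from the thread.
BEFORE = '<Directory "/var/www/WP">\nOptions Indexes FollowSymLinks\n</Directory>\n'
AFTER = '<Directory "/var/www/WP">\nOptions -Indexes +FollowSymLinks\n</Directory>\n'
# Hypothetical subdirectory block that turns listings back on below the fixed parent.
OVERRIDE = AFTER + '<Directory "/var/www/WP/wp-content/uploads">\nOptions +Indexes\n</Directory>\n'

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER), ("override", OVERRIDE)):
        for p in ("/var/www/WP/wp-includes", "/var/www/WP/wp-content/uploads"):
            print(name, p, "listing:", listing_enabled(p, directory_options(conf)))
```

With "AllowOverride all", as in the virtual host above, a .htaccess file in a subdirectory may also carry an Options line that re-enables listings, which this sketch does not read.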