A lot has been said about how the “out of the box” WordPress search functionality is… well, not the best.
Most WordPress developers know it, and that's why we tend to avoid it by installing alternative search plugins. Other developers, as they do not need search functionality, simply do not put a search box or icon anywhere, but…
Is that enough to cover a potentially hidden security (or at least privacy) flaw?
I will tell you my story, so you can draw your own conclusions.
Some months ago, while checking the Analytics data in one of my staging websites, I saw a strange (and undesired) behavior. One user was browsing pages of the website which were not supposed to be available to the public.
Admittedly, it was not an important website: a simple test blog without any special security measures in place, no membership plugins, etc. The only thing I had done to avoid such accesses was not to link those pages internally, or anywhere for that matter.
Those pages were not indexed by search engines, and there was no search bar in the website.
Then, why was the user there? How had he found that page?
Digging in a bit, I saw that what the user was doing was very simple:
- First of all, although there was no search bar on the website, he took advantage of the search capabilities included in WordPress by default. In particular, he just typed the following in the browser's address bar:
http://www.mydomain.com/?s=download
This address would have shown all the pages and posts in the domain with “download” in the content… As it was a simple blog, with no downloads, there were no results (but it showed what the user was looking for).
- Then, as the user was not satisfied with the results, he tried something simpler:
http://www.mydomain.com/?s=p
This search shows all the pages and posts in the domain with a “p” in the content… almost everything, even if they are not linked from anywhere.
- Finally he read what he wanted and left the domain without doing any harm.
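The behaviour described above leaves a clear trace in the web server's access log: a client issuing `?s=` requests, ending with one-character terms that match almost every post. The following PHP script is an added example (not code from the original post) that scans access-log lines for WordPress search requests and flags clients that issued very short search terms. The log lines, IP addresses and timestamps are constructed for this example; the threshold of two characters is an assumption.

```php
<?php
// Added example: detect search-based content enumeration in access logs.
// The log lines below are constructed (Apache/Nginx "combined" format);
// the IPs, paths and timestamps are placeholders, not real data.
$logLines = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?s=download HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:49 +0000] "GET /?s=p HTTP/1.1" 200 48210 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0000] "GET /?s=e HTTP/1.1" 200 47990 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:14:01:10 +0000] "GET /about/ HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:14:02:15 +0000] "GET /?s=contact+form HTTP/1.1" 200 4100 "-" "Mozilla/5.0"',
];

/**
 * Return ['ip' => ..., 'term' => ...] when the log line is a WordPress search
 * request (the "s" query parameter the post describes), or null otherwise.
 */
function extractSearchTerm(string $logLine): ?array
{
    // Combined log format: client IP first, then the quoted request line.
    if (!preg_match('/^(\S+) .*?"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m)) {
        return null;
    }
    [, $ip, $target] = $m;
    $query = parse_url($target, PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return null;
    }
    // parse_str URL-decodes the value, so "contact+form" becomes "contact form".
    parse_str($query, $params);
    if (!isset($params['s'])) {
        return null;
    }
    return ['ip' => $ip, 'term' => (string) $params['s']];
}

/**
 * Group search terms by client and flag clients that issued searches of
 * $maxLength characters or fewer: such terms match nearly every post, so
 * they are the signature of enumeration rather than of a real search.
 */
function findSearchProbes(array $lines, int $maxLength = 2): array
{
    $byClient = [];
    foreach ($lines as $line) {
        $hit = extractSearchTerm($line);
        if ($hit === null) {
            continue;
        }
        $byClient[$hit['ip']][] = $hit['term'];
    }

    $flagged = [];
    foreach ($byClient as $ip => $terms) {
        $short = array_values(array_filter(
            $terms,
            fn(string $t): bool => strlen(trim($t)) <= $maxLength
        ));
        if ($short !== []) {
            $flagged[$ip] = ['searches' => $terms, 'short_terms' => $short];
        }
    }
    return $flagged;
}

// With the constructed lines, only 203.0.113.7 is flagged ("p" and "e").
foreach (findSearchProbes($logLines) as $ip => $info) {
    printf(
        "%s: %d searches, short terms: %s\n",
        $ip,
        count($info['searches']),
        implode(', ', $info['short_terms'])
    );
}
```

On a real server you would feed the access log through `extractSearchTerm()` line by line instead of the embedded array; the grouping by client IP is what separates a visitor who searched once for “contact form” from one walking the whole site with single letters.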
In our real production sites he wouldn't have been able to access anything we didn't want him to anyway, as we protect all our contents with Digital Access Pass, but we understand that is not the case for everyone, and we still see some webmasters relying solely on weird URLs like www.mysite.com/15gd45we and so on to try and “hide” their downloads.
I investigated the (simple) solutions that could have been applied to avoid such undesired actions.
- First of all, if we do not need search capabilities, the best option is to eliminate them. This can be done via some free WordPress plugins or by some simple code changes. It is easy to find by just googling “Disable search in wordpress”.
- Sometimes, when search functionality is needed, we have to install another search plugin (and check that the same problem is not there!!)
In our case, although we did not need search functionality, we followed the second option.
- We installed the Relevanssi plugin. This plugin has the option to exclude a category from search results, so…
- Secondly, we created a new category (named “Not in search Results”) in which we could place all the articles and pages we did not want to be displayed in our site's search results.
- Finally, we categorized all those articles and checked it. Done!!
If you have arrived here, you will see we are only offering a simple solution for a hidden problem, but do not forget that, usually, simple security issues are the hardest to detect and identify!
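Both options above (removing search entirely, or keeping it while hiding one category) can also be done with core WordPress hooks and no plugin. The following must-use plugin is an added example, not code from the original post nor from the Relevanssi plugin: it hooks `pre_get_posts`, which runs before the main query, so a `?s=` request either becomes a 404 or silently excludes the hidden category. The category slug `not-in-search-results` and the `DISABLE_FRONTEND_SEARCH` constant are assumptions made for this example.

```php
<?php
/**
 * Plugin Name: Search hardening (added example, not the original post's code)
 * Description: Stop "?s=" queries from listing unlinked content.
 *
 * Drop this file into wp-content/mu-plugins/ so it loads without activation.
 */

// Assumption for this example: true refuses front-end searches entirely
// (the post's first option); false keeps search working but hides one
// category (the post's second option).
if (!defined('DISABLE_FRONTEND_SEARCH')) {
    define('DISABLE_FRONTEND_SEARCH', false);
}

/**
 * Runs before every main query. Only front-end, main-query searches are
 * touched, so admin screens and secondary loops keep their behaviour.
 */
function example_harden_search(WP_Query $query): void
{
    if (is_admin() || !$query->is_main_query() || !$query->is_search()) {
        return;
    }

    if (DISABLE_FRONTEND_SEARCH) {
        // Option 1: turn the search into a 404 before any result is queried.
        $query->set_404();
        status_header(404);
        nocache_headers();
        return;
    }

    // Option 2: exclude everything filed under the hidden category
    // (slug assumed for this example; create the category in wp-admin).
    $hidden = get_category_by_slug('not-in-search-results');
    if ($hidden instanceof WP_Term) {
        $excluded   = (array) $query->get('category__not_in', []);
        $excluded[] = (int) $hidden->term_id;
        $query->set('category__not_in', array_values(array_unique($excluded)));
    }

    // Pages carry no categories, so a category exclusion cannot hide them.
    // Restricting search to posts keeps unlinked pages out of "?s=" results;
    // remove this line if your pages are meant to be searchable.
    $query->set('post_type', ['post']);
}
add_action('pre_get_posts', 'example_harden_search');

/**
 * When search is disabled, also blank the theme's search form so nothing on
 * the site advertises a search box. The hook above is what actually blocks
 * the URL; this only removes the visible form.
 */
function example_remove_search_form(string $form): string
{
    return DISABLE_FRONTEND_SEARCH ? '' : $form;
}
add_filter('get_search_form', 'example_remove_search_form');
```

After installing, check the fix the same way the visitor found the problem: request `/?s=p` while logged out and confirm that it either returns a 404 or lists only public, categorized posts. Note the caveat in the code: WordPress pages are not categorized by default, so hiding a category alone does not cover unlinked pages.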
1 Comment
[…] The WP built-in search could compromise our private content, as we see in this case study. What can you do if you simply do not need to use it? […]