: Are indexed Wordpress admin pages a security threat? Because it was blocking Googlebot from accessing important files, I recently updated our /robots.txt file and removed most of it, including
Because it was blocking Googlebot from accessing important files, I recently updated our /robots.txt file and removed most of it, including wp-admin.
Now, the people on charge of hosting and SEO stuff sent me an email warning that some of the admin pages are indexed by Google and that I must disallow the wp-admin. For security reasons.
But I don't get it, why is this a security issue? Isn't a potential attacker already aware of such files since Wordpress is pretty common and standard?
More posts by @Si4351233
5 Comments
Sorted by latest first Latest Oldest Best
If I was running wordpress, then I will not block anything with robots.txt, because it prevents Google for crawling, not for indexing. Just search on Google "Google analytics Web", and you will see link which is blocked in robots.txt, but still it is exist in search result.
And by default, Assets files like css, js and images are stored in wp-admin directory, so it will cause error to render correctly for Google spider.
And, there are so many Google dork to find out bulk wp-admin pages in Google search result, and your site will be visible if you just using robots.txt for prevent.
I suggest use only noindex meta tags in wp-admin.
And here many of people talk about security, but Google can't crawl password protected directory.
Extra note: Don't use both. I mean if you block wp-admin directory in robots.txt, then Google will never know, you have placed noindex meta tags in wp-admin, because they follow robots.txt first then meta tags on webpages.
Security issue? Doubt it. It just makes your site more visible to people who likes to attack wordpress sites. Other than the visibility everything is the same, security through obscurity is not something you should rely on anyway.
Useless? Definitely. There is no reason to allow indexing of your admin login in your site. You don't want your users finding a link to your admin when they are actually searching for your content. The only person who should care about that is the site admin.
When a new bug is found, in this case in wordpress, the first thing hackers will do is try to find vulnerable sites that use wordpress. A good way of doing it is trying to find wp-admin pages on google. Maybe will even use automated tools to find-and-exploit sites based on that.
Avoiding that would be the main security reason for doing it. If you have no public sign that you are using Wordpress (or at least not the most common ones like this), you are less likely to be a randomly chosen as target for an attack.
Google doesn't want to index non-content pages including admin pages and pages that ask you to login. Putting wp-admin in robots.txt is better for SEO because it will usually prevent the page from being indexed.
It is possible that an attacker will do a Google for all sites that have wp-admin in the URL. Keeping that page on your site out of the Google search results will make it less likely for an attacker to find your site.
wp-admin on wordpress is direct entry to your admin panel. That's why google wants you to disallow it. And... in this case, listen to google and srsly, disallow it. It's good practice :)
Terms of Use Create Support ticket Your support tickets Stock Market News! © vmapp.org2024 All Rights reserved.