What is information disclosure?
Information disclosure, also known as information leakage, is the unintentional exposure of sensitive information. Sensitive information can be anything from technical details about your setup to business data and users' personal information, in short anything that should not be publicly available.
Information disclosure is not an attack in itself, but it often paves the way for one. More often than not it results from a misconfiguration, or from a bug in the software through which the information leaks.
How does information disclosure happen?
Information disclosure can happen in a number of ways. Understanding how it happens is important as it enables you to understand what you need to look out for and how you can protect yourself.
Backup, unreferenced, and leftover files
Whether you are having custom development done or took a backup while troubleshooting an issue, files often get left behind in places where they should not be, typically inside the web root. These files can end up in the hands of malicious users, for example through forced browsing, where an attacker guesses or fuzzes likely file names, and can be used to learn more about your setup and to work out where your website might be weak.
Backup files can also contain sensitive information, such as users' data or database connection details, which compounds the problem.
Bad configurations
Bad configuration can happen for many reasons, including a poor understanding of the system being configured or taking shortcuts when fixing a problem (chmod 777, anyone? Refer to our WordPress file permissions guide for more information on which permissions to assign). Such shortcuts may fix the immediate problem quickly, but they can easily create an even bigger one.
Leaving default configurations in place and leaving debugging switched on also fall into this category. Both carry a considerable risk of information disclosure; debug output, for example, prints error messages containing file paths and code details to every visitor of the site.
Application bugs
Bugs in the code can also open the door to information disclosure, for instance in poorly written software that did not undergo proper testing. Fixing such bugs is usually beyond the remit of website owners and the developers they work with, since the code belongs to the plugin, theme or core developer, but choosing reputable developers significantly lowers the risk.
Why is information disclosure dangerous?
Information disclosure can be dangerous for different reasons, depending on the type of data leaked.
Leaked information can pose a direct threat, such as exposed passwords or database connection details, or an indirect one, such as details that let unauthorized users map your infrastructure and pick its weakest point. You might also find yourself in breach of laws and industry regulations should user information be leaked.
The business might also suffer from loss of reputation, which can have long-lasting effects that are often difficult to recover from.
How to protect your WordPress website from information disclosure
There are several things you can do to protect your WordPress website from information leakage. The more of them you cover, the lower your overall risk of information disclosure, and of other security problems, will be.
Find and remove leftover files
Finding and removing leftover files on WordPress is not as daunting as you might think. A number of available tools make the job easy and help you ensure that these files do not end up publicly accessible.
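As an added example, not from the article and not one of the tools it refers to, here is a small POSIX shell script that does the first pass of that job. It lists files under a WordPress document root whose names mark them as backups, editor leftovers, database dumps or stray copies of wp-config.php (the "Backup, unreferenced, and leftover files" problem above), and it also lists anything left world-writable by a chmod 777 shortcut (the "Bad configurations" problem). The name patterns, the function names and the constructed sample site are assumptions for illustration; the script only needs find, grep, sort and mktemp, and it produces a review list, it deletes nothing.

```shell
#!/bin/sh
# Added example (not from the article): scan a WordPress document root for
# leftover files and for world-writable paths. POSIX sh; needs only find,
# grep, sort and mktemp.

# Print, one per line, every file under $1 whose name looks like a backup,
# editor leftover, database dump or archive, or a stray copy of
# wp-config.php. The list is for review; nothing is deleted here.
find_leftover_files() {
  find "$1" -type f | grep -E \
    '(\.(bak|old|orig|swp|sql|sql\.gz|tar\.gz|zip)|~)$|/(wp-config\.php\.[^/]+|\.env|error_log|debug\.log)$' \
    | sort
}

# Print every file or directory under $1 that is writable by everyone,
# i.e. what "chmod 777" leaves behind. On shared hosting such paths can be
# modified by other tenants, not just by your own site.
find_world_writable() {
  find "$1" -perm -002 | sort
}

# Run both checks and return 1 if either finds something, so the function
# can gate a deployment or run from cron and only alert on findings.
scan_site() {
  leftovers=$(find_leftover_files "$1")
  writable=$(find_world_writable "$1")
  status=0
  if [ -n "$leftovers" ]; then
    printf 'Leftover files:\n%s\n' "$leftovers"
    status=1
  fi
  if [ -n "$writable" ]; then
    printf 'World-writable paths:\n%s\n' "$writable"
    status=1
  fi
  return "$status"
}

# Build a small constructed sample site in a temporary directory so the
# checks can be tried offline. Prints the directory path.
make_sample_site() {
  site=$(mktemp -d)
  mkdir -p "$site/wp-content/uploads" "$site/wp-content/themes/custom"
  for f in index.php wp-config.php wp-config.php.bak \
           wp-content/themes/custom/functions.php~ \
           wp-content/uploads/site-backup.sql.gz \
           wp-content/uploads/photo.jpg; do
    : > "$site/$f"
  done
  find "$site" -type d -exec chmod 755 {} +   # sane defaults first
  find "$site" -type f -exec chmod 644 {} +
  chmod 777 "$site/wp-content/uploads"        # the shortcut we want to catch
  printf '%s\n' "$site"
}

# Demonstration against the constructed site; run scan_site /var/www/html
# (or wherever WordPress lives) for a real check.
site=$(make_sample_site)
scan_site "$site" || echo "findings present, review before deleting"
rm -rf "$site"
```

On the sample site the scan reports wp-config.php.bak, functions.php~ and site-backup.sql.gz, plus the world-writable uploads directory, and leaves index.php, wp-config.php and photo.jpg alone. Treat every hit as something to inspect and then remove or move outside the web root, and extend the pattern list with whatever naming habits your own team has.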
Harden WordPress
Hardening WordPress, including changing default configurations, can protect you from information leakage and other types of security risks. To effectively harden WordPress websites, you need to look at the various components that make up WordPress and reduce the risks in each one.
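One default worth changing is the debugging setting mentioned under "Bad configurations": with WP_DEBUG on and WP_DEBUG_DISPLAY not explicitly false, WordPress prints PHP warnings, including file paths and code fragments, into the page every visitor sees. As an added example, not from the article and not part of WordPress, here is a POSIX shell audit that reads those constants out of wp-config.php and fails when they leak information, run against two constructed fragments: a development configuration left on a live site and the hardened form of the same settings. The function names, the sample files and the FAIL/OK wording are assumptions for illustration; the script needs only grep, sed and mktemp.

```shell
#!/bin/sh
# Added example (not from the article): audit the debug settings in
# wp-config.php. POSIX sh; needs grep, sed and mktemp.

# Print the literal value of constant $2 from the first active define() in
# wp-config.php $1, or "unset" when it is not defined. Commented-out lines
# (// or #) are skipped because PHP ignores them too.
config_value() {
  v=$(grep -E "^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*," "$1" \
      | head -n 1 \
      | sed -E "s/.*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*([^)[:space:]]+)[[:space:]]*\).*/\1/")
  if [ -n "$v" ]; then printf '%s\n' "$v"; else printf 'unset\n'; fi
}

# Report debug settings that leak information and return 1 if any is found.
# WP_DEBUG_DISPLAY defaults to true when WP_DEBUG is on, so "unset" counts
# as displayed.
check_debug_config() {
  debug=$(config_value "$1" WP_DEBUG)
  display=$(config_value "$1" WP_DEBUG_DISPLAY)
  log=$(config_value "$1" WP_DEBUG_LOG)
  status=0
  if [ "$debug" = "true" ] && [ "$display" != "false" ]; then
    echo "FAIL: WP_DEBUG=true with WP_DEBUG_DISPLAY=$display shows PHP errors to visitors"
    status=1
  fi
  if [ "$debug" = "true" ] && [ "$log" = "true" ]; then
    echo "FAIL: WP_DEBUG_LOG=true writes wp-content/debug.log, fetchable over HTTP unless blocked"
    status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: debug output is off ($1)"
  return "$status"
}

# Two constructed wp-config.php fragments: a development configuration
# left on a live site, and the hardened form of the same settings. Prints
# the directory that holds weak.php and hardened.php.
write_sample_configs() {
  dir=$(mktemp -d)
  cat > "$dir/weak.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
// WP_DEBUG_DISPLAY is not set, so WordPress defaults it to true.
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
require_once ABSPATH . 'wp-settings.php';
EOF
  cat > "$dir/hardened.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', false );
// define( 'WP_DEBUG', true );   // commented out: the audit must ignore it
@ini_set( 'display_errors', 0 );
require_once ABSPATH . 'wp-settings.php';
EOF
  printf '%s\n' "$dir"
}

# Demonstration; run check_debug_config /var/www/html/wp-config.php for a
# real site.
dir=$(write_sample_configs)
check_debug_config "$dir/weak.php" || true
check_debug_config "$dir/hardened.php" || true
rm -rf "$dir"
```

The weak fragment fails twice (errors displayed, debug.log written under the web root); the hardened one passes. When you do need debugging on a live site for a short time, set WP_DEBUG_DISPLAY to false and keep WP_DEBUG_LOG pointing at a file your web server will not serve, then switch both off again.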
Choose reputable plugins and themes
Choosing reputable WordPress plugins and themes helps ensure that thorough testing was done before the plugin or theme was released. While no system is perfect and some bugs may still be present, it considerably lowers the associated risk.