[Defender] Defender added a blank index.php file

I got an alert that a new file was added. "wp-content/uploads/sites/2/wp-defender/index.php". It's blank. Is this a normal thing or should I delete it?

  • Adam Czajczyk

    Hello Gregory

    I hope you're well today and thank you for your question!

    Yes, that's perfectly fine. The /uploads/..../wp-defender folder is where our Defender plugins is storing some logs. An empty "index.php" file typical to WordPress and is a common "security" practice.

    The point is that it's PHP "executable" index file so it's a first file that gets automatically executed by the server whenever a given folder is accessed directly. In other words, if somebody types in something like:

    yourdomain.com/wp-content/uploads/site/2/

    directly in the browser address bar such an access attempt should automatically be rejected by the server. However, some servers do not do this and instead just list all the files in the folder - which is a security breach of course.

    Such behavior can also often be prevented - if server allows it - via a .htaccess file but an empty "index.php" is a "last line of defence" here, in case nothing protects directory listing, that file will be executed instead and just serve a blank page.

    Best regards,
    Adam

Thank NAME, for their help.

Let NAME know exactly why they deserved these points.

Gift a custom amount of points.