
Spy on Your Competitor - Find Out What WordPress Plugins They’re Using


Most WordPress installations come with a small security flaw that could potentially be exploited, though in most cases it’s harmless. This is not a new trick and there’s nothing illegal about it, but you can usually find out exactly which plugins other WordPress blogs are using. This simple way of sniffing out a site’s plugins is done by browsing directly to its plugin folder.

Here’s how you’d do it.

  1. Find a site that runs WordPress (it’s usually easy to spot them) and figure out where their WordPress installation is located. If you view the source, just look for /style.css and you’ll find their /wp-content/themes/ directory.
  2. Copy that path and, instead of /themes, put in /plugins. The final URL that you’ll construct will be something like http://www.competitor.com/wp-content/plugins
  3. Paste that URL in your browser and you’ll quickly find out if they’ve taken any steps to hide their plugins. If not, you’ll see something that looks like this:

[Image: wordpress-plugin-security-flaw.jpg]

Now you can see exactly what plugins they’re using. There’s really no harm in knowing this, but there’s a chance someone could exploit their blog. Say, for example, that one of the plugins, like “wp-grins”, has a security hole. Now you know this site runs it and you can launch an attack. There have never been any cases that I’m aware of, and that’s probably why the WordPress developers haven’t done anything about it.

It’s also a good way to figure out which plugin a site is using so you can get it for your own site. I’ve done this a few times in the past when I stumbled upon a site with some cool features. I’ve usually done this by just viewing the source, looking for their .js or .css files and then searching Google for that name.

Is Your WordPress Blog Secure?

Now that you’ve had fun browsing someone else’s plugins folder, it’s time to try your own. If you’re able to see your plugins via a browser, then I’d recommend tightening up your security. The easiest way is to create a blank index.html or index.php file and put it directly in your plugins directory. This will make a blank page load instead of the directory listing.

Another way to block people is by turning off directory browsing, which is a web server configuration setting. It’s more involved and technical than the quick and easy blank index.html file.
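To apply the blank index file fix described above on your own server, here is an added example (not code from the original post) that lists plugin directories with no index file and can create an empty index.php in each. It goes a step further than the post by also checking each plugin’s own subfolder; the function names and the PLUGINS_DIR variable are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit a WordPress plugins folder for directories that would
# show a listing when directory browsing is on, and optionally add a blank
# index.php. Function names and PLUGINS_DIR are hypothetical.

# Succeeds if DIR already holds a file the web server would serve as its index.
has_index() {
    [ -e "$1/index.php" ] || [ -e "$1/index.html" ] || [ -e "$1/index.htm" ]
}

# Print ROOT and each directory below it (DEPTH levels, default 1) that has
# no index file. Symlinked directories are not followed.
list_exposed() {
    find "$1" -maxdepth "${2:-1}" -type d | sort | while IFS= read -r dir; do
        has_index "$dir" || printf '%s\n' "$dir"
    done
}

# Create an empty index.php in every exposed directory and print how many
# were created. Directories that already have an index file are untouched.
fix_exposed() {
    list_exposed "$1" "${2:-1}" | while IFS= read -r dir; do
        : > "$dir/index.php" && printf '%s\n' "$dir"
    done | wc -l | tr -d ' '
}

# Stand-alone use: PLUGINS_DIR=/path/to/wp-content/plugins sh audit.sh [--fix]
if [ -n "${PLUGINS_DIR:-}" ]; then
    if [ "${1:-}" = "--fix" ]; then
        echo "created $(fix_exposed "$PLUGINS_DIR") blank index.php file(s)"
    else
        list_exposed "$PLUGINS_DIR"
    fi
fi
```

A blank index file only hides the listing for the directory it sits in, which is why turning off directory browsing at the web server covers more ground.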

I hope you’ve had fun and, in the process, tightened up your own blog’s security. You can never be too safe!



7 Responses to “Spy on Your Competitor - Find Out What WordPress Plugins They’re Using”

1. Fatos
11:43 pm on February 20th, 2008 (subscribed to comments)

Hi, I was just wondering how did you add this What’s Next under the post. I noticed Problogger has that too. Is it a plugin or what is it?
Thanks

2. David
12:53 am on February 21st, 2008 (subscribed to comments)

@Fatos, it’s actually not a plugin but that’s a good idea to create one. The What’s Next links are individually coded to dynamically work on each post. An easier way to get similar functionality is to download and install something like ShareThis or AddThis which both work great on WordPress. You might want to give those a try.

3. Fatos
9:54 am on February 21st, 2008 (subscribed to comments)

Thanks for your reply. And yes I know about these other plugins but I just happen to like that one and maybe it’s just that I want that too and that’s why I asked. And go ahead man and create a plugin like that, I would be the first one to use it. Good :idea:

4. David
6:47 pm on February 21st, 2008 (subscribed to comments)

@Fatos, maybe I’ll write a new article about how to create it. It’s easier to explain than to create a plugin. ;-)

5. David
8:51 am on February 23rd, 2008 (subscribed to comments)

Alright Fatos, I’ve just written up an article on how to implement this feature. Check it out –> How to create a “what’s next” post footer section. Thanks for the suggestion!

6. john
10:12 pm on April 2nd, 2008 (subscribed to comments)

Wow, came across your blog and it’s really tight and a lot of great info, signed up for the feed. I’ll be back, thanks


Trackbacks

  1. A Wordpress Vulnerability, and How to Close It
