Stop Plugin Enumeration [closed]

There is no need to stop “plugin enumeration”, just use plugins from a good home and make sure you have restrictive file permission setting on your server.

In theory you can use htaccess to mask the original location of the plugin on the disk and write some code to serve any JS and CSS file as if they are located at some other directory, but this depends on the way the plugin works, some plugins might work while some might fail.

But in the end if a plugin gives admin credentials to everyone that surfs to example.com/?admin=me then the bad guys don’t even need to enumerate the plugins on your site, they will just go directly to that url.

Related Posts:

  1. Will WordPress username displayed somewhere in the site?
  2. What security concerns should I have when setting FS_METHOD to “direct” in wp-config?
  3. What Are Security Best Practices for WordPress Plugins and Themes? [closed]
  4. Are WordPress Plugins essential?
  5. I found this in a plugin. What does it do? is it dangerous?
  6. What are the common security flaws I need to look for? [closed]
  7. Disabled plugins are they security holes – rumor or reality?
  8. What could a hacker do with my wp-config.php
  9. How Can I Securely Implement a Password-less Login Feature?
  10. Security and .htaccess
  11. Why “Contact Form 7” doesn’t update PHPmailer library?
  12. Are there procedures to prevent malicious plugin updates?
  13. Secure WordPress paid plugin
  14. How to make media upload private? [duplicate]
  15. Does WordPress contain “default” anti-SQL injection code that responds with a 404 error?
  16. What does a security risk in a plugin look like?
  17. WordPress Capabilities: edit_user vs edit_users
  18. Should we use plugins that aren’t available from the official WordPress site?
  19. How to check plugins for malicious code?
  20. How to properly secure my WordPress installation?
  21. Why allow overriding crucial pluggable functions wp_verify_nonce and wp_create_nonce?
  22. Where should my plugin POST to?
  23. Security error WP 4.0 + WP phpBB Bridge [closed]
  24. Should I install plugins to my WordPress installation from web sites having in URL “nulled” or, “null”?
  25. Disabled plugins are security holes – rumor or reality?
  26. Why am I sometimes getting a 404 error when I try to update a page with Elementor?
  27. Should I use RIPS tool to test my themes and plugins?
  28. Prevent Brute Force Attack
  29. Why users disable the WordPress update?
  30. How many security plugins are too many? [closed]
  31. Upgrading WordPress 4.0 asks for FTP password
  32. Is revealing just the AUTH_KEY a security issue?
  33. How Restrict access to admin dashboard by specific static ip?
  34. How to add a privacy-checkbox in comment-template?
  35. When is it useful to use wp_verify_nonce
  36. Protecting against malicious code in WordPress plugin updates
  37. Questions about brute force attacks on the admin username, coming from amazon IP addresses
  38. Why Better WP security plugin returns 418 I’m a Teapot “error”?
  39. How to expire all wordpress user passwords instantly?
  40. How to limit WordPress pages during updates?
  41. How to make my plugin GDPR compatible?
  42. rms_unique_wp_mu_pl_fl_nm.php
  43. Weird problems after recovery from security breach
  44. How can we deal with unmaintained plugins with vulnerabilities?
  45. Security issues with WP sites
  46. Security checking in meta_box save is reluctant?
  47. Escape when echoed
  48. Should you escape hardcoded URLs?
  49. Preventing BFA in WordPress without using a plugin
  50. How can I make uploaded images in the editor load with HTTPS?
  51. How to stop xmlrpc attacks without disabling component to allow JetPack to work in WordPress?
  52. How To Clean The Malware Infected & Hacked WordPress Websites? [duplicate]
  53. WordPress filter that hook after each action/filter hook
  54. How to delete Passwrd Protected posts cookies when a user logged out from the site
  55. The safest way to automate WordPress backups
  56. wp_create_nonce function doesn’t work inside a plugin?
  57. Does WordPress validate inputs to all functions? (such as get_user_meta and insert_user_meta)
  58. Upgraded to latest version – 3.0.3 and Now I get a “sufficient permissions to access this page” error
  59. Headers Content-Security-Policy CSP Major Issue
  60. How to block plugin activations with no known user or coming from unknown IP address range?
  61. Nonce failing on form submission
  62. Check for security updates
  63. Standard Fail2Ban vs. WP Fail2ban vs. WP Fail2Ban Redux
  64. Why can’t I access my Intranet LDAPS with NADI?
  65. Malicious File Upload [closed]
  66. Malware installation during plugin update?
  67. Hack-Proof OR Security in WordPress — is it real?
  68. I should enable automatic updates?
  69. Can some vulnerabilities in plugins be exploited even when the plugin is inactive?
  70. Security and Must Use Plugins
  71. Is Timthumb still broken? What security measures should be taken?
  72. Prevent direct access to WordPress plugin assets?
  73. Is it safe to use admin-ajax.php in the frontend?
  74. How to protect WordPress from security scanner [closed]
  75. Specific way to allow WordPress users to view their current password? And edit it?
  76. Too many login attempts
  77. Is there any pre-existing plugin to track and block IPs with suspicious activity on my site?
  78. How to prevent plugins from sniffing/stealing other plugins’ options?
  79. Website show Google Ads when we have no Google Ads linked to our website
  80. Vulnerability Concern From the Plugin or From Not Updating the Plugin?
  81. Custom API plugin to execute 3rd party API to retrieve data
  82. How to deal with Slow HTTP POST (slowloris) vulnerability
  83. Running multiple security plugins
  84. how do I secure my WP website from hackers? [closed]
  85. Chrome Dev Tools console says every page in my blog has link to http://maps.google.com [closed]
  86. Webservice credential storage [duplicate]
  87. Regarding plugin security
  88. How do I determine if the user who registered is not spam?
  89. If I use an alternative login (e.g. CAS or other SSO) plugin, is my site protected from the recent brute force login attempts?
  90. Is this plugin safe to run?
  91. Is the Block Bad Queries Plugin Still Relevant?
  92. WP Insert Post If user refreshes override new post
  93. 404 errors when updating options in admin dashboard
  94. Website Captcha Error: The reCAPTCHA wasn’t entered correctly
  95. Hide plugins and theme from public
  96. WordPress search shows protected content
  97. Security of a WordPress Plugin
  98. Can I disable xml-rpc by setting it to false?
  99. How can I disable new plugin and theme install, but allow updates?
  100. Help to Create a Simple Plugin to make a post
Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)