Protect Your Blog’s Root Access Folder at All Costs!

My kids have been using computers since they were old enough to figure out a mouse. This was way back before mobile devices like iPhones and iPads. I taught them safe user habits and monitored their use. One day I was sitting with my son and he clicked on a flashing ad that was, to his six-year-old mind, quite enticing. I quickly explained why he was not allowed to do that: He didn’t know where he’d end up and it was possible that some of those links led to sites that would corrupt the computer. He burst into tears and said he didn’t know and I thought he was stupid. I reassured him that I did not think he was stupid and that lots of people do it when they first start using the internet (again, this was a long time ago — the Stone Age of Internet). I told him it was my job to guide him and not clicking on those types of links was an important lesson.

I told you that story so I could tell you this: In the past week or two, several of my friends and I have received a phishing email offering $200 for access to our root directories so a footer script can be installed on our websites. This footer script is presented as being an ad of sorts. My initial reaction to these types of emails is to just delete them. This one, though, made me really angry because these people are preying on bloggers who may be enticed by the $200 price tag and not know the dangers of sharing access to their blog’s root folder. When you start blogging — especially if you are blogging with the intent of making money — it’s easy to be sucked in by these types of offers. You need to be aware of why this is a bad idea.

Before I go further, let me define two terms:

Phishing emails: These are emails that ask you for access to something (like your blog’s root directory or your bank account) or information about something (like your social security number or other personal information). You’ve probably heard about the various “princes” in Africa that would love to share their riches with you, but they just need to transfer some of the money to you and could you please share your account information. Bad idea, right? Just as you wouldn’t share your bank account access, personal information, or passwords, you should never EVER share access to your root directory (unless you’ve hired a professional developer that you’ve researched thoroughly; there are always exceptions to the rule — the point here is not to share with a stranger).

Root directory: When you have a self-hosted blog like WordPress.org, your files reside on the server you pay for (e.g., HostGator). The main folder on that server — the one that holds ALL of your blog files like posts, design, images, etc. — is called the root.

Here is the email my friends and I received (I tried to respond and the email associated with this message bounced):

Hi,

i need this type of placement could you do this?

1. We will provide php file with plugin source code
2. Webmaster will need to FTP to root folder of blog, then open folder
wp-content/plugins
3. Webmaster will need to create folder ‘footerlinks’, then enter that folder
and upload php file that we provided
4. Webmaster will need to log into blog admin area, click ‘Plugins’ in left
menu, click ‘Installed’ in submenu, find plugin named ‘Footer Links’ and click
‘activate’ link
5. After that links will appear at the bottom of the blog like here
[redacted] see our links in
footer.Very simple work just 1,2 minut only,Our links show on your old ABOUT
PAGE.

i can give you $200 for uploading our php file for 1 year time period only.

Let me know are you agree if you agree then send me paypal id please.

Waiting for your Answer

Thanks
[redacted]

There are two red flags in this email: broken English and poor grammar. I’m not implying that all messages from non-native English speakers are bad. I receive legitimate questions from people all over the world that have broken English or poor grammar. What makes this email different is the information they’re asking for. If you give someone access to your root directory, they essentially own your website or blog. They can install corrupt content (like a virus) or they can completely hijack your blog and lock you out. Your website belongs to them.
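If you want to check what is actually sitting in your wp-content/plugins folder, here is one way to do it. This is an added example, not part of the original post: it lists plugin folders you did not install yourself and flags PHP files that match a few patterns worth a second look. The pattern list, the `expected` set, and the sample files are constructed for illustration, and a match means "review this", not "this is malware".

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions for this example, not a full signature set).
SUSPICIOUS = {
    "hooks wp_footer": re.compile(r"add_action\(\s*['\"]wp_footer['\"]"),
    "eval of decoded data": re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)"),
    "fetches remote content": re.compile(r"(file_get_contents|curl_init|wp_remote_get)\s*\("),
}

def audit_plugins(plugins_dir, expected):
    """Return {plugin_folder: [findings]} for every folder that needs review."""
    report = {}
    for entry in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        findings = []
        if entry.name not in expected:
            findings.append("not in the list of plugins you installed")
        for php in sorted(entry.rglob("*.php")):
            text = php.read_text(errors="replace")
            for label, pattern in SUSPICIOUS.items():
                if pattern.search(text):
                    findings.append(f"{php.name}: {label}")
        if findings:
            report[entry.name] = findings
    return report

def build_sample_site(root):
    """Constructed sample: one plugin you installed, one folder like the email's."""
    plugins = Path(root) / "wp-content" / "plugins"
    (plugins / "contact-form").mkdir(parents=True)
    (plugins / "contact-form" / "contact-form.php").write_text(
        "<?php\n/* Plugin Name: Contact Form */\nfunction cf_render() { return '<form></form>'; }\n")
    (plugins / "footerlinks").mkdir()
    (plugins / "footerlinks" / "footerlinks.php").write_text(
        "<?php\n/* Plugin Name: Footer Links */\n"
        "add_action('wp_footer', 'fl_show');\n"
        "function fl_show() { echo file_get_contents('https://links.example/list'); }\n")
    return plugins

def demo():
    with tempfile.TemporaryDirectory() as root:
        return audit_plugins(build_sample_site(root), expected={"contact-form"})

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

On a real site, point `audit_plugins` at your own wp-content/plugins path and pass the folder names of the plugins you remember installing.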

That’s it. I just wanted to alert you to emails that may seem like a good idea because they offer money, but are really asking for more than you may think. Not my strongest closing paragraph, but there you go.

3 thoughts on “Protect Your Blog’s Root Access Folder at All Costs!”

  1. Thanks Melanie, I always enjoy your posts. This is another eye opener, as I often receive messages asking for such information, although I don’t always pay attention to them, but I now know it is a fragment of those million online scams. Anyway, thanks for sharing.

  2. Hi Melanie,

    You have mentioned very nice points. Once these guys get access to the root folder, it means they gain access to the full blog. They can change/rename any folder, they can even delete your WordPress files, and they can also see the wp-config file and then get access to the database too.

    So hell, in any condition, we should not give access to the root folder of our hosting.

    Hope your mail will help all newbies in learning about the WP root folder.
