
how to secure wordpress website from google dorking


Can anyone explain how can we secure any WordPress based website from Google dorking? The WordPress website enables REST API like any other websites and it shows a JSON file always now the point is how can we secure website from Google dorking from exposing personal information e.g. PDF files and DB password or wp-config.php file information etc. Is there any specific official WordPress patchset available for this?

google dorking


asked Feb 26, 2022 at 13:26 by CADENTIC
  • 1 google dorking can only expose information that has been exposed, it's just another way of saying "we looked in the google cache". Google dorking can't unlock hidden things that aren't publicly accessible, for wp-config.php to be readable via google dorking you would need to expose your wp-config.php file to the world and be sure the google bot crawled it. It isn't a magic hacking tool that has dedicated prevention measures – Tom J Nowell Commented Feb 26, 2022 at 14:14
  • so simple 0444 on wp-config.php and 0444 on .htaccess would be enough then? or is there any more factor that we must consider? do we need to perform any extra security-related tasks for REST API's JSON responses too? – CADENTIC Commented Feb 26, 2022 at 14:20
  • 1 if you can load and view your wp-config.php and .htaccess files in the browser then Google is the least of your worries, this suggests a major server misconfiguration that is not normal. If you cannot load and view your wp-config.php file in the browser then there is no problem here and you're being paranoid ( you're probably being paranoid ). Google Dorking cannot show you things that just loading it in the browser shows you. It is literally just loading a past version of the page from google cache – Tom J Nowell Commented Feb 26, 2022 at 14:25
  • I am more concerned about the part do we need to perform any extra security-related tasks for REST API's JSON responses rather than filesystem-based permissions. I keep them as per recommendations always. REST API's JSON responses can be loaded in the browser though I guess. – CADENTIC Commented Feb 26, 2022 at 14:30
  • the REST API has nothing to do with file permissions, no JSON files are generated or downloaded, it's JSON text output in the same way that archives are text based HTML output. Open up your server via FTP or SSH, you will not find any JSON REST API files or a wp-json folder – Tom J Nowell Commented Feb 26, 2022 at 16:35

1 Answer


There is an extremely high chance that this article is stoking the paranoia. It's correct but only in the strictest of senses. In practicality it's just a fancy name for "when you leak things that aren't meant to be public, people who saw it might tell you if you ask them", but specifically Google.

Google dorking is just a fancy name for "searching the google bot cache". It cannot reveal data that has never been made publicly available on your site, and it is not a secret backdoor to uncover previously unavailable secrets.

> can anyone explain how can we secure any wordpress based website from google dorking?

Don't expose confidential information, and when it is exposed notify those affected as you're required to by law/regulations. Invalidate, change or revoke anything that does get leaked. This is no different for things in google cache or just if there's a security breach on your site.

> the wordpress website enables REST api like any other websites and it shows a JSON file

No JSON files are involved in the REST API, just like there is no file for each blog post.

> always now the point is how can we secure website from google Dorking from exposing personal information eg. pdf files

Google dorking can only expose information that has already been exposed. If that data is exposed then it is already too late. Otherwise you need to ask in a Google community how to remove search results.

> and db password or wp-config.php file information etc.

This would only happen if you had suffered a massive security breach. If this happened you would need to change all your database details immediately and reset all passwords. You can't just hide secrets, once they are out it is too late and they must be changed.

If at any point your wp-config.php is being served as a text file and not a PHP file then you have suffered a major security breach and must notify your host, invalidate the database details, fix the problem, then apply new details once it is re-secured. It is not possible to get the contents of wp-config.php via google dorking unless you have suffered this kind of breach.

> is there any specific official wordpress patchset available for this?

No, and asking for one doesn't make sense because there is no vulnerability to fix. Short of just blocking Google and disappearing from search results.

Google Dorking is not a way to exploit code to reveal secrets, it's just a fancy name for browsing cached data from Google. It's like asking if there is a patch for WordPress that fixes the Wayback Machine.
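The check the answer describes (does wp-config.php or .htaccess come back as readable text instead of being executed or refused?), as an added example that is not part of the original answer. The marker patterns, function names and sample responses are constructed for illustration; run the live mode only against a site you administer.

```python
import re
import sys
import urllib.error
import urllib.request

# Patterns that only appear when the raw file is served as text (assumed markers).
LEAK_MARKERS = {
    "wp-config.php": re.compile(r"<\?php|define\(\s*['\"]DB_(NAME|USER|PASSWORD|HOST)['\"]"),
    ".htaccess": re.compile(r"^\s*(# BEGIN WordPress|<IfModule|RewriteEngine|RewriteRule)", re.M),
}

def classify(path, body):
    """'exposed' if the body looks like the file's raw contents, else 'ok'."""
    name = path.rsplit("/", 1)[-1]
    return "exposed" if LEAK_MARKERS[name].search(body) else "ok"

def audit(responses):
    """responses maps path -> (status, body); returns path -> verdict."""
    return {path: classify(path, body) for path, (_status, body) in responses.items()}

def fetch(base_url, path, timeout=10):
    """Request one path from a site you administer; returns (status, body)."""
    url = base_url.rstrip("/") + "/" + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

# Constructed sample responses (not captured from any real site).
SAMPLE_HEALTHY = {
    "wp-config.php": (200, ""),  # PHP executed, nothing printed
    ".htaccess": (403, "<html><body><h1>403 Forbidden</h1></body></html>"),
}
SAMPLE_BROKEN = {
    "wp-config.php": (200, "<?php\ndefine( 'DB_NAME', 'example_db' );\n"
                           "define( 'DB_PASSWORD', 'constructed-placeholder' );\n"),
    ".htaccess": (200, "# BEGIN WordPress\n<IfModule mod_rewrite.c>\n"
                       "RewriteEngine On\n</IfModule>\n# END WordPress\n"),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: pass your own site's base URL
        results = audit({p: fetch(sys.argv[1], p) for p in LEAK_MARKERS})
    else:  # offline demo on the constructed misconfigured sample
        results = audit(SAMPLE_BROKEN)
    for path, verdict in results.items():
        print(f"{path}: {verdict}")
```

An "exposed" verdict means the file's contents were publicly readable, so the credentials in it should be treated as leaked and changed, as the answer says.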
