Security Tip for Developers: .htaccess Based Protection Won’t Work on All WordPress Websites
One of the ways we see plugin developers try to stop improper access to files generated by their WordPress plugin is to restrict direct access to the files over the Internet through access restrictions placed in a .htaccess file (as was the case with a vulnerability we disclosed last week). The problem is that this only works if the website is hosted on a web server that honours .htaccess files. They are used by the most popular web server, Apache, but they are not used by Nginx, which along with Apache is recommended for use with WordPress, or by Microsoft’s IIS, for which WordPress provides its own release.
It isn’t clear how widespread the usage of different web servers is on websites running WordPress, since the WordPress statistics page doesn’t include a breakdown of that. Looking wider, Netcraft found in April that 46% of active websites were using Apache, 20% were using Nginx, and 9% were using IIS.
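To make the gap concrete, here is an added example (not configuration from the post or from any particular plugin) of what a site on Nginx needs instead of the plugin's .htaccess rule; the plugin directory, host name, document root and PHP-FPM socket are placeholders.

```nginx
# Apache honours a per-directory .htaccess, for example:
#   # wp-content/uploads/example-plugin/.htaccess (Apache 2.4 syntax)
#   Require all denied
# Nginx never reads that file, so the same restriction has to be declared
# in the site's server block, otherwise the generated files stay reachable.
server {
    listen 80;
    server_name example.com;          # placeholder host name
    root /var/www/example.com;        # placeholder document root

    # Hypothetical directory the plugin writes its generated files to.
    # "^~" makes this prefix match win over the regex .php location below,
    # so even a .php file dropped into the directory is refused, not executed.
    location ^~ /wp-content/uploads/example-plugin/ {
        deny all;                     # every client receives HTTP 403
    }

    # Normal WordPress front controller.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

After reloading Nginx, request a known file under that directory and confirm the response is 403 rather than the file's contents; the same check on an Apache host tells you whether AllowOverride actually lets the .htaccess take effect there.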