MyBB Community Forums

Full Version: Can users see what plugins are being used?
Is there a way for a normal user to be able to see what plugins are being used? There are a few I don't want the average user to know about, so they need to be hidden.
There is not, at least directly. They can guess based on extra public files your plugin is using (such as images or files outside the plugins directory), but generally speaking they should not be able to track your plugins down.
Not directly, no. However, if you go to http://yoursite.com/inc/plugins/myplugin.php, plugin files will generally have code that outputs a message saying "this file cannot be accessed directly", which obviously exposes the file's existence. This is why I tend to make my plugins send a 404 header instead, so you don't know if it's there or not.

tl;dr is technically they can if they try hard enough.
(2016-09-12, 11:41 AM) Matt Wrote: Not directly, no. However, if you go to http://yoursite.com/inc/plugins/myplugin.php, plugin files will generally have code that outputs a message saying "this file cannot be accessed directly", which obviously exposes the file's existence. This is why I tend to make my plugins send a 404 header instead, so you don't know if it's there or not.

tl;dr is technically they can if they try hard enough.

I never thought to do that. Thanks for giving me an idea to improve my plugins.
Yes, there are ways to figure it out.
Some plugins require some sort of credit in a footer. Regardless of this, a hacker could attempt to hit the more popular plugin files as mentioned by Matt.
(2016-09-12, 11:41 AM) Matt Wrote: Not directly, no. However, if you go to http://yoursite.com/inc/plugins/myplugin.php, plugin files will generally have code that outputs a message saying "this file cannot be accessed directly", which obviously exposes the file's existence. This is why I tend to make my plugins send a 404 header instead, so you don't know if it's there or not.

tl;dr is technically they can if they try hard enough.

Right on, how would I do that without messing up the plugin and be sure it sends a 404 instead of an access denied?

Is it something with file permissions?
(2016-09-12, 11:41 AM) Matt Wrote: Not directly, no. However, if you go to http://yoursite.com/inc/plugins/myplugin.php, plugin files will generally have code that outputs a message saying "this file cannot be accessed directly", which obviously exposes the file's existence. This is why I tend to make my plugins send a 404 header instead, so you don't know if it's there or not.

tl;dr is technically they can if they try hard enough.

That is interesting, Matt. I will follow this convention on my forums :)
Basically, most plugins will have this in them:

if(!defined('IN_MYBB'))
{
	die('This file cannot be accessed directly.');
}

Then when you visit it in your browser, it would just say "This file cannot be accessed directly.", but you know it exists.

If you do this instead:

if(!defined('IN_MYBB'))
{
	header('HTTP/1.0 404 Not Found');
	exit;
}

You'll get the same 'not found' error or page as if you went to a truly non-existent file, but you have no idea the file actually exists.

Would probably want to do the same for language files too - they don't output anything but you'd get a white page if you went to one directly.

Could probably do it via htaccess too... if the URL path contains "inc/plugins" or "inc/languages", show a 404.

Lots of ways :) Not saying any of them are bulletproof, but if it's a plugin that has no other visible signs it's installed on the forum, it should be fairly good at stopping people knowing it's there.
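
Added example (not part of the thread and not any poster's code): a Python self-check that compares how a guarded plugin file answers with how your server answers for a path that truly does not exist, covering the die() guard, the 404-header guard and a server-level rule discussed above. The `Response` records, header values and page bodies are constructed samples, and the empty body for the PHP-sent 404 is an assumption about a typical setup; substitute responses recorded from your own forum.

```python
# Added example: self-check for a forum you administer. Every response below
# is a constructed sample, not captured traffic.
from dataclasses import dataclass, field

# Headers that often differ between a PHP-generated reply and the web server's
# own error page (assumed list; extend it for your stack).
COMPARED_HEADERS = ("content-type", "x-powered-by")

@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)  # lower-case header names

def leaks(baseline, probe):
    """List how `probe` differs from `baseline`, the reply for a path that
    truly does not exist. An empty list means the two look identical."""
    found = []
    if probe.status != baseline.status:
        found.append(f"status {probe.status} != {baseline.status}")
    if probe.body != baseline.body:
        found.append("body differs")
    for name in COMPARED_HEADERS:
        if probe.headers.get(name) != baseline.headers.get(name):
            found.append(f"header {name} differs")
    return found

# Constructed baseline: the server's own error page for a missing file.
NOT_FOUND_PAGE = "<h1>Not Found</h1><p>The requested URL was not found.</p>"
BASELINE = Response(404, NOT_FOUND_PAGE, {"content-type": "text/html; charset=iso-8859-1"})
PHP_HEADERS = {"content-type": "text/html; charset=UTF-8", "x-powered-by": "PHP"}

# Constructed replies for the three approaches discussed in the thread.
SAMPLES = {
    "die() message": Response(200, "This file cannot be accessed directly.", PHP_HEADERS),
    # Assumption: a 404 sent from PHP followed by exit carries an empty body.
    "PHP 404 header + exit": Response(404, "", PHP_HEADERS),
    "server-level 404 rule": Response(404, NOT_FOUND_PAGE, dict(BASELINE.headers)),
}

def audit(samples=SAMPLES, baseline=BASELINE):
    """Map each approach to the differences an outside observer could see."""
    return {name: leaks(baseline, resp) for name, resp in samples.items()}

if __name__ == "__main__":
    for name, diffs in audit().items():
        print(f"{name}: {'; '.join(diffs) or 'matches the missing-file reply'}")
```

Any non-empty result means the guarded file can still be told apart from a missing one, so keep adjusting the guard or the server rule until the list comes back empty.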