Bug description
Directories under the WordPress content path (/content/plugins/, /content/themes/, /content/mu-plugins/, /cms/wp-content/) respond with HTTP 200 and a blank page instead of 404.
This happens because:
- These directories contain index.php files ("Silence is golden") that exist on disk
- The web server (Apache/Nginx) serves them directly without going through the framework, due to RewriteCond %{REQUEST_FILENAME} !-f / try_files
- The result is a blank 200 response, which is an information leak (confirms directory existence) and looks broken
Reported in Pollora/pollora#182.
Expected behavior
Any request to a directory path that isn't a valid WordPress/Laravel route should return 404.
Proposed fix
Two-layer approach:
1. Skeleton .htaccess (Apache)
Add a rewrite rule before the standard Laravel rules to force directory requests under content/ and cms/wp-content/ through the front controller.
2. Framework middleware (server-agnostic)
Add a middleware in the framework that detects requests targeting existing directories (not files) and returns 404. This ensures protection regardless of web server configuration (Apache, Nginx, Caddy, etc.).
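One way the middleware in step 2 could look, as an added sketch that is not Pollora's code. The class name and namespace are hypothetical, and it assumes the request actually reaches Laravel's front controller (for example through the rewrite rule from step 1) and PHP 8.

```php
<?php

declare(strict_types=1);

namespace App\Http\Middleware; // hypothetical namespace, not the project's

use Closure;
use Illuminate\Http\Request;
use Symfony\Component\HttpFoundation\Response;

/**
 * Hypothetical middleware: answer 404 when the request path maps to an
 * existing directory (not a file) inside the public docroot.
 */
final class RejectDirectoryRequests
{
    public function handle(Request $request, Closure $next): Response
    {
        $path = $request->decodedPath();

        // The site root is itself a directory and must stay routable.
        // Paths containing NUL bytes are left to normal routing.
        if ($path === '/' || str_contains($path, "\0")) {
            return $next($request);
        }

        // realpath() resolves "..", symlinks and duplicate slashes, and
        // returns false when nothing exists at that location.
        $docroot = realpath(public_path());
        $target  = realpath(public_path($path));

        if ($docroot === false || $target === false) {
            return $next($request); // nothing on disk: the router decides
        }

        // Only act on directories strictly inside the docroot, so a path
        // that resolves elsewhere is never probed for existence.
        $inside = str_starts_with($target, $docroot . DIRECTORY_SEPARATOR);

        if ($inside && is_dir($target)) {
            abort(404);
        }

        return $next($request);
    }
}
```

Because files are excluded by the `is_dir()` check, static assets under the docroot are unaffected; only directory paths such as /content/plugins/ get the 404.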
Affected versions
All versions — this is a structural issue with the Bedrock-style layout where wp-content is under the public docroot.
Related