After thinking about this, my conjecture on how this works is this:
Almost all plugins/themes have .css and/or .js files. For plugins these are stored in the plugin's installation directory - .../wp-content/plugins/some-plugin-directory. The URLs of the HTTP requests for these would look like this - httpx://some.host.com/wp-content/plugins/some-plugin-directory/js/some-javascript-file.js. From these requests wpsec can extract 'some-plugin-directory', which is what WordPress uses to identify a plugin. If the plugin is in the WordPress repository then wpsec can download the entire plugin and provide more information. If the plugin is proprietary then wpsec probably only has access to the publicly accessible .js and .css files. On my installation I have a proprietary plugin and wpsec found the installation directory - 'some-plugin-directory' - but did not report the version, probably because it cannot access the readme.txt or any of the .php files. So, if this conjecture is correct, if a plugin only has PHP, i.e. no .css, no .js and also no images stored in its installation directory, then wpsec should not be able to detect it. Of course the same reasoning applies to themes.
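
To check what a site's own rendered HTML discloses under the conjecture above, the following added example (not part of the original post, and not wpsec's code) lists the plugin and theme directories that appear in asset URLs, including URLs with escaped slashes inside inline script JSON. The sample HTML and the names `some-theme`, `gallery-plugin` and `inline-plugin` are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of rendered front-end HTML (not from a real site).
SAMPLE_HTML = r"""
<link rel="stylesheet" href="https://some.host.com/wp-content/themes/some-theme/style.css">
<link rel="stylesheet" href="/wp-content/plugins/some-plugin-directory/css/front.css?ver=1.2">
<script src="//some.host.com/wp-content/plugins/some-plugin-directory/js/some-javascript-file.js"></script>
<img src="https://some.host.com/wp-content/plugins/gallery-plugin/img/logo.png">
<script>var cfg = {"ajax":"https:\/\/some.host.com\/wp-content\/plugins\/inline-plugin\/api.js"};</script>
<p>Rendered by a PHP-only plugin that ships no static assets.</p>
"""

# /wp-content/(plugins|themes)/<directory>/<asset path>
# The directory and path stop at quotes, whitespace, angle brackets, '?' or '#'.
ASSET_RE = re.compile(
    r"/wp-content/(plugins|themes)/([^/\"'\s<>?#]+)/([^\"'\s<>?#]+)"
)


def exposed_components(html):
    """Return {'plugins': {dir: [assets]}, 'themes': {dir: [assets]}} found in html."""
    # Inline JSON in script tags often escapes slashes as "\/"; undo that first.
    html = html.replace("\\/", "/")
    found = {"plugins": defaultdict(set), "themes": defaultdict(set)}
    for kind, directory, path in ASSET_RE.findall(html):
        found[kind][directory].add(path)
    return {
        kind: {d: sorted(paths) for d, paths in dirs.items()}
        for kind, dirs in found.items()
    }


if __name__ == "__main__":
    for kind, dirs in exposed_components(SAMPLE_HTML).items():
        for directory, paths in sorted(dirs.items()):
            print(f"{kind[:-1]}: {directory} -> {', '.join(paths)}")
```

The PHP-only plugin in the sample produces no entry, which matches the conjecture: a directory name is only disclosed when some asset URL under it reaches the page.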