Wordpress - Should Plugin Folders Include a Blank index.php File?
No, they should not. If a plugin has vulnerabilities just because someone might see its directory structure it is broken. These bugs should be fixed.
Security through obscurity is a bug for itself.
It’s up to the site owner to allow or forbid directory browsing.
A second issue is performance: WordPress scans all PHP files in a plugin’s root directory to find plugin headers. This allows you to have multiple plugins under the same directory, eg /wp-content/plugins/wpse-examples/
.
It also means that unused PHP files in that directory are wasting time and memory when WordPress is searching for plugins. One file will not do much harm, but imagine this is getting a common practice. You are creating a real problem in an attempt to fix a fictional.
I am going to say YES. Security through obscurity works if you're more obscure then your neighbors :) (joking but there is some truth to that).
The reality is that the bots/scanners now compile the plugin lists right off wordpress.org and crawl the plugin url's directly, fingerprinting versions for known exploits and keeping the info in a database for reference.
So which one would you rather have, a bot not being able to gather info on your install, or leaving it up to the plugin author to make sure you're secure. How about both.
ps. On a side note there were 186 reported exploits from wordpress.org plugins last year .(*reported..).