By default most webservers like Apache, NGINX and LiteSpeed have directory browsing enabled.

It simply means that people can view the content of the individual folders (directories) in your website.

From a security standpoint you don’t want this happening since you don’t want people to look around your site structure.

Hackers can easily find potential exploits in themes and plugins by sniffing through those files.

In this short tutorial, we’re going to show you how to disable directory browsing in WordPress using the .htaccess file. For the purpose of simplicity, the terms directory and folder are used synonymously in this tutorial.

Let’s get started…

If you open the following link and find a bunch of files, then it means that directory browsing is disabled in your server.

Link: http://yoursitename.com/wp-includes/ (where yoursitename is the name of your WordPress site).

If the above link contains a list of folders, then this means directory browsing is enabled.

If directory browsing is enabled, it will look something like this:

The Risk Of Leaving Directory Browsing Enabled In WordPress

We’ll show you how to get that disabled to prevent any potential security issues.

Some background information on index files

If a folder contains an index.php or index.htm or index.html file, then the webserver by default, runs or loads that file when someone enters that folder.

So if someone were to view the files in a directory and an index.php/html file was there, then it wouldn’t be possible since the webserver would call the respective PHP or HTML file.

If the index.php/html file weren’t there, then anyone could list the content of the directory.

The base directory refers to the default directory of your web server. All proper websites have an index.php or index.html file in their base directory. Check your own website, you’ll find that the base folder contains an index.php file if you’re using WordPress (or any other CMS) or an index.html file if you’re using a basic HTML template.

So why disable directory browsing?

Some WordPress folders like wp-content or wp-includes contain sensitive data that isn’t required for prying eyes. As you know, the wp-content folder contains your themes, plugins and media uploads.

Anyone can simply surf through those media files and hackers can find potential exploits. So yes, in a way, you’re making the hacker’s job easy by not disabling directory browsing.

How to disable directory browsing in WordPress

Disabling directory browsing in WordPress or any other CMS or website for that matter requires access to the base directory via FTP or some file manager like cPanel.

There are various free FTP clients that will help you here, a good option is FileZilla.

You simply need to create an .htaccess file with the following line of code in it:

Options All -Indexes

Then upload the file back to the respective folder. This is a very general overview of the process. In most cases, you might already have a .htaccess file present inside your WordPress installation directory. It is created when you had changed the permalink settings.

Be very careful – do not overwrite this file, or else you’ll lose all your permalink and other security settings.

If you already have a .htaccess file present, first create a backup. Then, open it in Notepad (or any plain text editor) and paste the following line in the end:

Options All -Indexes

In general, most .htaccess files contain the following code:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

The modified code will look like:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Options All -Indexes

Save the file, and upload it back in the same directory you downloaded it from, this time overwriting the file. If anything breaks, replace it with your backup file and try the process again.

Once you disable directory browsing, you all those directories that were previously visible now redirect you to a 403 Access Forbidden or a 404 Not Found page. In either case, it works.

I tried the tutorial on my WAMP setup and it worked like a charm!

Forbidden Error Message Shows Success Of Disabling Directory Browsing

Conclusion

Disabling directory browsing is one of the most undermined security countermeasures among most webmasters. Most of them simply forget about this loophole which makes the job for the hacker a lot easier.

As a practical example, the following is a picture of one of my client’s sites before I applied the fix. As you can see, anybody could browse the media uploads anytime they wanted – even ones that were uploaded, but never displayed in the actual site.

Directory Browsing Example

I hope I’ve been able to communicate the importance of disabling directory browsing and how to go about doing it.

Posted by Sourav Kundu

Hi there! I'm Sourav. I dig comedy, WordPress, computers and tea - CWCT if you will. I can also write clean, precise copy for your projects. Portfolio is under construction. You can reach me on Twitter @Souravify.