How To Disable Directory Browsing in WordPress Via .htaccess & Plugins

Being the most popular blogging platform, WordPress is a likely target for every attacker looking for vulnerable WordPress websites.

In this post you will learn

A) How to secure your sensitive WordPress site directories by disabling Directory Browsing via .htaccess file.

B) How to Password protect Apache web directories using htaccess.

C) Best WordPress plugins to disable directory listings

Why Disable Directory Browsing in WordPress?

On WordPress, user-generated content is supposed to go into /wp-content while other file names and directories (content inside /wp-admin, /wp-includes) are mostly static and predictable as they belong to the WordPress core.

Therefore, a directory listing inside /wp-content makes it possible to enumerate uploaded media files (/uploads), themes (/themes) and, most importantly, plugins (/plugins).

By revealing this information you make it easy for an attacker to see which plugins and themes are installed, and in which versions, which helps him find an attack vector and pinpoint his attack. In general, it is good practice not to allow directory listing, so that an attacker's job becomes harder.

Try running WP Hacked Help WordPress security scanner against the site and analyse the results. Our scanner database contains a list of vulnerabilities and it checks against interesting directories as well. 

If a person can browse through your WordPress files, it is a big security loophole that makes it easier for a hacker to break into the site. Folders like wp-content or wp-includes contain sensitive data, and by default any web user can view the files present in your WordPress installation.

You can check whether directory browsing is enabled under your default settings. All you have to do is type the URL of your blog’s “Uploads” directory into the address bar of a web browser.

For instance – Let’s say that the url of your website is . You simply need to type  the following in your browser’s address bar: 

or (where example is the name of your WordPress site).

If you see a list of files in the result, it means directory browsing is enabled on your WordPress website, which is definitely not a good sign. It can reveal a lot of information about your website. A hacker can easily view the uploads directory and add any malicious code, which may lead to a malware infection on your site such as a WordPress malware redirect.

Apart from this, the plugin directory is not safe either. All the plugins available in your WordPress installation are exposed. Hence, breaking into your website is not at all difficult for attackers. Outdated plugins are easily exploited and can serve as open doors into your blog’s Dashboard and file system.

You can clearly see in the image given below – BEFORE – The directory browsing was enabled on WordPress blog – AFTER the directory browsing was disabled on WordPress blog

BEFORE/AFTER Disable Directory Browsing In WordPress

How to Disable Directory Browsing in WordPress using .htaccess?

Now that you know the consequences of enabled directory browsing, you may want to know how to disable it. It’s not as simple as it seems. To disable directory browsing in your WordPress installation, follow these instructions for your .htaccess file:

  • First, open a file transfer program (FTP or SFTP) and connect to your website. Look for a file called .htaccess. If you find it, download it to your PC. If you can’t find the file, it may be hidden.

In that case, log out of the program you used, set a “remote file mask” of -a in the program’s options, log in again and search for the .htaccess file once more.

You can also use the cPanel File Manager; make sure the “show hidden files” option is selected. Once you locate the file through any of these methods, download the .htaccess file from your WordPress home directory to your desktop.

  1. If you are still unable to find a .htaccess file in the main web directory, you can create one.
  2. Now create two copies of the .htaccess file on your own computer. One will be used to modify the settings and the other will be kept as a backup in case you accidentally make an error.
  3. Once you have these copies, open one of the files with Notepad or a more capable editor such as Notepad++.
  4. Save the file unchanged under the name “.htaccess.backup” to keep a backup of the original file. Make sure you change the file type to “All types”.
  5. Next, open the other file in the same tool, i.e. Notepad.
  6. Now add the following line of code just above the #END WordPress line:
 Options -Indexes

And your final .htaccess will look like this:

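# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Turn off automatic directory listings. Written as "Options All -Indexes" the line
# mixes signed and unsigned options, which Apache 2.4 rejects.
Options -Indexes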


Hit the ENTER key after placing this code so that it ends with a blank line.
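Before uploading, the edited file can be checked for the mistakes this edit most often introduces. The following is an added example, not code from the original post: `audit_htaccess` and the shortened sample block are this example's own names. It relies on two facts: WordPress regenerates everything between its BEGIN/END markers, and Apache 2.4 refuses an `Options` line that mixes signed and unsigned values.

```python
import re

WP_BEGIN = re.compile(r"#\s*BEGIN WordPress\b", re.I)
WP_END = re.compile(r"#\s*END WordPress\b", re.I)

def audit_htaccess(text):
    """Return (state, findings); state is 'disabled', 'enabled', 'unset' or 'invalid'."""
    state, findings, in_wp = "unset", [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if WP_BEGIN.match(line):
            in_wp = True
        elif WP_END.match(line):
            in_wp = False
        m = re.match(r"Options\s+(.+)$", line, re.I)
        if not m:
            continue
        words = m.group(1).lower().split()
        signed = [w[0] in "+-" for w in words]
        if in_wp:
            # WordPress regenerates everything between its markers.
            findings.append(f"line {n}: inside the WordPress block, will be overwritten")
        if "+" in words or "-" in words:
            # "Options - Indexes": the sign is split from the option name.
            return "invalid", findings + [f"line {n}: space between sign and option"]
        if any(signed) and not all(signed):
            # Apache 2.4 refuses a mix of signed and unsigned options on one line.
            return "invalid", findings + [f"line {n}: mixes signed and unsigned options"]
        if not any(signed):
            # The unsigned form replaces the whole option set; "All" includes Indexes.
            state = "enabled" if {"indexes", "all"} & set(words) else "disabled"
        elif "-indexes" in words:
            state = "disabled"
        elif "+indexes" in words:
            state = "enabled"
    return state, findings

# Constructed sample: the default WordPress block, shortened.
WP_BLOCK = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    for tail in ("Options -Indexes", "Options All -Indexes", "Options - Indexes"):
        print(tail, "->", audit_htaccess(WP_BLOCK + tail + "\n"))
```

An "invalid" result matters because a syntax error in .htaccess makes Apache answer every request in that directory with a 500 error.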

  1. Once you have added this line to the existing code, save the modified .htaccess file.
  2. Open your FTP program or cPanel’s File Manager utility again and upload the edited .htaccess file to your WordPress home directory.
  3. Load your WordPress site on the web server to check whether you have made the changes correctly.
  4. Verify again whether directory browsing has been disabled by using the same URL. If you see an error “404 – File not Found” instead of a list of files, it means your WordPress installation is free from the directory browsing loophole. Now hackers won’t be able to exploit any insecure files from exposed directories.
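The browser check described earlier, and repeated in the last step above, can be scripted for several directories of your own site at once. This is an added example, not code from the original post; the function names and the sample responses are constructed for illustration. Apache normally answers 403 Forbidden once listing is off and no index file exists, so the check treats both 403 and the 404 mentioned above as "blocked".

```python
import re
import urllib.error
import urllib.request
# Apache mod_autoindex (and nginx autoindex) title generated listings "Index of /path".
LISTING_TITLE = re.compile(r"<title>\s*Index of\s+/[^<]*</title>", re.I)

def classify(status, body):
    """Map one directory response to 'listing', 'blocked', 'index-file' or 'unknown'."""
    if status in (403, 404):
        return "blocked"          # Apache normally answers 403 once Indexes is off
    if status == 200:
        # A 200 without the autoindex title means an index file answered instead.
        return "listing" if LISTING_TITLE.search(body) else "index-file"
    return "unknown"

def exposed_names(body):
    """Entries a listing page gives away, skipping sort links and the parent link."""
    hrefs = re.findall(r'<a\s+href="([^"]+)"', body, re.I)
    return [h for h in hrefs if not h.startswith(("?", "/", "../"))]

def fetch(url, timeout=10):
    """GET a directory URL on your own site; HTTP error statuses are results too."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def audit(responses):
    """responses maps path -> (status, body); returns path -> (verdict, exposed names)."""
    report = {}
    for path, (status, body) in responses.items():
        verdict = classify(status, body)
        report[path] = (verdict, exposed_names(body) if verdict == "listing" else [])
    return report

# Constructed sample responses (not captured from a real site).
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/uploads</title></head><body>
<h1>Index of /wp-content/uploads</h1><table>
<tr><th><a href="?C=N;O=D">Name</a></th></tr>
<tr><td><a href="/wp-content/">Parent Directory</a></td></tr>
<tr><td><a href="2024/">2024/</a></td></tr>
<tr><td><a href="invoice.pdf">invoice.pdf</a></td></tr></table></body></html>"""
SAMPLES = {"/wp-content/uploads/": (200, SAMPLE_LISTING),
           "/wp-content/plugins/": (200, ""),
           "/wp-includes/": (403, "<h1>Forbidden</h1>")}

if __name__ == "__main__":
    for path, result in audit(SAMPLES).items():
        print(path, *result)
```

For a live check, build the dictionary by calling `fetch()` on each directory URL of your own site and pass it to `audit()`.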

You can find more .htaccess security snippets here.

Disable Directory Browsing WordPress Plugins

From now on, if you create a new directory on your WordPress website, make sure you place an “index.html” file in it so that visitors are not shown a directory listing. You can also install a WordPress plugin to disable directory browsing and thus improve the security of your WordPress website.

WP safely disable directory browsing

This essential .htaccess rules plugin is open source software for WordPress users that restricts browsing through web directories by disabling directory browsing automatically whenever a new directory is created.

Hide My WP – WordPress Security Plugin:

Using this plugin, you can easily hide common WordPress paths and URLs to increase the security of your WP site against web exploits.

AB WP Security:

This plugin is specifically designed and developed to protect your website against a number of security loopholes. It disables directory browsing and prevents visitors to your site from viewing the contents of directories on your website.

Disabling directory browsing is one of the most overlooked security measures among webmasters. Leaving it enabled tells hackers which themes and plugins are used on the website, so they can effortlessly exploit outdated ones and break into your website. Many times people simply forget about it, which makes the hacker's job a lot easier.

Disable Directory Listings Plugin

Prevent virtual directory listing services from listing the contents of directories, and/or show a page in place of a directory’s listing. This plugin can prevent visitors from seeing the contents of certain (or all) directories on your site (assuming your web server generates virtual directory listings). It also allows you to use a WordPress page as the index for a directory.

By default, the following directories are protected:

  • wp-includes/
  • wp-content/
  • wp-content/plugins/
  • wp-content/themes/

Find the image below for more information on How to disable directory browsing in apache configuration.

Password protect Apache Web Directories using .htaccess



How Can We Help? 

If you find it difficult to edit your .htaccess file, WP Hacked Help has a solution for every WordPress problem. With its compelling WordPress security services, you don’t need to worry about your WordPress website at all. Additionally, we provide complete protection against a number of malware infections and web exploits such as brute force attacks, pharma hacks, site phishing and website redirects, to keep your WordPress website free from future hacks and risks.

