How to Disable Directory Browsing in WordPress?
We love WordPress because it is awesome, and yes, we know you love it too. So we must secure its content and files so that no one can steal valuable information from our website.
Hackers around the world look for vulnerabilities in outdated websites: old themes and plugins, weak login credentials, coding flaws, or hosting issues. In most cases this happens with WordPress websites. As a WordPress admin, you should be aware of the common vulnerabilities that already exist.
One of these vulnerabilities is directory browsing in WordPress. Today we will share with you the 5 best ways to disable directory browsing in WordPress, or hide the WordPress directory.
What Is Directory Browsing?
Sometimes you see a list of files and folders when you access a website in a web browser. Directory browsing means the server shows a list of a website’s files and folders instead of the webpage you would normally browse. It can happen for several reasons.
If you don’t have an index file (index.html, index.php, etc.) in your WordPress site directory, the web server automatically displays an index page listing your WordPress site files and folders. When a web server gets a request for a web page, it can prioritize which web pages to display.
In most cases index.php is the main index file of a WordPress site. Without the index.php file, the server could end up listing all the directories, files and folder contents in the web server’s root.
You should make sure that directory browsing is already disabled, or your site can become a hacker’s playground.
Why Is Disabling WordPress Directory Browsing Important?
As said earlier, if you don’t have an index page and have not disabled directory browsing in WordPress, any visitor can easily see all the contents of your website. They can see which WordPress themes and plugins you are using and get an idea of how you have set up your website structure.
Revealing all this information gives hackers an advantage in finding vulnerabilities in WordPress themes, plugins or other files. They can see and download any files from there. And if the rest of your WordPress security is not hardened, it becomes really easy to hack and steal your website.
Disabling directory browsing in WordPress solves the issue and enhances WordPress security. So disabling WordPress directory browsing is a must and very important for site security, but hiding the WordPress directory won’t do everything. You should check other WordPress security factors to make your site safe.
How To Check Whether Directory Browsing Is Enabled
Some plugins, like Yoast SEO, WP Rocket and Wordfence, automatically disable directory browsing in WordPress. Still, if you want to check whether it is already disabled, do the following tests.
For instance, let’s say your website is www.abc.com. Simply type the following URLs into your browser.
www.abc.com/wp-content/uploads
www.abc.com/wp-includes
www.abc.com/wp-content/plugins/ or www.abc.com/wp-content/themes
If you can see a list of your website’s files and folders, directory browsing is enabled, which is not good. By default, wp-content and wp-includes contain sensitive data for each WordPress installation.
Let’s see how to fix this problem easily. We will show you how to disable directory browsing in WordPress using the .htaccess file from cPanel.
How to Disable Directory Browsing in WordPress using .htaccess?
Now you are aware of the consequences of leaving directory browsing enabled in WordPress. Looking for a way to fix it? There are many, so apply the method you are most comfortable with.
Disable Directory Browsing In WordPress Using .htaccess
The easiest way to do this is with the .htaccess file. Many plugins exist (we discuss them later on) that help you do this with a click, but we don’t recommend that.
All you have to do is add one small line of code to your .htaccess file, and it will disable directory browsing in WordPress. Take a backup before you edit the .htaccess file.
Log in to your web hosting server or cPanel, then navigate to the file manager. Make sure to enable the show hidden files option so you can see hidden files (like the .htaccess file).
Go to your root directory, find the .htaccess file and open it in edit mode.
After opening the .htaccess file, add the following rules to the top of the file.
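# Disable Directory Browsing
# -Indexes on its own turns listings off; "All" would also switch on every other option (ExecCGI, Includes, ...)
Options -Indexes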
By default, the WordPress .htaccess file only has the following code:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Just add the Options line from above, and the .htaccess file will finally look like this:
Options -Indexes
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
That’s it. Now save the file and close it. You have successfully disabled directory browsing in WordPress. Let’s check whether the directory is hidden.
Go to your browser and again type the same URLs as above.
www.abc.com/wp-content/uploads or www.abc.com/wp-includes
You should get either the forbidden (no access) page or a page not found error. That means you have disabled directory browsing successfully.
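The manual check described above, before and after the .htaccess change, can be scripted. The following Python is an added example, not part of the original article; the host example.test, the sample responses and the verdict names are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Paths the article checks by hand.
PATHS = ["/wp-content/uploads/", "/wp-includes/",
         "/wp-content/plugins/", "/wp-content/themes/"]

# Apache and nginx auto-generated listings are titled "Index of /path".
LISTING_TITLE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

def classify(status, body):
    """Map one HTTP response to 'listing', 'blocked' or 'no-listing'."""
    if status in (403, 404):
        return "blocked"        # the result the article expects after the fix
    if status == 200 and LISTING_TITLE.search(body):
        return "listing"        # auto-generated index page: browsing is on
    return "no-listing"         # e.g. 200 from a blank index.php placeholder

def fetch(url, timeout=10):
    """Return (status, body) for url; HTTP errors are results, not exceptions."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-listing-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def audit(base_url, fetcher=fetch):
    """Check every path under base_url and return {path: verdict}."""
    base = base_url.rstrip("/")
    return {path: classify(*fetcher(base + path)) for path in PATHS}

# Constructed sample responses so the example runs offline.
SAMPLE = {
    "/wp-content/uploads/": (200, "<html><head><title>Index of /wp-content/uploads</title></head>"),
    "/wp-includes/": (403, "<h1>Forbidden</h1>"),
    "/wp-content/plugins/": (200, ""),   # blank index.php placeholder
    "/wp-content/themes/": (404, "Not Found"),
}

def sample_fetcher(url):
    """Stand-in for fetch() that serves the constructed SAMPLE responses."""
    path = url.split("example.test", 1)[1]
    return SAMPLE[path]

if __name__ == "__main__":
    for path, verdict in audit("https://example.test", sample_fetcher).items():
        print(f"{verdict:<11} {path}")
```

To audit your own site, call audit() with its base URL and the default fetcher; a 200 response with an empty body is reported as no-listing rather than as a finding.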
Disable Directory Browsing In WordPress Using Plugins
Beginners are really fond of using plugins because they make things easy, and there are many plugins out there to help. Let’s see which ones.
Disable Directory Listings Plugin
You can use the Disable Directory Listings plugin to prevent virtual directory listings of your secure content directories.
After you install and activate the plugin, it automatically applies the changes and gives you the default 404 error page whenever you try to access a directory listing. Note: this plugin only works with the Apache server.
WP Safely Disable Directory Browsing Plugin
WP Safely Disable Directory Browsing is an essential .htaccess rules plugin that allows you to improve the security of your WordPress blog.
Yoast SEO Plugin
Do you already have the WordPress SEO by Yoast plugin? Then navigate to SEO >> Edit Files, where you can edit the .htaccess file. Just add the following line to the file and you are done.
Options -Indexes
WP Rocket
You can hide the WordPress directory using the WP Rocket plugin too. Once installed and activated, it automatically enables the security features and restricts users from accessing directory listings.
Conclusion
It’s not a necessary step in some cases, but we highly recommend applying it to add an additional layer of security. Take a backup of your .htaccess file before making any changes.
The most effective way to disable directory listing in WordPress is the small piece of code in the .htaccess file. Try to avoid using a plugin, as it can take up extra space on your server. Also, some plugins are old enough to break your site, so take a backup before using one.
So that’s how we stop WordPress directory browsing on our sites. Now your website is secured too.