The reason why WordPress has taken the lead as a great CMS platform is that it is open-source and available to everyone. Anyone interested in how the platform works have easy access to the system code and know what goes on behind the curtains.
However, this level of openness also introduces potential security challenges. Malicious users can easily exploit vulnerabilities in your core files, themes, and plugins to hack your website.
One of the ways hackers can access this information is through your website directory listing, which means internet users are able to view and browse the folders and files that make up your website. Therefore, you should consider disabling the directory listing on your website in addition to other WordPress Security Practices.
In this guide, you will learn why you need to disable directory listing and how to do so.
- Why is It Important to Disable Directory Listing?
- First Step – Check if Directory Browsing is Enabled on Your Website
- How Do I Disable Directory Browsing in WordPress?
- What Next After Disabling Directory Browsing on Your WordPress Site?
Why is It Important to Disable Folder Browsing?
An improperly configured server makes your WordPress directory or folders visible to the public if they know where to look. Attackers know how to find this information and can browse through your WordPress files and folders.
Your WordPress folders contain every information about your Website. This includes all the files and media you use, your WordPress themes, plugins, and other settings and configuration. Think of your WordPress folder as the hard drive on your computer.
Hence, if an attacker has access to these files, they have a wealth of information on you and can use it to access the admin area. Equally, if your WordPress blog themes and plugins have any known vulnerabilities, they can explore this vulnerability to disrupt your website’s functionality or steal personal information.
So to add an extra layer of security to your website, you need to disable directory listing or folder browsing.
We always recommend taking additional precautions to secure your website against malicious attacks. WordPress being a popular platform, is a target for hackers, so your site is a preferred target.
But this shouldn’t be a cause for worry. The WordPress teams employ the best security measures to keep you secure. And we have listed other security practices to protect your WordPress blog against attackers, as well as a list of 8 recommended WordPress Security Plugins. In addition to these, we will show you how to disable directory browsing.
First Step – Check if Directory Browsing is Enabled on Your Website
Before you begin, we recommend confirming that you actually have this problem. To do this, add /wp-includes to your website’s domain name.
If directory listing is enabled on your website, you can see the list of the files within this folder, as shown below.
If this is the case for you, then let’s jump into how to fix it.
How Do I Disable Directory Browsing in WordPress?
This section walks you through the steps to disable directory listing on your website. Let’s jump in.
1. How to Disable Directory Browsing via cPanel
If your WordPress hosting platform supports cPanel or a similar hosting panel, disable directory browsing via the file manager.
So to get started, log in to your cPanel account, scroll to the ‘Files’ section, and click on File Manager.
Here, locate the directory containing your website files. For our example, this is the ‘public_html’ folder. Once you’ve located the folder, right click on it. From the context menu that appears, click Manage Indices.
This allows you to customize what will happen when no index file exists in a directory. The index file is what causes a webpage to be displayed instead of allowing the directory to be listed.
So to prevent directory listing, select ‘No Indexing’, and hit the Save button.
This will prevent folders that do not contain index.html or index.php files from displaying on your front end when a hacker tries to access them.
To confirm that this setting has been applied, you should try reaccessing your folders. Do this by going to https://yourdomain.com/wp-includes. You should encounter a 403 (Forbidden) error, as shown below.
But if this doesn’t work for you, or your hosting provider doesn’t offer cPanel, we’ll walk you through how to edit your .htaccess file with a WordPress plugin to achieve a similar result.
2. Disable Directory Browsing With Htaccess File Editor Plugin
To protect your folders without using the cPanel File Manager app, you will need to edit the .htaccess file to include a rule that automatically adds an index file to your folders. We’ll use the “Htaccess File Editor – Safely Edit Htaccess File” Plugin to do this.
To install this plugin, login to your WordPress admin dashboard and go to Plugins >> Add New.
Using the search bar, search for “Htaccess File Editor”.
Now, hit the Install Now and Activate buttons consecutively to enable the plugin on your website.
Using the WP Htaccess Editor
After activating the plugin, go to Settings >> WP Htaccess Editor to access the plugin’s settings page.
Because the .htaccess file is such an important file that defines essential rules for your website directories, an editing mistake can make your website inaccessible.
Therefore, we recommend backing up this file before continuing with this step. This way, you can revert to the last working version if there is a mistake.
The plugin automatically performs a backup to your website folder before allowing you to edit the .htaccess file. And you can always access it via the ‘wp-content’ folder on your hosting dashboard. You’ll find these backups at ‘/wp-content/htaccess-editor-backups/’.
Once you access your .htaccess backup file, you can simply edit it to correct the error. Likewise, if you can still access your admin area after an error. Simply hit the Restore Last Saved Backup below the .htaccess text editor. This will restore your website to a working state.
Let’s go back to editing the file. Scroll down, you will notice that the editor is overlaid with a red cover. Click the I understand. Enable the editor button to begin editing.
At the bottom of the file (after the last line), enter the following line of code:
And hit the Save button.
Now, confirm again that your folders are protected by adding /wp-includes to your website URL. It should be protected, as seen below.
I Encounter an Error after Editing .htaccess File
If you encounter an error, you should check the file for a typo. To be sure, you can delete the line you added and copy and paste it exactly as it appears above. the command should be the last in the file.
If you have made a mistake preventing you from accessing your admin area, you need to manually edit the file.
If you can access cPanel, simply log in to your dashboard and go to Files >> File Manager.
Within the ‘File Manager’, locate the root directory containing your website files and double-click to open it. Within this folder, locate your .htaccess file, right-click on it, and select Edit.
You will see a warning to perform a backup before continuing. Click Edit again.
Now, you can edit your .htaccess file to include the correct code. Once done, click on the Save Changes button.
What Next After Disabling Directory Browsing on Your WordPress Site?
Having successfully disabled directory browsing on your WordPress website, you can rest assured that hackers can no longer view site directory files in your server.
In addition to protecting your website folders, you can take further steps to harden your website against security threats. Please read our complete guide on WordPress security to learn how to do this.
And here is an additional resource to help you – Best WordPress Security Plugins to Stay Protected.