Directory browsing is a feature that allows users to see a list of files and folders in a web directory if no index file (like index.php
or index.html
) is present. While this might seem harmless, it can be a significant security risk for your WordPress site.
When directory browsing is enabled, sensitive files like backups or configuration files can be exposed to unauthorised users. This visibility can be exploited by attackers to identify vulnerabilities in your plugins, themes, or even the WordPress core itself.
Maintaining privacy is essential for both site administrators and users, as unauthorised access to these files can lead to data breaches. Here we’ll guide you through the process of checking if directory browsing is enabled on your site and provide step-by-step instructions on how to disable it, either manually or by using a dedicated plugin.
How to check if directory browsing is enabled
Before taking steps to disable directory browsing, it’s important to check if it’s already enabled on your site. This can be done in two simple ways:
- Check the
/wp-includes/
folder. To do this, go to https://yourdomain.com/wp-includes/. If directory browsing is enabled, you’ll see a list of files and folders. If it is disabled, you’ll see a 403 Forbidden message. - Access your
.htaccess
file, which is located in the root directory of your site (usually inpublic_html
). You can access it via your host’s control panel or through an SFTP client. Make sure to enable Show Hidden Files to view the.htaccess
file. Look for the line Options -Indexes. If this line is not present, directory browsing is enabled.
Disable directory browsing using .htaccess
The .htaccess
file is a configuration file used by Apache-based web servers (which means you can’t use this technique on nginx-based servers, for example) to manage various server settings, including security configurations for WordPress sites. Editing this file allows you to control aspects like URL redirects, access permissions, and more. However, incorrect edits to the .htaccess
file can cause your website to malfunction. Therefore, it’s important to make a backup of the original .htaccess
file before making any changes.
You can find the .htaccess
file via your host’s control panel (such as cPanel) or an SFTP client, as we mentioned earlier. Follow these steps to disable directory browsing:
- Right-click on the
.htaccess
file and press Edit. - Add the following line of code to disable directory browsing:
Options -Indexes
- Save the changes to the file.
- Check if directory browsing has been successfully disabled by attempting to access a directory on your site.
If directory browsing is disabled, you should see a 403 Forbidden error or a blank page instead of a list of files and folders. If the changes do not appear to take effect, try clearing your browser cache or checking the file permissions to ensure the .htaccess
file can be read by the server.
Disable directory browsing using a WordPress plugin
Disabling directory browsing can also be achieved using dedicated plugins. The benefits of using a plugin include ease of use, as you don’t need to manually edit any critical files, and automated plugin updates.
Here are two plugins that can help you disable directory browsing:
- Prevent Direct Access provides basic security features for file protection. Beyond the option to turn off directory listing, you can also use it to prevent right-clicking and saving as well as set a custom “No Access” page that doesn’t just display a 404 error.
- Rank Math is primarily known for its SEO capabilities and allows users to edit the
.htaccess
file directly from the WordPress dashboard. By adding theOptions -Indexes
code snippet through Rank Math, you can disable directory browsing while also benefiting from its comprehensive SEO tools.
Using these plugins provides a hassle-free way to secure your site without needing to delve into server configurations or manual file edits.
Beyond disabling directory listing: How Shield Security PRO secures your WordPress site
Shield Security PRO is an advanced security solution designed to provide protection for WordPress sites. Here are some of the plugin’s key features:
- AI malware scanning: Shield Security PRO uses AI-driven malware scanning for real-time detection and reduced false positives. This proactive threat mitigation ensures potential threats are identified and neutralised before causing harm, providing full security for your site.
- silentCAPTCHA: This powerful alternative to Google reCAPTCHA and CloudFlare Turnstile automatically detects and blocks bad bots without user interaction. It keeps your site secure from automated attacks while maintaining a great experience for legitimate users.
- Advanced firewall protection: The plugin includes a customizable Web Application Firewall (WAF) that protects your WordPress site from a wide range of threats. It actively filters incoming traffic and blocks malicious requests, ensuring your site remains safe from various types of attacks.
- Advanced 2FA: Shield Security PRO supports both Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) for WordPress logins. You can set up various authentication methods, such as email, Yubikey, and Google Authenticator, to enhance login security.
- Brute force protection: Brute force attacks attempt to discover login credentials by trying many different combinations. Shield Security PRO actively monitors failed login attempts and can automatically ban suspicious IP addresses and usernames that exceed a certain threshold, effectively preventing unauthorised access.
- File Locker: The File Locker feature scans your WordPress installation for critical files like
index.php
,wp-config.php
, and.htaccess
. Users are notified whenever a modification is made to these files, ensuring unauthorised changes are quickly identified and addressed. - Import/export capabilities: Shield Security PRO allows users to easily transfer security settings between different WordPress sites. This is particularly convenient and time-saving for managing multiple sites, ensuring consistent security settings across all installations.
- Exclusive customer support: Shield Security PRO offers exclusive customer support to its users. Having assistance readily available provides peace of mind, knowing that any security concerns or issues can be quickly resolved by a dedicated team of experts.
Take action: Secure your WordPress site today
Disabling directory browsing is essential for WordPress security as it prevents unauthorised access to sensitive files and reduces potential site vulnerabilities. Leaving directory browsing enabled can expose important files and provide attackers with information to exploit your site.
While you can use the .htaccess
file to disable directory browsing, this method carries a high risk of error, so a plugin is highly recommended. Two come recommended – Prevent Direct Access and Rank Math. Combine these with Shield Security PRO and you’ll gain a comprehensive suite of advanced security features, protecting your site against a multitude of threats.
Secure your WordPress site across the board by trying Shield Security PRO today!