How to Safeguard Your WordPress Site by Disabling Directory Browsing

September 24, 2024 by Paul G. | Security, WordPress Solutions

Directory browsing is a feature that allows users to see a list of files and folders in a web directory if no index file (like index.php or index.html) is present. While this might seem harmless, it can be a significant security risk for your WordPress site.

When directory browsing is enabled, sensitive files like backups or configuration files can be exposed to unauthorised users. This visibility can be exploited by attackers to identify vulnerabilities in your plugins, themes, or even the WordPress core itself.

Maintaining privacy is essential for both site administrators and users, as unauthorised access to these files can lead to data breaches. Here we’ll guide you through the process of checking if directory browsing is enabled on your site and provide step-by-step instructions on how to disable it, either manually or by using a dedicated plugin.

How to check if directory browsing is enabled

Before taking steps to disable directory browsing, it’s important to check if it’s already enabled on your site. This can be done in two simple ways:

Check the /wp-includes/ folder. To do this, go to https://yourdomain.com/wp-includes/. If directory browsing is enabled, you’ll see a list of files and folders. If it is disabled, you’ll see a 403 Forbidden message.
Access your .htaccess file, which is located in the root directory of your site (usually in public_html). You can access it via your host’s control panel or through an SFTP client. Make sure to enable Show Hidden Files to view the .htaccess file. Look for the line Options -Indexes. If this line is not present, directory browsing is enabled.

Disable directory browsing using .htaccess

The .htaccess file is a configuration file used by Apache-based web servers (which means you can’t use this technique on nginx-based servers, for example) to manage various server settings, including security configurations for WordPress sites. Editing this file allows you to control aspects like URL redirects, access permissions, and more. However, incorrect edits to the .htaccess file can cause your website to malfunction. Therefore, it’s important to make a backup of the original .htaccess file before making any changes.

You can find the .htaccess file via your host’s control panel (such as cPanel) or an SFTP client, as we mentioned earlier. Follow these steps to disable directory browsing:

Right-click on the .htaccess file and press Edit.
Add the following line of code to disable directory browsing:

Options -Indexes

Save the changes to the file.
Check if directory browsing has been successfully disabled by attempting to access a directory on your site.

If directory browsing is disabled, you should see a 403 Forbidden error or a blank page instead of a list of files and folders. If the changes do not appear to take effect, try clearing your browser cache or checking the file permissions to ensure the .htaccess file can be read by the server.

Disable directory browsing using a WordPress plugin

Disabling directory browsing can also be achieved using dedicated plugins. The benefits of using a plugin include ease of use, as you don’t need to manually edit any critical files, and automated plugin updates.

Here are two plugins that can help you disable directory browsing:

Prevent Direct Access provides basic security features for file protection. Beyond the option to turn off directory listing, you can also use it to prevent right-clicking and saving as well as set a custom “No Access” page that doesn’t just display a 404 error.
Rank Math is primarily known for its SEO capabilities and allows users to edit the .htaccess file directly from the WordPress dashboard. By adding the Options -Indexes code snippet through Rank Math, you can disable directory browsing while also benefiting from its comprehensive SEO tools.

Using these plugins provides a hassle-free way to secure your site without needing to delve into server configurations or manual file edits.

Shield Security PRO Call-To-Action: Purchase

Beyond disabling directory listing: How Shield Security PRO secures your WordPress site

Shield Security PRO is an advanced security solution designed to provide protection for WordPress sites. Here are some of the plugin’s key features:

AI malware scanning: Shield Security PRO uses AI-driven malware scanning for real-time detection and reduced false positives. This proactive threat mitigation ensures potential threats are identified and neutralised before causing harm, providing full security for your site.

silentCAPTCHA: This powerful alternative to Google reCAPTCHA and CloudFlare Turnstile automatically detects and blocks bad bots without user interaction. It keeps your site secure from automated attacks while maintaining a great experience for legitimate users.
Advanced firewall protection: The plugin includes a customizable Web Application Firewall (WAF) that protects your WordPress site from a wide range of threats. It actively filters incoming traffic and blocks malicious requests, ensuring your site remains safe from various types of attacks.
Advanced 2FA: Shield Security PRO supports both Two-Factor Authentication (2FA) and Multi-Factor Authentication (MFA) for WordPress logins. You can set up various authentication methods, such as email, Yubikey, and Google Authenticator, to enhance login security.

Brute force protection: Brute force attacks attempt to discover login credentials by trying many different combinations. Shield Security PRO actively monitors failed login attempts and can automatically ban suspicious IP addresses and usernames that exceed a certain threshold, effectively preventing unauthorised access.
File Locker: The File Locker feature scans your WordPress installation for critical files like index.php, wp-config.php, and .htaccess. Users are notified whenever a modification is made to these files, ensuring unauthorised changes are quickly identified and addressed.
Import/export capabilities: Shield Security PRO allows users to easily transfer security settings between different WordPress sites. This is particularly convenient and time-saving for managing multiple sites, ensuring consistent security settings across all installations.
Exclusive customer support: Shield Security PRO offers exclusive customer support to its users. Having assistance readily available provides peace of mind, knowing that any security concerns or issues can be quickly resolved by a dedicated team of experts.

Take action: Secure your WordPress site today

Disabling directory browsing is essential for WordPress security as it prevents unauthorised access to sensitive files and reduces potential site vulnerabilities. Leaving directory browsing enabled can expose important files and provide attackers with information to exploit your site.

While you can use the .htaccess file to disable directory browsing, this method carries a high risk of error, so a plugin is highly recommended. Two come recommended – Prevent Direct Access and Rank Math. Combine these with Shield Security PRO and you’ll gain a comprehensive suite of advanced security features, protecting your site against a multitude of threats.

Secure your WordPress site across the board by trying Shield Security PRO today!

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

Try ShieldPRO Today →

ShieldPRO Testimonials

@fencepost

Been working well for years

I’ve been using it for years and have always found it to be solid and helpful. It’s one of the very first things I install on any WordPress installation I do. I’m using some but not all of the features. The only thing I’d like to see added is some…

@newheart

Great Plugin

Great Plugin! Does as advertised. Stops nasty things from happening to your site.

@webmatpro

Thanks, awesome

Fully and awesome, thanks 🙂

@liujunjie688

good so far

I was previously using Wordfence which was causing high IO and Memory usage during its periodic scans which seemed to hang part way through. I’ve no such issue with Shield plugin. I can’t comment on the spam filter as I’m using the alternative, but good that there is no conflicts…

ESSENTIAL WORDPRESS SECURITY NEWS

Get ShieldNOTES, our excellent weekly WordPress security newsletter!