How To Disable Directory Listing In WordPress?

This article will walk you through directory listings, how their visibility can risk your WordPress website security, and ways to disable directory listings.

Whenever you browse WordPress, you will most definitely find that WordPress is associated with the word “security. And it’s not quite a surprise to a lot of people. Why? Because many WordPress websites often get targeted by hackers. Although WordPress is a safe CMS, the websites get attacked because of the security mistakes users make, like ignoring to disable directory listing.

One of those security neglections is enabling the directory browsing of your website. Doing this can gain a lot of attention from attackers, and you must disable directory listing as soon as possible. I wouldn’t be surprised if the words why and how are popping up in your mind. Worry not because I will provide the answers for you. In this article, you will learn how directory browsing can make your site vulnerable and the ways to disable directory listings.

How To Disable Directory Listing In WordPress

Why Do You Need To WordPress Disable Directory Listing?

Before we get into the why part of this article, we must know what a directory listing is. Directory listing is a list of all the files, folders, and directories present on a web server. Moreover, if your website does not have an index page, your web server will display all the contents of your website directories by default.

Usually, the content that the user generates will go to the wp-content folder, while the files of wp-admin/wp-includes are within the WordPress core.

Furthermore, the wp-contents directory listings have information on your website themes, plugins, and media files. Although directory listing itself isn’t a vulnerability, displaying its contents will be a liability.

Also, it allows hackers to sniff out the details(like versions) about plugins/themes and find a backdoor through them. The best way to secure a website is by not disclosing any information that might benefit a hacker.

A hacker or anyone can view its content easily if the directory listing is enabled, using the following URLs.

  • http://www.anywebsitename/wp-content/uploads/

However, disabling directory listings will render useless the hackers’ attempts.

You can use the URLs to check if directory browsing is viewable on your website. If so, you can follow the steps in this article to remedy that. 

How To Disable Directory Listing Of Your WordPress?

In this session, you will learn two ways to disable directory listing. The first one is through the WordPress .htaccess file, and the other method is by using the Hide My WP security plugin.

Using The WordPress .htaccess File To Disable Directory listing:

Disclaimer: Editing the htaccess file without caution will cause a website to break. It is crucial to back up your WordPress website before tinkering with the htaccess file.

Now, follow these steps to disable the directory browsing option:

  1. Firstly, you should connect your website to the web server through FTP.
  2. Browse for your website root directory and look for the .htaccess file.
  3. Sometimes, you might be unable to see the .htaccess file right away because it is a hidden file. In that case, make sure that the show hidden files option is enabled on your FTP client.
  4. Later, download your .htaccess file onto your computer. It is a safe practice to keep another copy of this file. If your attempts risk the website, you can replace it with the backup copy of your .htaccess file.
  5. Open the downloaded file on a text editor; the most commonly used is the notepad(you can choose the one that suits you best).
  6. Now, add the code “Options -Indexes” at the bottom of the file.
  7. Add the modified .htaccess file to your root directory.
  8. Check if it works with the help of URLs I’ve mentioned earlier.
  9. If it works, people trying to access your directory listings page will see a WordPress 404 page instead.

Before the editing, the .htaccess file code will be like:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

After the code, the modified file code will be like:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Options All -Indexes

Using The Hide My WP Security Plugin To Disable The Directory Listing:

Many users don’t feel confident editing the .htaccess file, which is understandable. Hence, you can choose from many plugins available to make things easier for you.

The Hide My WP is a security plugin that will help protect your website from many threats. Further, it has an option that will allow you to hide the directory listings of your website. The following steps will walk you through the process of hiding your directory list:

  • Install the Hide My Security plugin.
  • You can use this guide to set up the plugin: How To Install And Setup Hide My WP Security Plugin?.
  • Later, go to the settings section under the Hide My Security plugin.
  • Then, select the “Hide” section of the settings.
  • Now, scroll down until you find the “directory list” option.
  • Check the box to this option to disable the directory lists and other text files.
disable directory listing using HMW
  • Save the settings. Now you are done with disabling the directory listings.

Here are some features of the Hide My WP security plugin that will help protect your website from web attacks:

Hide my WP - WordPress Security Plugin-1
  1. The Hide My WP security plugin will help you hide the default Login Page of your website. Doing this will help escape brute force attacks.
  2. Also, you can use the firewall of the plugin to block modern-day attacks like XSSSQL injectionCSRFCommand Injection, and many more.
  3. It will block spam and give you all-day protection. 
  4. With the help of this plugin, you can change permalinks easily.
  5. Change any elements like text/URLs of your website source code with this plugin.
  6. Moreover, this plugin will help hide the default WordPress paths like /inc, /inc/themes, /ext, /inc/uploads, /other, etc.

Summing It Up

Hackers can manage to attack websites in a plethora of ways. They do it by exploiting the vulnerabilities of your websites. There are various ways for them to figure out the security loopholes of your websites. 

One of those ways is by directory browsing. Attackers can find information regarding plugins/themes through it and find backdoors to creep into your website.

The obvious way to prevent that is by disabling the directory listings. But there are two ways to d it. One is by adding a snippet of code to your WordPress .htaccess file, while the other way is to use the Hide My WP Security plugin.

If you haven’t already, use this article as a reference to disable directory browsing of your WordPress website.

Also Read: What Is WordPress Timthumb Hack & How to Fix It?