How to Disable Directory Browsing in WordPress?

One way to boost the WordPress security is to disable directory browsing in WordPress.

Typically, the webserver has disabled directory listing by default. But sometimes, the case could be different, and the directory could become accessible with this URL.

http://www.yoursite.com/wp-includes

At that moment, it becomes critical to disable the directory from the WordPress site.

In this short blog post, I will tell you what directory browsing is, why it is a security concern, and how you can overcome it.

What is Directory Browsing in WordPress?

WordPress runs on the PHP server. It includes PHP, an operating system, database, and a webserver.

The database is where the site’s data is located. Every site needs a source for data. 

Now, a directory is a location where the files are stored. For WordPress files, a directory can be found in the database. Typically they will be in the hierarchical file system for the ease of navigation.

These directories should be hidden and restricted to public users due to security issues. 

Though, due to incorrect server configuration, directory browsing gets unlocked in WordPress. When that happens, anyone can browse the directory files of the websites.

Why should you disable directory browsing in WordPress?

The directory may contain sensitive information that hackers could use to take control of the website.

The wp-content directory has all information about the themes you are using, plugins, configurations and other information.

Anyone can surf the files and find the information that could help the hackers to exploit the website.

Also interesting looks like they didn’t disable directory browsing… pic.twitter.com/R8txyqZu1d

— Sean Wright (@SeanWrightSec) June 10, 2020

After disabling it, no one can access it.

How to disable directory browsing in WordPress?

In this article, I will tell you three easy to follow methods to disable directory browsing.

1. Disable directory browsing with WordPress Plugin
2. Disable directory browsing with cPanel
3. Disable directory browsing with .htaccess

Disable directory browsing with WordPress Plugin

Like every WordPress function & task, there are WordPress plugins to restrict the directory browsing for the public.

Most of the WordPress plugins to disable directory browsing are not up to date and are not secure.

If you are using any security plugins, such as Wordfence, or Sucuri, check if the plugins provide the function to disable directory browsing.

I suggest not to use plugins as there are not quality plugin available, and you can do it manually quickly and easily.

Disable directory browsing with cPanel

We will be using the File Manager in this method. Whether your host has provided you cPanel, Plesk or any other panel, you can follow this guide. Most of the hosting panel is similar.

Step 1: Log in to cPanel and locate the File Manage under the files section.

Step 2: Find the public_html

The next page will load the panel. Panel on the left panel display all the top directories of the websites. The right side panel displays all the directories and files within the directory.

The public_html directory is in home_directory. Make sure the home_directory is load from the left pane.

After selecting the home directory from the left panel, search the right-side panel for the public_html file.

Step 3: Edit the Indices of public_html

Click on the public_html file, and it will open a tray of options. From there, choose ‘Manage indices’. On the next page, you will find the option to allow or disallow the directory index to show.

Select the No Indexing option and hit the have button. And it’s done.

You will get the confirmation message like this:

Check the website wp-includes page, and you will see the forbidden page instead of a directory.

Disable directory browsing with a .htacces file editor

The third method is to use the .htaccess file to turn off the indices.

.htaccess file consists of the command for the servers. We will add one more command to the file.

If it’s your first time, and you are not much aware of .thaccess files, take your website’s breakup.

It’s up to you how you want to edit the .htaccess file of your WordPress site. You can do it from a WordPress plugin, or via cPanel File Manager.

Here the plugin to edit the .htaccess file:

• WP htaccess Control
• Htaccess File Editor
• .htaccess Site Access Control
• WP htaccess Optimize

In this post, I will edit the .htaccess file from cPanel.

Step 1: Open the File Manager from the cPanel.

As mentioned above, login into your cPanel. Find the file manage under the Files section.

The .htaccess file will be in the public directory. 

Step 2: Editing the .htaccess file.

Click on the .htaccess file, and select the edit option from the tray.

The next page will open the editing option for the htaccess file.

Step 3: Add the line of code.

Add the following line of code into the .htaccess file.

Options -Indexes

Save the changes. The directory listings are disabled now.

Final Words

In most cases, any of the three mentioned methods will work fine to disable directory browsing in WordPress.

• Plugin Method: Not recommended to download a plugin for this. If the already installed security plugin has this option, then go for it.
• No Indexing: Secure and easy to follow method to forbidden the directory listing.
• Adding code to .htaccess file: Another secure and straightforward method, but don’t mess with .htaccess file if you are not aware of it.

If nothing works, you can contact your hosting provider to solve the issues. You can also leave your doubts and questions in the comment box.