Are you concerned about the security of your WordPress website? One often overlooked vulnerability is directory browsing, which exposes critical information to potential hackers. This information can be leveraged to exploit vulnerabilities in your site’s plugins, themes, or hosting server. In this article, we will guide you on how to disable directory browsing in WordPress to enhance the overall security of your website.
Every time a visitor accesses your website, your web server processes the request and typically delivers an index file, such as index.html. However, when no index file is found, the server might display all the files and folders in the requested directory—a practice known as directory browsing. Unfortunately, this feature is often enabled by default, putting your site at risk.
If you’ve ever encountered a webpage showing a list of files and folders instead of its usual content, you’ve witnessed directory browsing in action. The concern here is that hackers can exploit this feature to examine the files constituting your website, including themes and plugins. If any of these components have known vulnerabilities, attackers can use this information to compromise your WordPress blog, steal data, or carry out other malicious actions.
Furthermore, directory browsing can expose confidential information within your files and folders, allowing attackers to copy your website’s content, including materials typically offered for a fee, such as ebook downloads or online courses. To mitigate these risks, it’s considered a best practice to disable directory browsing in WordPress.
Checking Directory Browsing Status:
Before proceeding with the disabling process, it’s wise to check whether directory browsing is currently enabled on your WordPress website. Simply visit www.example.com/wp-includes/ in your browser, replacing “www.example.com” with your own domain. If you receive a 403 Forbidden or a similar message, directory browsing is already disabled. If instead you see a list of files and folders, follow the steps below to secure your site.
Disabling Directory Browsing:
To disable directory browsing, you’ll need to add specific code to your site’s .htaccess file. Access this file using an FTP client or the file manager app within your WordPress hosting control panel.
- Connect to your site using an FTP client or follow our guide on connecting to your site using FTP for first-time users.
- Open your website’s ‘public’ folder and locate the .htaccess file.
- Download the .htaccess file to your desktop and open it in a text editor like Notepad.
- At the very bottom of the file, add the following code:
```apache
Options -Indexes
```
- Save the .htaccess file and upload it back to your server using your FTP client.
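Once the change is uploaded, it is worth verifying it against every standard WordPress directory rather than only /wp-includes/, since each of them lacks an index file and would be listed just the same. The script below is an added example, not part of the original article: the list of directories, the markers it looks for in an Apache or nginx listing page, and the verdict names are assumptions made for this example.

```python
"""Check whether a WordPress site still serves directory listings.

Added example, not part of the original article. It fetches the standard
WordPress directories under a base URL and classifies each response. The
classification is a pure function, so it can be exercised on constructed
responses without network access.
"""
import re
import sys
import urllib.error
import urllib.request

# Directories present on every WordPress install that contain no index file,
# so a server with directory browsing enabled will list them (assumed list).
WP_DIRS = ["/wp-includes/", "/wp-content/", "/wp-content/uploads/",
           "/wp-content/plugins/", "/wp-content/themes/"]

# Markers that Apache mod_autoindex and nginx autoindex put in a listing page.
LISTING_MARKERS = re.compile(r"<title>Index of /|Parent Directory", re.IGNORECASE)

def classify(status: int, body: str) -> str:
    """Return 'listing', 'blocked' or 'other' for one HTTP response."""
    if status == 200 and LISTING_MARKERS.search(body):
        return "listing"          # directory browsing is still enabled
    if status == 403:
        return "blocked"          # what you expect after Options -Indexes
    return "other"                # a real page, a redirect, a 404, etc.

def fetch(url: str) -> tuple[int, str]:
    """GET url and return (status, body); HTTP error responses are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlisting-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536).decode("utf-8", "replace")

def check_site(base_url: str) -> dict[str, str]:
    """Classify every standard WordPress directory under base_url."""
    base = base_url.rstrip("/")
    return {d: classify(*fetch(base + d)) for d in WP_DIRS}

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python check_dirlisting.py https://www.example.com")
    for path, verdict in check_site(sys.argv[1]).items():
        print(f"{verdict:8} {path}")
```

Any directory reported as `listing` means the Options -Indexes line is not taking effect for that path, typically because a second .htaccess file deeper in the tree re-enables indexes or the hosting server is not Apache.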
That’s it! Upon revisiting the http://example.com/wp-includes/ URL, you should now encounter a 403 Forbidden or a similar message, indicating that directory browsing is successfully disabled on your WordPress website.