WordPress Tutorials

How to Disable Directory Browsing in WordPress

We WordPress lovers will shout it to the world — WordPress is amazing! We love it and as the world’s leading CMS platform, it’s clear that a lot of other people do too.

But, as many seasoned WP users and developers will tell you, a WordPress installation, though great, still needs some customizing to really tighten things up when it comes to security and other default features.

If you’re looking for ways to boost security, then one area that you should consider is by blocking people from being able to browse your directory files.

Why Disabling Directory Browsing is a Good Idea

Stop and consider this for a moment:

Let’s say that you have one of those metal cabinets made for holding your personal and private files you wish to keep in a safe place. Now, even though you likely don’t have those under lock and key, it’s pretty much a given that people should stay out of that cabinet unless they get the go-ahead from you.

Now imagine that you find someone going through those files without your permission. Wouldn’t you be annoyed and wary of that person’s intentions?

Most of us would. And my guess would be that you would probably start locking that cabinet up from that point on.

Well, this somewhat illustrates the importance of your directory files on your WordPress blog.

They’re pretty important and you would think that people would have the decency to keep their nose out of things that don’t belong to them, but history paints another sad reality.

Truth is that your site’s directory files are on display for anyone in the world to find if they know where to look, and they’re easy to find.

You can easily discover any site’s directory files that are powered by WordPress by simply entering /wp-includes/ at the end of your base URL.

If you do this to your own site and you find a picture similar to the one pictured below, then your directory files are accessible to anyone and everyone who wants to take a peek.

Directory Browsing

That’s a bit unnerving when you consider that these files contain sensitive information and can give hackers the upper hand when finding a way to sneak in and tamper or virtually set your site ablaze. Thus keeping a WordPress backup of your website is also necessary to prevent and reinstate the files if something goes wrong.

Want to prevent that from happening? Then there is a simple fix to put your files under lock and key.

Disabling Directory Browsing On Your WordPress Site

Disable-Directory-Browsing

The good news is that the fixing this takes a simple line of code. The bad news is that it’s going to take some slight tech skills to put that code in the right place.

OK, so let’s start this off. Here is the code you’re going to use:

Options All -Indexes

Now, you’re going to want to access the .htaccess file of your site. You can do this one of two ways:

  1. Using an FTP client like FileZilla
  2. Through your File Manager in your host’s cPanel

For this WordPress tutorial, I’m going to explain how to do this through your cPanel.

How To Disable Directory Browsing in WordPress using cPanel

For starters, you’ll want to login to your web hosting account and go to your cPanel.

cPanel Files Manager

 

Next, go down to the Files section and click on File Manager. Once you click there, you’ll have a box pop up asking when files you wish to look at (the files in a certain URL).

Select the Web Root directory option, select your domain and then make sure to check the box that says Show Hidden Files.

You will then be taken to another screen listing all the files within that certain domain. Scroll through the files that appear and look for the .htaccess file.

Before you open the file, download it and keep it somewhere safe. Next, click on the file and then go to the top of the screen that says View to that you can view the file.

There you should find a few lines of code including the following:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Now take this code:

Options All -Indexes

And put it at the end of the of that code so that it now looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Options All -Indexes

Save your changes and you have no locked down your directory from prying eyes. You can double check this by going to your site and adding /wp-includes/ to your URL again.

If you’ve done this correctly, you will get a 404 Error or Permission Error which means that your efforts have been successful!

To increase the security level, you can also customize the WordPress login URL  so that the hackers don’t have an easy way out to find the access to your WordPress Dashboard.

In Conclusion

Even though this isn’t what some would call a necessary step, it’s probably a step you should be taking anyway. Your files are important and should be kept private.

It will take a few minutes to do this, but it’s better to take the precaution and keep things safe.

Download
Download 3 WordPress themes & plugins​ with lifetime access for FREE!
x