If you’ve ever wondered how hackers manage to exploit WordPress sites, you’re not alone. Directory browsing is one of the vulnerabilities that raise concern. It poses a potential security risk where users, including hackers, can access and view the contents of directories on a website’s server.
This security flaw presents a substantial risk, potentially exposing sensitive information and jeopardizing the overall safety and integrity of the website.
The good news is that you can protect your site by disabling directory browsing. In this blog, we’ll walk you through step-by-step instructions on how to disable directory browsing in WordPress.
Before we proceed, let’s quickly look at why directory browsing matters for WordPress website security.
What is directory browsing and why should you disable it in WordPress?
Imagine you have a WordPress website with various directories storing important files, such as media files, plugins, and theme components.
In a properly configured setup, these directories remain hidden from public access, ensuring that sensitive information is kept secure. However, if the server is misconfigured or lacks the necessary security measures, directory browsing can become unintentionally enabled.
In such a scenario, anyone, including potential hackers, can easily access your website’s directories, gaining insights into your file structure and potentially exploiting any security vulnerabilities they discover.
To avoid this risk, it is crucial to disable directory browsing in WordPress and maintain robust security protocols to boost site security.
How to disable directory browsing in WordPress?
There are three methods to disable directory browsing in WordPress. Let’s examine each of them step by step.
1. Disable directory browsing in WordPress using a plugin
There are several security plugins available, such as Sucuri Security, iThemes Security, and Wordfence Security, that can disable directory browsing in WordPress. However, the specific steps might vary slightly depending on the plugin you choose, as plugin interfaces can differ.
One popular plugin for disabling directory browsing is “iThemes Security” (formerly known as Better WP Security). Here are the general steps to disable directory browsing using the iThemes Security plugin:
- Install and activate the iThemes Security plugin from the WordPress Dashboard by navigating to “Plugins” > “Add New” and searching for “iThemes Security.”
- Once activated, go to “Security” in the WordPress Dashboard sidebar and then click on “Settings.”
- Within the “Settings” tab, look for “System Tweaks.” In this section, you’ll find the option to disable directory browsing.
- Check the box next to “Disable Directory Browsing” to enable the feature.
- Click the “Save Settings” button to apply the changes.
The plugin will now disable directory browsing on your WordPress site, helping to enhance WordPress site security.
2. Disable directory browsing in WordPress using a .htaccess file editor
- Open the File Manager in cPanel.
- Log in to your cPanel account, access the “Files” section, and access the File Manager.
- Now select the “Edit” option to modify the .htaccess file.
- The .htaccess file is typically located in the public directory of your website. Find it and right-click to select the “Edit” option.
- Insert the line of code – “Options -Indexes” into the .htaccess file.
- Save the changes.
NOTE: Please exercise caution when working with .htaccess files, as incorrect modifications can cause issues with your website. If you’re unsure, consider using a WordPress plugin for this purpose or seek assistance from someone experienced in handling .htaccess files.
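If you have shell access instead of a file editor, the same change can be made with a backup and without adding the line twice. This is an added example, not code from the original article; the function name add_no_indexes is hypothetical, and it assumes an Apache server that honours .htaccess files.

```shell
#!/bin/sh
# Added example: idempotently add "Options -Indexes" to a .htaccess file.
# add_no_indexes is a hypothetical helper name; pass it the path to your
# site's .htaccess (for example the one in the public directory).

# add_no_indexes FILE -> prints "added", "unchanged", "conflict" or "missing"
add_no_indexes() {
    f=$1
    [ -f "$f" ] || { echo "missing"; return 1; }

    # An active (uncommented) Options line that already removes Indexes.
    if grep -Eiq '^[[:space:]]*Options[[:space:]]([^#]*[[:space:]])?-Indexes([[:space:]]|$)' "$f"; then
        echo "unchanged"
        return 0
    fi

    # An active Options line that turns listings on: do not edit blindly,
    # report it so a person can decide which directive should win.
    if grep -Eiq '^[[:space:]]*Options[[:space:]]([^#]*[[:space:]])?\+?Indexes([[:space:]]|$)' "$f"; then
        echo "conflict"
        return 2
    fi

    # Keep a copy to roll back to if the site breaks after the edit.
    cp -p "$f" "$f.bak" || return 1

    # Append at the end of the file, outside the "# BEGIN WordPress" ...
    # "# END WordPress" block, which WordPress rewrites on its own.
    printf '\n# Disable directory listings\nOptions -Indexes\n' >> "$f"
    echo "added"
}
```

If the site returns an error after the change, copy the .bak file back over .htaccess to restore the previous state.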
3. Disable directory browsing in WordPress with cPanel
In this method, we’ll use the File Manager, which is available in various hosting panels like cPanel, Plesk, or other similar interfaces. Regardless of the specific hosting panel you have, the process is generally similar.
- Log in to the hosting panel (like cPanel) and find the File Manager in the files section.
- Find the “public_html” directory.
Once you access the File Manager, the left panel will display the top directories of your website, while the right panel shows the directories and files within the selected directory. Look for the “public_html” directory, which is usually located in the “home_directory.” Ensure that the “home_directory” is loaded in the left pane.
- Click on the “public_html” directory, and you’ll see multiple options. Choose “Manage indices” from this menu. On the next page, you’ll find the option to allow or disallow the directory index display.
- Select the “No Indexing” option and click the “Save” button. This action will disable directory browsing for your WordPress site.
- You will receive a confirmation message indicating that the indices are turned off, and directory browsing is now disabled.
- When you check your website’s “wp-includes” page or any other directory, you should see a forbidden page instead of the directory content. This confirms that directory browsing has been successfully disabled.
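The final check above can be scripted so you can repeat it across several directories of your own site after any of the three methods. This is an added example, not part of the original article; the function names are hypothetical, it assumes curl is installed, and the URLs you pass are your own site's directories.

```shell
#!/bin/sh
# Added example: confirm that directory listings are off on your own site.
# Usage: sh check_listing.sh https://example.com/wp-includes/ \
#            https://example.com/wp-content/uploads/
# (example.com is a placeholder; classify_listing and check_dir are
# hypothetical helper names.)

# classify_listing STATUS BODY_FILE
#   "blocked" : server answered 403, the forbidden page the article expects
#   "listing" : 200 and the body is an auto-generated "Index of /..." page
#   "other"   : anything else (an index file was served, a redirect, 404...)
classify_listing() {
    status=$1
    body=$2
    if [ "$status" = "403" ]; then
        echo "blocked"
    elif [ "$status" = "200" ] && grep -Eiq '<title>Index of /' "$body"; then
        echo "listing"
    else
        echo "other"
    fi
}

# check_dir URL : fetch one directory URL and classify the response.
check_dir() {
    tmp=$(mktemp) || return 1
    status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 "$1")
    classify_listing "$status" "$tmp"
    rm -f "$tmp"
}

# When URLs are given on the command line, report one result per URL.
if [ "$#" -gt 0 ]; then
    for url in "$@"; do
        printf '%s\t%s\n' "$(check_dir "$url")" "$url"
    done
fi
```

Any line that reports "listing" means that directory is still browsable and the setting has not taken effect there.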