Have you found yourself in a position where you need to disable directory browsing in WordPress? We recently did, and were very surprised to find directory browsing was enabled in the first place! And, we had actually covered this in our WordPress Security Guide (embarrassing)! Leaving directory browsing enabled can expose your WordPress site to hackers, potentially arming them with what they need to hack your site. As it turns out, performing a WordPress site simple migration left us in this position.
What is WordPress directory browsing?
Directory browsing isn’t unique to WordPress, it applies to any type of website. What the name implies alludes to what ‘WordPress directory browsing’ is: it means that directories on a WordPress site can be accessed and browsed. But wait, there’s more, and this is the bad part. What it means more specifically:
When enabled, WordPress directory browsing allows the general public – anyone – to browse directories on a WordPress site.
If you own or manage a WordPress site with directory browsing enabled, you should disable it immediately.
How to check if directory browsing is enabled
The easiest way to know if directory browsing is enabled for a WordPress site is to open a web browser and enter your site’s URL followed by ‘/wp-includes/‘. If you see ‘Index of /wp-includes’ followed by a bulleted list of files and directories, directory browsing is enabled. If it not enabled, you will be served your WordPress site’s 404 page, or a 403 Forbidden page.
Below we will explain the risk for those who are newer to WordPress, or simply don’t know why this would be a problem. But, first things first: here’s how to disable directory browsing.
How to disable WordPress directory browsing
We host this website at our recommended managed WordPress hosting company Rocket.net. Rocket.net has a file manager built in to their WordPress dashboard, and we will use it to access the file we need to edit. If your web host doesn’t have a file manager, or if you prefer to use FTP, the process is the same.
With just a few simple steps directory browsing in WordPress can be disabled.
Total Time: 5 minutes
Locate the .htaccess file for your WordPress website.
Either using an FTP program or your web hosting file manager, locate the .htaccess file. It will be located in the root of your public website folder.
Make a backup copy of the .htaccess
If something goes wrong when editing the .htaccess file your site could go down. Making a backup will allow you to restore the working .htaccess file in the event of a mishap. Since we are only making a simple edit, we opted to download a copy as a backup before editing the file.
Edit the .htaccess file
Open your .htaccess file in a code editor. Scroll to the bottom of the file, past the line ‘#END WordPress’ and add the following on a new line:
Options -Indexes
Save the .htaccess file
If you are editing the file in-place, save and close it. If you are editing a copy you downloaded from the server, upload the new version in place of the old one.
That’s it! You can check to ensure directory browsing is enabled by once again opening a web browser and entering your site’s URL followed by ‘/wp-includes/’. You show now not be able to see the listing of files, but instead a 404 or 403 web page. In our case, we get our WordPress site’s 404 page now.
The risk of allowing directory browsing of your site
When malicious attackers are trying to identify a way to compromise a website, the more information they have, the better. WordPress sites are often targeted as it is so widely used, and because like many CMS platforms, WordPress has a huge vulnerability: the inclusion of third-party plugins and themes.
Every WordPress site owner or administrator has received notices from their hosting provider or a theme or plugin developer urging them to upgrade or disable a plugin or theme due to a known security vulnerability. For this reason, hackers often seek out sites that haven’t updated a compromised plugin or theme as its a known entry point.
This can be time consuming and often impossible if a WordPress site is well secured. If directory browsing is enabled, not only is the site insecure, it is providing the very information hackers need when looking for targets to attack.
Simply put, directory browsing puts your website at risk as hackers have access to all kinds of information that could help them exploit weakly secured WordPress website hosting, themes and plugins.
How do hackers gain access to WordPress sites?
According to a 2021 paper published by Sucuri, themes and plugins represent 99.42% of all WordPress security vulnerabilities. The overwhelming majority of which are plugin vulnerabilities at 92.81%. We reviewed Sucuri and it is a great WordPress security plugin if you are in need of one.
Since knowing which plugins a WordPress site has and what version those plugins are make a hacker’s life easier, be sure your site has directory browsing disabled.
