This post will help you avoid a potentially BIG problem if you have a WordPress blog on a host running the Apache Web Server. The problem is that your directories might be visible. I’ll explain why this is a problem and how to disable directory listing in WordPress. Hopefully you can sleep easier at night once you’ve checked this out!
What is a Directory Listing?
As a default on many hosts, any directory (or folder) that does not contain an index file (index.html, index.php) will mean the contents of your directories are visible for anyone to see.
For example, let’s take this fictional WordPress URL as an example:
If you visited this URL and your directory listings are visible, you’ll see something like this:
You wouldn’t need a password to access any of your WordPress directories or any of the files within them.
Why is it Bad to Leave WordPress Directory Listings Visible?
If your WordPress blog does not have its directories locked down, it’s bad for a couple of reasons:
- It’s possible that if someone can see the contents of your server directories you may have an exploitable vulnerability, especially if you have scripts within them.
- The ability to see the contents of your WordPress directories means anyone can access files you might not want them to, such as the tools you give to people when they sign up for newsletters.
Both of these reasons are a problem, but they can be rectified fairly simply.
How to Disable Directory Listing in WordPress
I am going to outline two methods which you can use to hide your directory listings.
1. WordPress Plugins
Firstly, you can use a plugin. There are a number you might use to tighten up your WordPress security across the board and hide your directory listings in the process.
You can find a bunch here and assess them for suitability: WordPress Security Plugins
2. Server Control Panel
You can also use your server control panel (such as cPanel, DirectAdmin or Plesk). I’ll show you the following 3 ways to disable WordPress directory listings:
- Disable WordPress Directory listings in the cPanel Admin Dashboard.
- Add a No Indexes rule to your .htaccess file using your cPanel File Manager tool.
- Add a No Indexes rule to your .htaccess file using an FTP client.
Since I use cPanel on my server, Ill explain how this works. However, other types of control panel will work in a similar way.
2.1 Disable Directory Listings in cPanel Admin Dashboard
In cPanel, you can disable your WordPress directory listing by using the File Manager tool.
Look in the FILES section of your main cPanel dashboard and click the File Manager icon.
A new window will open showing two panels. On the left-hand side you’ll see a list of all the directories on your server. On the right all you’ll find all the files and directories within your server home directory.
Make sure you are definitely viewing your home directory by clicking on it (as shown above). This is the very top level directory on your server that contains all your files.
Search for a directory called public_html in the right-hand panel, and right click on it to see options like these.
Click on Managing Indices and a new page will open. For me this new page is the Index Manager, but for you it might be called something slightly different. Regardless, you’ll see a bunch of configuration options similar to these:
Select the No Indexing option and save and this will disable directory listing in for you WordPress blog.
To see if this has worked, visit yourdomain.com/wp-content/uploads/ in a browser (substitute yourdomain.com for your actual domain).
Refresh the page and you should see your WordPress directory listings are no longer visible!
2.2 Updating Your .htaccess File Using Your cPanel File Manager Tool
Secondly, you can make a small change to one of your Apache files called .htaccess. This is a file residing in the home directory of WordPress blog.
.htaccess is a “hidden” file. This is a special type of file that ordinarily is not visible when looking in a directory. If you’re using cPanel or an FTP client, you’ll need to make sure you configure both to display hidden files.
Assuming you use Control Panel software on your hosting server, you can out how to make hidden files visible here: How to Show Hidden Files in cPanel File Manager.
In your control panel, use the File Manager tool to view and edit files directly on your server. Look in the FILES section of your main cPanel dashboard and click the File Manager icon.
You need to ensure your hidden files are visible and that you have the .htaccess file in your home directory.
When the file manager opens, look for the .htaccess file and make a backup copy by selecting it, right clicking and choose the option to make a copy.
You’ll have to add a unique name for your .htaccess backup, something like BKUP.htaccess.BKUP will do. If something goes wrong with the .htaccess file you modify, you’ll be able to delete it and simply restore it by renaming BKUP.htaccess.BKUP to .htaccess.
When you’ve made a backup, select the original .htaccess file again, right click on it and choose the edit option.
You’re going to add a the following line :
Be sure to enter a new line after inputting this so the .htaccess file ends with a blank line.
Save the file and visit yourdomain.com/wp-content/uploads/ in a browser (substitute yourdomain.com for your actual domain).
Refresh the page and you should no longer see your WordPress directory listing!
2.3 Updating Your .htaccess File Using an FTP Client
Use an FTP client such as Filezilla to access the files on your server and when you’re logged in and connected to your server, you should be located in your home directory automatically.
Check to make sure your FTP client is showing your hidden files. You do this in Filezilla by heading to the menu bar, clicking the Server option and selecting “Force showing hidden files“. Check your FTP client help tool for information on how you can do this.
When you’ve configured your FTP client to show hidden files, look for the file called .htaccess and download it to your computer.
Make another copy of this file on your desktop but rename it to BKUP.htaccess.BKUP. You can use this to restore .htaccess to your server if something goes wrong.
Open the .htaccess file on your computer using a plain text editor (such as Notepad in Windows or TextEdit in Mac) and add the following line:
Leave a blank line at the bottom of the file and ensure you save it as a plain text file. This is VERY important. Upload .htaccess from your desktop to your server home directory via your FTP client, choosing to overwrite existing files with the same name.
Go to yourdomain.com/wp-content/uploads/ in a browser (substitute yourdomain.com for your actual domain) and refresh to see you’ve disabled your WordPress directory listings.
If you can see all hidden files in your FTP client but .htaccess is not present, don’t panic… you can create one. Use a plain text editor on your computer and add the following line:
Leave a blank line at the bottom of the file and save it as a plain text file. Upload this to your home directory via your FTP client and you’ll be all set!
A Word of Warning
.htaccess is a very important file and if you do something to break it, your WordPress blog will no longer work. Make sure you always make a backup copy of it so you can restore it to your server if something goes wrong!
Thanks for reading.
Let me know how this works out for you. If you struggle to disable directory listing in WordPress, drop me a comment below and I’ll help out.