We have seen many websites that don’t disable directory browsing. Unfortunately, this tiny mistake can expose sensitive information to hackers and may harm a website.
Directory browsing allows others to see your site’s files and folders. Hackers can then use this information to find vulnerabilities in plugins, themes, or your hosting server.
Taking this simple step can significantly improve your site’s security. It’s a quick fix that every website owner should know.
In this guide, we will show you how to disable directory browsing in WordPress. This will help you protect your site and keep your data safe.
What Does Disabling Directory Browsing in WordPress Do?
When a visitor accesses a website, the web server processes their request. Typically, the server delivers an index file, such as index.html, to their browser.
If an index file is missing, the server may display a list of all files and folders in that directory. This behavior, known as directory browsing, is commonly enabled by default on hosting servers.
We have seen first-hand how directory browsing can expose sensitive information about a site’s structure. This information could be used to identify vulnerabilities in plugins, themes, or even hosting setups.
Visitors might come across directory browsing when they see a plain list of files and folders instead of a webpage. This unintended access can lead to security risks if not addressed.
Hackers often exploit directory browsing to view a site’s files, including themes and plugins. If any of these have known vulnerabilities, attackers can use that information to compromise the website.
In many cases, directory browsing can also expose private or paid content, such as ebook downloads or online courses. This can lead to unauthorized copying and revenue loss.
Disabling directory browsing is a simple yet effective way to prevent these risks. It’s one of the first steps we recommend for securing a WordPress site.
How to Check if Directory Browsing Is Enabled in WordPress
An easy way to check if directory browsing is enabled on your WordPress website is by visiting the /wp-includes/ folder directly.
For example, just enter a URL like this: https://example.com/wp-includes/ in your browser.
Make sure to replace example.com with your actual website’s domain name. This simple test works across most WordPress installations.
If you see a 403 Forbidden message or a similar error, then directory browsing is already disabled. This is a good sign as it means your website is more secure.
If a list of files and folders appears instead, then directory browsing is enabled.
This is something that leaves websites vulnerable to malicious attacks.
In our experience, enabling directory browsing exposes sensitive information and increases security risks. For this reason, it’s best to disable directory browsing in WordPress to keep your site safe.
How to Disable Directory Browsing in WordPress
To disable directory listing, you’ll need to add some code to your site’s .htaccess file.
To access the file, you’ll need an FTP client, or you can use the file manager app inside your WordPress hosting control panel.
If this is your first time using FTP, then you can see our complete guide on how to connect to your site using FTP.
After connecting to your site, simply open your website’s public folder and find the .htaccess file. You can then edit the .htaccess file by downloading it to your desktop and then opening it in a text editor like Notepad.
At the very bottom of the file, simply add the following code:
Options -Indexes
It will look something like this:
Once you’re done, save your .htaccess file and upload it back to your server using an FTP client.
That’s it. Now, if you visit the same http://example.com/wp-includes/ URL, you’ll get a 403 Forbidden or similar message.
Expert Tip: If you suspect your WordPress website may have been hacked, then see our guide on fixing a hacked WordPress website. Alternatively, you choose our professional hacked WordPress site repair service and hire professional WordPress security experts to clean your website straight away.
Additional Reading:
Want to keep your WordPress website secure and error-free? You may find the following articles useful:
- Beginner’s Guide to WordPress File and Directory Structure
- Most Common WordPress Errors and How to Fix Them
- How to Fix File and Folder Permissions Error in WordPress
- How to Password Protect Your WordPress Admin (wp-admin) Directory
We hope this article helped you learn how to disable directory browsing in WordPress. You may also want to see our ultimate WordPress security guide or see our expert pick of the best WordPress security plugins.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Dennis Muthomi
I noticed that I have directory browsing disabled on my WordPress site, because I got a 403 error when trying to access wp-includes, yet I don’t remember ever having edited my .htaccess file to do so.
Does WordPress automatically disable directory browsing during initial installation?
WPBeginner Support
Unless there was a recent change it does not by default, it may be your hosting provider’s default settings for htaccess.
Admin
Dennis Muthomi
That’s what I was suspecting also, thanks for clarifying that WordPress doesn’t disable directory browsing by default.
And the respond too
Dayo Olobayo
I didn’t even know that this vulnerability existed. Just checked mine and got the 403 error. which means directory browsing is disabled. Thank you.
WPBeginner Support
You’re welcome
Admin
Jiří Vaněk
Thanks for the advice. On directory browsing, or that I have it enabled, the AIO SEO plugin keeps warning me. I have currently solved the problem by making the folders have an index file that is empty. Is it possible to take this as one of the possible solutions?
WPBeginner Support
You can try that method but we would still recommend the htaccess method from our guide.
Admin
Jiří Vaněk
Thanks for the advice, I finally used the Options -Indexes method now and AIO SEO already reports the problem as solved. Thanks again.
Ka Khaliq
After editing the htaccess file as per the provided guidelines, I do see 403 Forbidden message for /wp-includes/. But I’m unable to see edit any post. Upon editing a post, I see the same 403 Forbidden message. How to solve this?
WPBeginner Support
There may be an issue with your file permissions, we would recommend taking a look at our guide below for fixing your permissions:
https://www.wpbeginner.com/wp-tutorials/how-to-fix-the-403-forbidden-error-in-wordpress/
Admin
Ka Khaliq
The issue resolved after clearing the web history/cache.
Thanks for your time.
Dina D
Thank you so much! Clear, concise, and easy to follow. Thank you so much!
WPBeginner Support
You’re welcome!
Admin
Rabee Khan
Thank You… precise and easy to understand!
WPBeginner Support
Glad our guide was helpful!
Admin
Kimmy
Thanks for the two-word solution! Lol. Worked perfectly!
WPBeginner Support
Glad we could help!
Admin
Seashell
I was shocked to see the folders accessible right in the browser.
Thanks for your solution!
WPBeginner Support
Glad we could help!
Admin