Do you want to disable directory browsing in WordPress?
Directory browsing can put your site at risk by showing important information to hackers, which can be used to exploit vulnerabilities in your site’s plugins, themes, or even your hosting server.
In this article, we will show you how you can disable directory browsing in WordPress.
What Does Disabling Directory Browsing in WordPress Do?
Every time someone visits your website, your web server will process that request.
Usually, the server delivers an index file to the visitor’s browser, such as index.html. However, if the server can’t find an index file, it may instead show all the files and folders in the requested directory.
This is called directory browsing, and it’s often enabled by default on your hosting server.
If you’ve ever visited a site and seen a list of files and folders instead of a webpage, then you’ve seen directory browsing in action.
The problem is that hackers can use directory browsing to see the files that make up your website, including all the themes and plugins you use.
If any of these themes or plugins have known vulnerabilities, then hackers can use this knowledge to take control of your WordPress blog or website, steal your data, or perform other actions.
Attackers may also use directory browsing to look at the confidential information inside your files and folders. They might even copy your website’s contents, including content that you would usually charge for, such as ebook downloads or online courses.
This is why it’s considered a best practice to disable directory browsing in WordPress.
How to Check if Directory Browsing is Enabled in WordPress?
The easiest way to check whether directory browsing is currently enabled for your WordPress website is by simply visiting the /wp-includes/ folder link like this: https://example.com/wp-includes/.
You’ll want to replace www.example.com with your website’s URL.
If you get a 403 Forbidden or similar message, then directory browsing is already disabled on your WordPress website.
If you see a list of files and folders instead, then this means that directory browsing is enabled for your website.
Since this makes your website more vulnerable to attack, you’ll typically want to block directory browsing in WordPress.
How to Disable Directory Browsing in WordPress
To disable directory listing, you’ll need to add some code to your site’s .htaccess file.
To access the file, you’ll need an FTP client, or you can use the file manager app inside your WordPress hosting control panel.
If this is your first time using FTP, then you can see our complete guide on how to connect to your site using FTP.
After connecting to your site, simply open your website’s ‘public’ folder and find the .htaccess file. You can edit the .htaccess file by downloading it to your desktop and then opening it in a text editor like Notepad.
At the very bottom of the file, simply add the following code:
Options -Indexes
It will look something like this:
Once you’re done, save your .htaccess file and upload it back to your server using an FTP client.
That’s it. Now if you visit the same http://example.com/wp-includes/ URL, you’ll get a 403 Forbidden or similar message.
Expert Tip: If you suspect your WordPress website may have been hacked, then see our guide on fixing a hacked WordPress website. Alternatively, you can take a look at our professional hacked WordPress site repair service and hire professional WordPress security experts to clean your website.
We hope this article helped you learn how to disable directory browsing in WordPress. You may also want to see our ultimate WordPress security guide or see our expert pick of the best WordPress security plugins.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
Dennis Muthomi
I noticed that I have directory browsing disabled on my WordPress site, because I got a 403 error when trying to access wp-includes, yet I don’t remember ever having edited my .htaccess file to do so.
Does WordPress automatically disable directory browsing during initial installation?
WPBeginner Support
Unless there was a recent change it does not by default, it may be your hosting provider’s default settings for htaccess.
Admin
Dennis Muthomi
That’s what I was suspecting also, thanks for clarifying that WordPress doesn’t disable directory browsing by default.
And the respond too
Dayo Olobayo
I didn’t even know that this vulnerability existed. Just checked mine and got the 403 error. which means directory browsing is disabled. Thank you.
WPBeginner Support
You’re welcome
Admin
Jiří Vaněk
Thanks for the advice. On directory browsing, or that I have it enabled, the AIO SEO plugin keeps warning me. I have currently solved the problem by making the folders have an index file that is empty. Is it possible to take this as one of the possible solutions?
WPBeginner Support
You can try that method but we would still recommend the htaccess method from our guide.
Admin
Jiří Vaněk
Thanks for the advice, I finally used the Options -Indexes method now and AIO SEO already reports the problem as solved. Thanks again.
Ka Khaliq
After editing the htaccess file as per the provided guidelines, I do see 403 Forbidden message for /wp-includes/. But I’m unable to see edit any post. Upon editing a post, I see the same 403 Forbidden message. How to solve this?
WPBeginner Support
There may be an issue with your file permissions, we would recommend taking a look at our guide below for fixing your permissions:
https://www.wpbeginner.com/wp-tutorials/how-to-fix-the-403-forbidden-error-in-wordpress/
Admin
Ka Khaliq
The issue resolved after clearing the web history/cache.
Thanks for your time.
Dina D
Thank you so much! Clear, concise, and easy to follow. Thank you so much!
WPBeginner Support
You’re welcome!
Admin
Rabee Khan
Thank You… precise and easy to understand!
WPBeginner Support
Glad our guide was helpful!
Admin
Kimmy
Thanks for the two-word solution! Lol. Worked perfectly!
WPBeginner Support
Glad we could help!
Admin
Seashell
I was shocked to see the folders accessible right in the browser.
Thanks for your solution!
WPBeginner Support
Glad we could help!
Admin