Beginner's Guide for WordPress - Start your WordPress Blog in minutes.
Choosing the Best
WordPress Hosting
How to Easily
Install WordPress
Recommended
WordPress Plugins
View all Guides

How to Disable Directory Browsing in WordPress

Last updated on by
Follow WPBeginner on YouTube
How to Disable Directory Browsing in WordPress

By default when your web server does not find an index file (i.e. a file like index.php or index.html), it automatically displays an index page showing the contents of the directory. This could make your site vulnerable to hack attacks by revealing important information needed to exploit a vulnerability in a WordPress plugin, theme, or your server in general. In this article, we will show you how to disable directory browsing in WordPress.

An example of directory index browsing in WordPress

Why You Need to Disable Directory Browsing in WordPress

Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access. For the comprehensive security of our sites, we use Sucuri for WordPress security. They have a simple dashboard which allows us to do this and perform many other WordPress security strengthening steps with in few clicks.

Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.

Video Tutorial

If you don’t like the video or need more instructions, then continue reading.

To disable directory browsing in WordPress all you need to do is add a single line of code in your WordPress site’s .htaccess file located in the root directory of your website. To edit the .htaccess file you need to connect to your website using an FTP client.

Once connected to your website, you will find a .htaccess file in your site’s root directory. .htaccess is a hidden file, and if you can not find it on your server, you need to make sure that you have enabled your FTP client to show hidden files.

You can edit your .htaccess file by downloading it to your desktop and opening it in a text editor like Notepad. Now at the end of your WordPress generated code in the .htaccess file simply add this line at the bottom:

Options -Indexes

Now save your .htaccess file and upload it back to your server using your FTP client. That’s all you need to do. Directory browsing is now disabled on your WordPress site and people trying to locate a directory index on your website will be redirected to WordPress 404 page.

We hope this article helped you learn how to disable directory browsing in WordPress to make your website more secure. For questions and feedback you can leave a comment below or join us on Twitter.


Editorial Staff at WPBeginner is a team of WordPress lovers led by Syed Balkhi. Page maintained by Syed Balkhi.

WPBeginner's Video Icon
Our HD-Quality tutorial videos for WordPress Beginners will teach you how to use WordPress to create and manage your own website in about an hour. Get started now »
  • Rahul

    Thank you so much for the tutorial!

    I was very concerned when I discovered some of my theme directories could be browsed. All good now, thanks to your tutorial. I never knew .htaccess packed in so much punch.

  • KeelAha

    Hello Syed Balkhi

    I just noticed that one of your site list25.com having directory browsing enabled on following folder.

    Not sure if that is important to you.

    http://list25.com/wp-includes/
    Have a great weekend and keep doing your good work.

    regards
    KeelAha

    • http://www.wpbeginner.com/ WPBeginner Support

      Disabled it, thanks :)

  • Logan

    Why do I get a blank page, and not an error when I try to access the ../wordpress/wp-content/ or ../wordpress/wp-content/plugins/ ?

    • http://www.wpbeginner.com/ WPBeginner Support

      It may depend on your theme or your hosting environment. Try enabling directory browsing and then access these directories. If you still get a blank page then this means that those directories have a blank index.php file in them.

  • Charlie Sasser

    I tested this before I made any changes with a location that didn’t have an index.php or .htm file and yes you can see all of the files. I added the suggested line at the end of the .htaccess. The location now creates a 403 error from the host and not a 404 error from WordPress. I’m running WP 3.8. Is this the expected behavior?

  • Abhisek

    Better WordPress Security plugin takes care of that.

    • Govinda

      How do I do it in Better Wp security.
      I have installed the plugin, but not able to find this feature

  • Costin

    Hi,

    Could you please tell me if “Options All -Indexes” is the same or better?

    Thank you!

    • http://www.wpbeginner.com/ WPBeginner Support

      Its the same.

  • David Trees

    Thanks for this important information.

    Do you mean;

    Here

    Options -Indexes
    # END WordPress

    OR

    # END WordPress
    Options -Indexes

    Thanks for your reply.

    Cheers
    David

    • http://www.wpbeginner.com/ WPBeginner Support

      Both should work the same but we meant the later one after the END WordPress