Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

How to Disable Directory Browsing in WordPress

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Do you want to disable directory browsing in WordPress?

Directory browsing can put your site at risk by showing important information to hackers, which can be used to exploit vulnerabilities in your site’s plugins, themes, or even your hosting server.

In this article, we will show you how you can disable directory browsing in WordPress.

How to disable directory browsing in WordPress

What Does Disabling Directory Browsing in WordPress Do?

Every time someone visits your website, your web server will process that request.

Usually, the server delivers an index file to the visitor’s browser, such as index.html. However, if the server can’t find an index file, it may instead show all the files and folders in the requested directory.

This is called directory browsing, and it’s often enabled by default on your hosting server.

If you’ve ever visited a site and seen a list of files and folders instead of a webpage, then you’ve seen directory browsing in action.

A WordPress site with directory browsing enabled

The problem is that hackers can use directory browsing to see the files that make up your website, including all the themes and plugins you use.

If any of these themes or plugins have known vulnerabilities, then hackers can use this knowledge to take control of your WordPress blog or website, steal your data, or perform other actions.

Attackers may also use directory browsing to look at the confidential information inside your files and folders. They might even copy your website’s contents, including content that you would usually charge for, such as ebook downloads or online courses.

This is why it’s considered a best practice to disable directory browsing in WordPress.

How to Check if Directory Browsing is Enabled in WordPress?

The easiest way to check whether directory browsing is currently enabled for your WordPress website is by simply visiting the /wp-includes/ folder link like this: https://example.com/wp-includes/.

You’ll want to replace www.example.com with your website’s URL.

If you get a 403 Forbidden or similar message, then directory browsing is already disabled on your WordPress website.

A website with directory browsing disabled

If you see a list of files and folders instead, then this means that directory browsing is enabled for your website.

A WordPress site with directory browsing enabled

Since this makes your website more vulnerable to attack, you’ll typically want to block directory browsing in WordPress.

How to Disable Directory Browsing in WordPress

To disable directory listing, you’ll need to add some code to your site’s .htaccess file.

To access the file, you’ll need an FTP client, or you can use the file manager app inside your WordPress hosting control panel.

If this is your first time using FTP, then you can see our complete guide on how to connect to your site using FTP.

After connecting to your site, simply open your website’s ‘public’ folder and find the .htaccess file. You can edit the .htaccess file by downloading it to your desktop and then opening it in a text editor like Notepad.

At the very bottom of the file, simply add the following code:

Options -Indexes

It will look something like this:

The WordPress .htaccess file

Once you’re done, save your .htaccess file and upload it back to your server using an FTP client.

That’s it. Now if you visit the same http://example.com/wp-includes/ URL, you’ll get a 403 Forbidden or similar message.

How to disable directory browsing in WordPress

Expert Tip: If you suspect your WordPress website may have been hacked, then see our guide on fixing a hacked WordPress website. Alternatively, you can take a look at our professional hacked WordPress site repair service and hire professional WordPress security experts to clean your website.

We hope this article helped you learn how to disable directory browsing in WordPress. You may also want to see our ultimate WordPress security guide or see our expert pick of the best WordPress security plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

99 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Dennis Muthomi says

    I noticed that I have directory browsing disabled on my WordPress site, because I got a 403 error when trying to access wp-includes, yet I don’t remember ever having edited my .htaccess file to do so.
    Does WordPress automatically disable directory browsing during initial installation?

    • WPBeginner Support says

      Unless there was a recent change it does not by default, it may be your hosting provider’s default settings for htaccess.

      Admin

      • Dennis Muthomi says

        That’s what I was suspecting also, thanks for clarifying that WordPress doesn’t disable directory browsing by default.
        And the respond too :)

  3. Dayo Olobayo says

    I didn’t even know that this vulnerability existed. Just checked mine and got the 403 error. which means directory browsing is disabled. Thank you.

  4. Jiří Vaněk says

    Thanks for the advice. On directory browsing, or that I have it enabled, the AIO SEO plugin keeps warning me. I have currently solved the problem by making the folders have an index file that is empty. Is it possible to take this as one of the possible solutions?

    • WPBeginner Support says

      You can try that method but we would still recommend the htaccess method from our guide.

      Admin

      • Jiří Vaněk says

        Thanks for the advice, I finally used the Options -Indexes method now and AIO SEO already reports the problem as solved. Thanks again.

  5. Ka Khaliq says

    After editing the htaccess file as per the provided guidelines, I do see 403 Forbidden message for /wp-includes/. But I’m unable to see edit any post. Upon editing a post, I see the same 403 Forbidden message. How to solve this?

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.