Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

How to Disable Directory Browsing in WordPress

Editorial Note: We earn a commission from partner links on WPBeginner. Commissions do not affect our editors' opinions or evaluations. Learn more about Editorial Process.

Do you want to disable directory browsing in WordPress?

Directory browsing can put your site at risk by showing important information to hackers which can be used to exploit vulnerabilities in your site’s plugins, themes, or even your hosting server.

In this article, we will show you how you can disable directory browsing in WordPress.

How to disable directory browsing in WordPress

What Does Disabling Directory Browsing in WordPress Do?

Every time someone visits your website, your web server will process that request.

Usually, the server delivers an index file to the visitor’s browser, such as index.html. However, if the server can’t find an index file, then it may show all the files and folders in the requested directory instead.

This is directory browsing, and it’s often enabled by default.

If you’ve ever visited a site and seen a list of files and folders instead of a webpage, then you’ve seen directory browsing in action.

A WordPress site with directory browsing enabled

The problem is that hackers can use directory browsing to see the files that make up your website, including all the themes and plugins that you’re using.

If any of these themes or plugins have known vulnerabilities, then hackers can use this knowledge to take control of your WordPress blog or website, steal your data, or perform other actions.

Attackers may also use directory browsing to look at the confidential information inside your files and folders. They might even copy your website’s contents, including content that you would usually charge for such as ebook downloads or online courses.

This is why it’s considered a best practice to disable directory browsing in WordPress.

How to Check is Directory Browsing is Enabled in WordPress

The easiest way to check whether directory browsing is currently enabled for your WordPress website is by simply visiting the /wp-includes/ folder link like this: https://example.com/wp-includes/.

You’ll want to replace www.example.com with your website’s URL.

If you get a 403 Forbidden or similar message, then directory browsing is already disabled on your WordPress website.

A website with directory browsing disabled

If you see a list of files and folders instead, then this means that directory browsing is enabled for your website.

A WordPress site with directory browsing enabled

Since this makes your website more vulnerable to attack, you’ll typically want to block directory browsing in WordPress.

How to Disable Directory Browsing in WordPress

To disable directory listing, you’ll need to add some code to your site’s .htaccess file.

To access the file, you’ll need an FTP client, or you can use the file manager app inside your WordPress hosting control panel.

If this is your first time using FTP, then you can see our complete guide on how to connect to your site using FTP.

After connecting to your site, simply open your website’s ‘public’ folder and find the .htaccess file. You can edit the .htaccess file by downloading it to your desktop and then opening it in a text editor like Notepad.

At the very bottom of the file, simply add the following code:

Options -Indexes

It will look something like this:

The WordPress .htaccess file

Once you’re done, save your .htaccess file and upload it back to your server using an FTP client.

That’s it. Now if you visit the same http://example.com/wp-includes/ URL, you’ll get a 403 Forbidden or similar message.

How to disable directory browsing in WordPress

We hope this article helped you learn how to disable directory browsing in WordPress. You may also want to see our ultimate WordPress security guide, or see our expert pick of the best WordPress membership plugin to protect your files.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

Editorial Staff

Editorial Staff at WPBeginner is a team of WordPress experts led by Syed Balkhi with over 16 years of experience in WordPress, Web Hosting, eCommerce, SEO, and Marketing. Started in 2009, WPBeginner is now the largest free WordPress resource site in the industry and is often referred to as the Wikipedia for WordPress.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Reader Interactions

94 CommentsLeave a Reply

  1. Syed Balkhi says

    Hey WPBeginner readers,
    Did you know you can win exciting prizes by commenting on WPBeginner?
    Every month, our top blog commenters will win HUGE rewards, including premium WordPress plugin licenses and cash prizes.
    You can get more details about the contest from here.
    Start sharing your thoughts below to stand a chance to win!

  2. Jiří Vaněk says

    Thanks for the advice. On directory browsing, or that I have it enabled, the AIO SEO plugin keeps warning me. I have currently solved the problem by making the folders have an index file that is empty. Is it possible to take this as one of the possible solutions?

    • WPBeginner Support says

      You can try that method but we would still recommend the htaccess method from our guide.

      Admin

      • Jiří Vaněk says

        Thanks for the advice, I finally used the Options -Indexes method now and AIO SEO already reports the problem as solved. Thanks again.

  3. Ka Khaliq says

    After editing the htaccess file as per the provided guidelines, I do see 403 Forbidden message for /wp-includes/. But I’m unable to see edit any post. Upon editing a post, I see the same 403 Forbidden message. How to solve this?

Leave a Reply to Dina D Cancel reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

WPBeginner Assistant
How can I help you?

By chatting, you consent to this chat being stored according to our privacy policy and your email will be added to receive weekly WordPress tutorials from WPBeginner.