WordPress is without doubt one of the most recommended content management systems: 75 million websites, including business, blogging, professional, and entertainment sites, are currently built on it. Yet it is also among the platforms most exposed to online attacks, especially if you don't disable directory browsing. While most attacks result from unpatched versions and vulnerable plugins, another major source of WordPress data theft is the disclosure of essential WordPress files and directories.
This typically happens when the web server cannot find an index file (such as index.php or index.html) in a requested directory. By default, WordPress then displays an index page revealing the contents of that directory.
Browsing directories in WordPress
The WP-Hardening plugin allows you to fix directory browsing with one click. The plugin is a one-stop solution for most common WordPress security issues.
How it works:
- Install the WP Hardening plugin and activate it from the dashboard. Its icon will appear in the lower left corner of your admin panel.
- Go to the 'Security Correctors' tab.
- Navigate to 'Server Hardening' and toggle the button next to 'Hide Directory Listing of WP includes'.
(Screenshot: hiding the WP includes listing with the WP-Hardening plugin)
- And it's done!
Leaving this information public makes your site vulnerable to hackers and intruders: it hands them the information needed to exploit a potential vulnerability in a WordPress theme, plugin, or even the server itself.
Why disable directory browsing folders from the public?
Given the increasing number of attacks on the WordPress CMS, it is essential to turn off directory browsing. Attackers can use directory listings to find files with known vulnerabilities and then exploit them to gain unauthorized access. Outsiders can also use directory browsing to copy the contents of your files, map your directory structure, and gather other information. This is why it is imperative to restrict indexing and directory browsing.
This can be done by modifying your .htaccess file. The .htaccess file is a server configuration file that lets you define the rules your web server must follow for your website. It is located in the root folder of your WordPress site. To edit it, connect to your website using an FTP client. Before you start editing your .htaccess file, download a copy of it to your computer as a backup in case something goes wrong.
How to hide WP folders from public access?
Add the following line to the .htaccess file at the root of your website:
Options All -Indexes
Disabling directory browsing is one of the most underrated security countermeasures among webmasters. Most simply forget about this gap, which makes an attacker's job so much easier.
How To Disable Directory Browsing in WordPress
As a working example, the following is an image from one of my clients' websites before the fix was applied. As you can see, anyone can browse media uploads anytime they want, even those that have been uploaded but not displayed on the actual site.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Options All -Indexes
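As an added example (not code from the original post), the script below audits a .htaccess file for the directive this tutorial adds, merging Options directives in file order the way Apache does, and flags a caveat: Apache 2.4 rejects a line that mixes signed and unsigned tokens such as Options All -Indexes in .htaccess, so the signed-only form Options -Indexes is the safer spelling. SAMPLE_HTACCESS is a constructed file, and the listing detector assumes Apache's default autoindex page markup.

```python
# Constructed sample: the stock WordPress rewrite block plus the directive
# this post adds. Not a real client's file.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Options All -Indexes
"""

LISTING_OPTIONS = {"indexes", "all"}  # either token turns autoindex on


def audit_options(htaccess_text, server_default_indexes=True):
    """Merge every Options directive in file order the way Apache does:
    an unsigned list replaces the inherited set, +/- tokens adjust it.
    Returns (listing_enabled, problems)."""
    enabled = server_default_indexes  # assume the vhost allows Indexes
    problems = []
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not tokens or tokens[0].lower() != "options":
            continue
        signed = [t for t in tokens[1:] if t[0] in "+-"]
        unsigned = [t for t in tokens[1:] if t[0] not in "+-"]
        if signed and unsigned:
            # Apache 2.4 rejects this mix in .htaccess with an HTTP 500;
            # the signed-only form 'Options -Indexes' is the safe spelling.
            problems.append(f"line {lineno}: mixed signed/unsigned Options")
        if unsigned:
            enabled = any(t.lower() in LISTING_OPTIONS for t in unsigned)
        for t in signed:
            if t[1:].lower() in LISTING_OPTIONS:
                enabled = t[0] == "+"
    if enabled:
        problems.append("directory listings still enabled: add 'Options -Indexes'")
    return enabled, problems


def looks_like_listing(html):
    """Detect Apache's autoindex page in a fetched response body."""
    low = html.lower()
    return "<title>index of /" in low or "parent directory" in low
```

Run audit_options on your own .htaccess before and after the edit; a browser or curl fetch of /wp-content/uploads/ passed through looks_like_listing confirms the listing is gone.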
For this fix you need to access your site's .htaccess file. You can reach it in two easy ways:
- Using any FTP client like the popular FileZilla.
- Via the cPanel File Manager of your website host.
I hope this WordPress tutorial helped you secure your site with the simple step of disabling directory browsing.