Preventing Directory Browsing with .htaccess

In the past few weeks I have written a few posts about plugins I have installed to assist with administering Technically Easy. I find it very important to perform regular maintenance on both the WordPress database and the files to ensure my blog is constantly running. One thing I haven’t touched on is the importance of securing my WordPress blog.

There are many web sites and blogs that provide great tips on how you can secure your WordPress blog, and I may repeat some of those in the future. In this post, however, I will discuss a problem that is evident in many WordPress blogs. This problem is the ability of a visitor to browse the contents of the WordPress directories on your host. If you are unsure if a visitor is able to browse a directory, then I’ll show you how you can test it, and also show you an easy fix to correct the problem.

Checking for Browsing Ability

Before I discuss a solution to directory browsing, let’s talk a bit about what this means from a security point of view. When you enable a visitor to browse a directory of your WordPress blog, you are providing them the ability to view all the files in the directory. They can even navigate between folders. This is all done within their web browser. Imagine if a hacker had full access to view any file on your web site or blog. Even scrapers (those looking for content to publish on their site) can easily download any file and then upload it to their site.

Some web hosts may have turned off this ability, while others may have left it on. To check if your host has left this ability on, do the following:

  1. Open your web browser.
  2. Let’s pick a common WordPress directory. In your browser type the following:
    [your blog domain]/wp-content/plugins/
  3. If you see a list of directories and files displayed, then directory browsing is enabled. If you see a blank screen, or a message, such as Forbidden, then directory browsing is disabled.

There are several ways that you can disable this ability, and I’ll show you one way in the next section.

Turning Off Directory Browsing with .htaccess

One method of turning off directory browsing involves editing your .htaccess file, which should be located in the root of your web site or blog. Use the following steps to disable directory browsing on your web site or blog:

  1. Simply open the .htaccess file in a text editor.
  2. Next add the following lines to the file:
    # disable directory browsing
    Options All -Indexes
  3. Save the file and attempt to access the same directory you did in the first part of this post. You should now receive a Forbidden message instead of the directory contents.
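
The browser check from the first part of the post can also be scripted so it is easy to repeat before and after the .htaccess change. The following is an added example, not code from the original post: the function names, the "Index of /" title marker used to recognize an Apache listing page, and the sample responses are assumptions made for illustration.

```python
import re
import sys
import urllib.error
import urllib.request

# Apache's generated listing pages are titled "Index of /<path>" (marker assumed here).
LISTING_MARKER = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

# Constructed sample responses (status, body) so the classifier can be run offline.
SAMPLES = {
    "before fix": (200, "<html><head><title>Index of /wp-content/plugins</title></head>"
                        "<body><h1>Index of /wp-content/plugins</h1></body></html>"),
    "after fix": (403, "<html><head><title>403 Forbidden</title></head></html>"),
    "blank index file": (200, ""),
    "bad .htaccess": (500, "<title>500 Internal Server Error</title>"),
}


def classify(status, body):
    """Map a response to the outcomes in step 3 of the check."""
    if status == 200 and LISTING_MARKER.search(body):
        return "listing-enabled"
    if status == 403 or status == 200:
        # Forbidden message, or a blank/placeholder page: nothing is listed.
        return "listing-disabled"
    if status >= 500:
        # Seen when the host does not allow Options in .htaccess.
        return "server-error"
    return "inconclusive"  # e.g. 404: the directory does not exist


def check_directory(base_url, path="/wp-content/plugins/", timeout=10):
    """Request the directory on your own site and classify the response."""
    url = base_url.rstrip("/") + path
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(err.code, err.read(65536).decode("utf-8", "replace"))


if __name__ == "__main__":
    if len(sys.argv) == 2:  # usage: python check_listing.py https://your-blog.example
        print(check_directory(sys.argv[1]))
    else:
        for name, (status, body) in SAMPLES.items():
            print(f"{name}: {classify(status, body)}")
```

Run without arguments it classifies the constructed samples; run with your own blog's address it performs the live check against /wp-content/plugins/.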

You have now implemented a security measure that will help protect your web site or blog. This is just one step out of many you can do to protect your site from intruders.


13 Responses to “Preventing Directory Browsing with .htaccess”

  1. Joe says:

    Just what I was looking for! Thank you! 😀

  2. cory says:

    thanks. this works perfectly.

  3. Scott says:

    Is there a downside to this that I should know about? Will media linked in posts still be downloadable? Will google index the site properly? I only ask because it seems like such a large oversight from the otherwise detail oriented developers behind wordpress.

    • Paul Salmon says:

      This only affects those that try to access the directory directly through the browser. This prevents the directory listing from being accessed directly. All content in the directory can still be linked to and downloaded from web pages, and also indexed by search engines.

  4. vanni linux says:

    Thanks for sharing this .. i book marked it .. keep it up.
    TR

  5. I was looking for a way to avoid directory browsing.. Thankz mate. Worked for me.

  6. ill66 says:

    yes ok, there you are right^^

  7. ill66 says:

    recently i worked around that problem by just uploading an empty html-file named index.htm in every subfolder (since i couldn’t remember the htaccess-commands^^).
    are there any drawbacks in comparison with your mentioned way?

    • Paul says:

      That way will work too. The only drawback is if you have hundreds of subfolders, then it may be easier to just edit the .htaccess file than remembering to include index.htm in all folders.

  8. Bestlistingz.com says:

    Good idea as this is often overlooked.

  9. Arti says:

    Thanks you but i am living problem. Example example.com/directory/directory doesnt listing. Open index page and i dont read my image files. Please help me.
