Preventing Directory Browsing with .htaccess

In the past few weeks I have written a few posts about plugins I have installed to assist with administering Technically Easy. I find it very important to perform regular maintenance on both the WordPress database and the files to ensure my blog is constantly running. One thing I haven’t touched on is the importance of securing my WordPress blog.

There are many web sites and blogs that provide great tips on how you can secure your WordPress blog, and I may repeat some of those in the future. In this post, however, I will discuss a problem that is evident in many WordPress blogs. This problem is the ability of a visitor to browse the contents of the WordPress directories on your host. If you are unsure if a visitor is able to browse a directory, then I’ll show you how you can test it, and also show you an easy fix to correct the problem.

Checking for Browsing Ability

Before I discuss a solution to directory browsing, let’s talk a bit about what this means from a security point of view. When you enable a visitor to browse a directory of your WordPress blog, you are providing them the ability to view all the files in the directory. They can even navigate between folders. This is all done within their web browser. Imagine if a hacker had full access to view any file on your web site or blog. Even scrapers (those looking for content to publish on their site) can easily download any file and then upload it to their site.

Some web hosts may have turned off this ability, while others may have left it on. To check if your host has left this ability on, do the following:

  1. Open your web browser.
  2. Let's pick a common WordPress directory. In your browser type the following:
    [your blog domain]/wp-content/plugins/
  3. If you see a list of directories and files displayed, then directory browsing is enabled. If you see a blank screen, or a message, such as Forbidden, then directory browsing is disabled.
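
The manual check above can be scripted against your own site. This is an added example, not code from the original post; the directories other than /wp-content/plugins/, the example.test host and the sample responses are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# /wp-content/plugins/ is the directory used in the post; the others are assumed.
WP_DIRS = ["/wp-content/plugins/", "/wp-content/uploads/", "/wp-includes/"]
# Apache's generated listing pages carry the title "Index of /<path>".
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

def classify(status, body):
    """Map one HTTP response to the outcomes described in step 3."""
    if status == 200 and LISTING_RE.search(body):
        return "enabled"        # file list is visible to any visitor
    if status == 403 or status == 200:
        return "disabled"       # Forbidden, blank page, or an index file
    if status >= 500:
        return "server-error"   # e.g. a rejected directive in .htaccess
    return "inconclusive"       # 404 (directory absent) and anything else

def fetch(url, timeout=10):
    """Return (status, body); HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def audit(base_url, fetcher=fetch):
    """Check each directory under base_url and return {path: outcome}."""
    base = base_url.rstrip("/")
    return {path: classify(*fetcher(base + path)) for path in WP_DIRS}

# Constructed sample responses so the example runs offline.
SAMPLES = {
    "https://example.test/wp-content/plugins/":
        (200, "<html><head><title>Index of /wp-content/plugins</title></head></html>"),
    "https://example.test/wp-content/uploads/": (403, "<h1>Forbidden</h1>"),
    "https://example.test/wp-includes/": (200, ""),
}

def sample_fetcher(url):
    return SAMPLES[url]

if __name__ == "__main__":
    # Replace sample_fetcher with the default fetch to test your own site.
    for path, outcome in audit("https://example.test/", sample_fetcher).items():
        print(f"{path:25} {outcome}")
```

Run it once before editing .htaccess and again afterwards; every directory should report "disabled" after the change.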

There are several ways that you can disable this ability, and I’ll show you one way in the next section.

Turning Off Directory Browsing with .htaccess

One method of turning off directory browsing involves editing your .htaccess file, which should be located in the root of your web site or blog. Use the following steps to disable directory browsing on your web site or blog:

  1. Simply open the .htaccess file in a text editor.
  2. Next add the following lines to the file:
    # disable directory browsing (the "-" removes only Indexes; other options are inherited)
    Options -Indexes
  3. Save the file and attempt to access the same directory you did in the first part of this post. You should now receive a Forbidden message instead of the directory contents.

You have now implemented a security measure that will help protect your web site or blog. This is just one step out of many you can do to protect your site from intruders.


About Paul Salmon

Paul Salmon is the founder of Technically Easy. He is an experienced PC user, and enjoys solving computer-related problems that he encounters on a regular basis.


12 Comments

  1. Joe
    Posted November 3, 2012 at 9:50 am | Permalink

    Just what I was looking for! Thank you! :D

  2. Posted July 31, 2012 at 7:10 pm | Permalink

    thanks. this works perfectly.

  3. Scott
    Posted October 20, 2011 at 5:45 pm | Permalink

    Is there a downside to this that I should know about? Will media linked in posts still be downloadable? Will Google index the site properly? I only ask because it seems like such a large oversight from the otherwise detail-oriented developers behind WordPress.

    • Posted October 21, 2011 at 8:01 am | Permalink

      This only affects those that try to access the directory directly through the browser. This prevents the directory listing from being accessed directly. All content in the directory can still be linked to and downloaded from web pages, and also indexed by search engines.

  4. vanni linux
    Posted July 10, 2010 at 5:42 am | Permalink

    Thanks for sharing this .. i book marked it .. keep it up.
    TR

  5. Posted May 1, 2010 at 8:32 am | Permalink

    I was looking for a way to avoid directory browsing.. Thankz mate. Worked for me.

  6. Posted October 25, 2009 at 5:17 am | Permalink

    will this work?

  7. ill66
    Posted October 19, 2009 at 8:11 am | Permalink

    yes ok, there you are right^^

  8. ill66
    Posted October 18, 2009 at 6:11 pm | Permalink

    recently i worked around that problem by just uploading an empty html-file named index.htm in every subfolder (since i couldn’t remember the htaccess-commands^^).
    are there any drawbacks in comparison with your mentioned way?

    • Posted October 19, 2009 at 7:59 am | Permalink

      That way will work too. The only drawback is if you have hundreds of subfolders, then it may be easier to just edit the .htaccess file than remembering to include index.htm in all folders.

  9. Bestlistingz.com
    Posted May 5, 2009 at 2:13 am | Permalink

    Good idea as this is often overlooked.

  10. Arti
    Posted April 11, 2009 at 1:03 pm | Permalink

    Thanks you but i am living problem. Example example.com/directory/directory doesn't listing. Open index page and i don't read my image files. Please help me.
