Preventing Directory Browsing with .htaccess
In the past few weeks I have written a few posts about plugins I have installed to assist with administering Technically Easy. I find it very important to perform regular maintenance on both the WordPress database and the files to ensure my blog is constantly running. One thing I haven’t touched on is the importance of securing my WordPress blog.
There are many web sites and blogs that provide great tips on how you can secure your WordPress blog, and I may repeat some of those in the future. In this post, however, I will discuss a problem that is evident in many WordPress blogs. This problem is the ability of a visitor to browse the contents of the WordPress directories on your host. If you are unsure if a visitor is able to browse a directory, then I’ll show you how you can test it, and also show you an easy fix to correct the problem.
Checking for Browsing Ability
Before I discuss a solution to directory browsing, let’s talk a bit about what this means from a security point of view. When you enable a visitor to browse a directory of your WordPress blog, you are providing them the ability to view all the files in the directory. They can even navigate between folders. This is all done within their web browser. Imagine if a hacker had full access to view any file on your web site or blog. Even scrapers (those looking for content to publish on their site) can easily download any file and then upload it to their site.
Some web hosts may have turned off this ability, while others may have left it on. To check if your host has left this ability on, do the following:
- Open your web browser.
- Let's pick a common WordPress directory. In your browser type the following:
[your blog domain]/wp-content/plugins/
- If you see a list of directories and files displayed, then directory browsing is enabled. If you see a blank screen, or a message, such as Forbidden, then directory browsing is disabled.
There are several ways that you can disable this ability, and I’ll show you one way in the next section.
Turning Off Directory Browsing with .htaccess
One method of turning off directory browsing involves editing your .htaccess file, which should be located in the root of your web site or blog. Use the following steps to disable directory browsing on your web site or blog:
- Simply open the .htaccess file in a text editor.
- Next add the following lines to the file:
# disable directory browsing
Options All -Indexes
- Save the file and attempt to access the same directory you did in the first part of this post. You should now receive a Forbidden message instead of the directory contents.
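The browser check from the first section, and the re-check after saving .htaccess, can be scripted so you can run it against several directories of your own site at once. The script below is an added example and is not part of the original post: it fetches a URL with curl and reports whether the response looks like an Apache or nginx auto-generated listing (those pages carry an "Index of /..." title and a "Parent Directory" link). The two sample HTML bodies are constructed here for the built-in self-test; the URL you pass in is your own blog's directory.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether a web
# directory is listable, as a scripted version of the browser check.

# Constructed sample bodies used for the self-test below.
SAMPLE_LISTING='<html><head><title>Index of /wp-content/plugins</title></head>
<body><h1>Index of /wp-content/plugins</h1>
<a href="/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a></body></html>'

SAMPLE_FORBIDDEN='<html><head><title>403 Forbidden</title></head>
<body><h1>Forbidden</h1><p>You do not have permission to access this resource.</p></body></html>'

# Returns 0 (true) when the HTML passed as $1 looks like an auto-generated
# directory listing: Apache mod_autoindex and nginx autoindex both emit an
# "Index of /path" title, and Apache adds a "Parent Directory" link.
looks_like_listing() {
    printf '%s' "$1" | grep -qiE '<title>Index of /|>Parent Directory<'
}

# Fetch $1 with curl (network required) and classify the result.
# Return codes: 0 = listing enabled, 1 = not a listing, 2 = fetch failed.
check_dir_listing() {
    url="$1"
    body=$(curl -s -o - -w '\n%{http_code}' "$url") || {
        echo "fetch failed: $url"
        return 2
    }
    status=$(printf '%s\n' "$body" | tail -n 1)   # last line is the HTTP status
    html=$(printf '%s\n' "$body" | sed '$d')      # everything before it is the body
    if looks_like_listing "$html"; then
        echo "LISTING ENABLED (HTTP $status): $url"
        return 0
    fi
    echo "listing disabled (HTTP $status): $url"
    return 1
}

# Usage: ./check_listing.sh https://your-blog.example/wp-content/plugins/
# With no argument, run the offline self-test on the constructed samples.
if [ $# -gt 0 ]; then
    check_dir_listing "$1"
else
    looks_like_listing "$SAMPLE_LISTING" && echo "sample listing page: detected (as expected)"
    looks_like_listing "$SAMPLE_FORBIDDEN" || echo "sample 403 page: not a listing (as expected)"
fi
```

Run it once before editing .htaccess and once after; the second run should report "listing disabled" with a 403 status. If it still reports a listing after the change, the usual cause is that the host's Apache configuration sets AllowOverride None (or a value without Options) for your document root, in which case the directive in .htaccess is silently ignored and the setting has to be made in the server configuration or through the host's control panel.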
You have now implemented a security measure that will help protect your web site or blog. This is just one step out of many you can do to protect your site from intruders.