Disabling Directory Indexes to Protect Your WordPress Blog

Open a new window or tab and browse to your blog. For the sake of example, you’re now at example.com. Now, browse to your WordPress plugins directory: example.com/wp-content/plugins/.

What do you see?

If you don’t see a listing of all of the plugins you have on your server, you’re doing well!

If you do see a listing of all of your plugins, well, let’s just say there’s room for improvement.

Remember: if you can see the contents of the folder, chances are good that anyone can. For the most part, that isn’t such a big deal, but the Web can be a dangerous place. Malicious users and bots are ceaselessly roaming the Web looking for points of attack.

These evildoers are clever enough on their own; we don’t want to hand them a list of the software sitting on your server, especially since there is the chance that one or more plugins (or anything else which may be on your server, for that matter) may have security holes.

Even if all of your plugins are known to be secure now, what about in a few months? If an exploit is found in your favorite (for example) sitemap plugin, a crafty ne’er-do-well could simply target all of the sites known to have that particular plugin installed.

I don’t blame you for not wanting your site to end up on a list like that.

Thankfully, the fix is easy, and the earlier in your site’s life you can implement it, the better.

The first possible solution is that you could browse around to every directory on your site, ensuring that an index file is present. An index file is any file such as index.html, index.php, or even sometimes default.html.

If a directory contains no index file (i.e., its contents are shown when you browse to it with a Web browser), simply create a blank file named index.html to upload to that directory. ((Savvy users may want to create index.php as it will allow them the use of PHP, which they could use to log the details of the attempted directory access.))

Once your index file is in place, browsing to the directory should yield nothing more than a blank page (or the contents of your index file, if you’ve set up an error message or whatever).

Tracking down all of the “exposed” directories can be time-consuming, though. Thankfully, Apache (and perhaps other server technologies as well) provides a very easy means of disabling directory contents:

Options -Indexes

That one line of code, when placed within your site’s root .htaccess file, ((For our example, that would be example.com/.htaccess.)) prevents anyone from accessing directory listings.

If you are already using WordPress’ fancy permalinks (configurable via the Settings → Permalinks administration panel), your .htaccess should now look like this (minus whatever other additions you may have made to it):

Options -Indexes

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

Unlike using index files, disabling directory indexes at the server level causes an HTTP “403 Forbidden” error status to be returned, making it clear to the client attempting to access the directory that such access is not permitted on your site.

Depending on how your host has your server configured, you can even create custom error message explaining why a “Forbidden” error would be thrown. Contact your host for more information about custom error pages.

I encourage you to disable directory indexes on your site, though. It’s such a simple fix, and it makes life just that much harder for those who would attempt to attack your site. Stick it to ’em!

8 thoughts on “Disabling Directory Indexes to Protect Your WordPress Blog”

  1. Hi Rick,

    I added “Options -Indexes” to the .htaccess folder like you suggested. Just doing that disables the directory indexes at my site?? And this won’t affect my SEO, my posts, or anything? It JUST keeps the bad guys/hackers out, right? Uh oh, I just re-read…I don’t have “Apache” (whatever that is) – should I take the “Options -Indexes” back out? Help!

    Thanks, Kelly

  2. Kelly the Kitchen Kop: Did you already have the .htaccess file? If so, chances are good that you’re using Apache — or at least an Apache-compatible server.

    You can test this by uploading an empty directory to your site — for instance, example.com/empty/ — and then browse to that empty folder in your browser. If you get a “forbidden” message, the code worked.

    I’ll help you get this working if you share the link to the site you’re trying this on.

  3. Kelly the Kitchen Kop: I was referring to Options -Indexes — it looks like you’re already using it. If you aren’t using it, then your host may already be disabling directory indexes, so you’re all set for that.

    And no, this won’t affect search engines or anything else, for that matter. It will only prevent the complete contents of your directories from being displayed to any and everyone.

Leave a Reply to Kelly the Kitchen Kop Cancel Reply

Your email address will not be published. Required fields are marked *

Use your Gravatar-enabled email address while commenting to automatically enhance your comment with some of Gravatar's open profile data.

Comments must be made in accordance with the comment policy. This site uses Akismet to reduce spam; learn how your comment data is processed.

You may use Markdown to format your comments; additionally, these HTML tags and attributes may be used: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

This site uses Akismet to reduce spam. Learn how your comment data is processed.

the Rick Beckman archive
Scroll to Top