site security

How to Disable Directory Browsing in WordPress


Directory browsing in WordPress can pose significant security risks if left enabled. By default, WordPress allows users to view the contents of directories on your website, potentially exposing sensitive information.

To safeguard your website and protect your data, it’s crucial to disable directory browsing. In this article, we will guide you through the process of disabling directory browsing in WordPress.

Understanding the Risks of Directory Browsing

Directory browsing allows anyone to explore the files and folders on your website’s server. This feature can be exploited by hackers to gain insights into your website’s structure, locate vulnerable files, or access sensitive data.

When a visitor accesses your website, their request is processed by your web server. Normally, the server provides the visitor’s browser with an index file, like index.html.

However, if the server cannot find an index file, it may display all the files and folders in the requested directory instead.

This functionality, known as directory browsing, is often enabled by default. If you have ever visited a website and encountered a list of files and folders rather than a webpage, you have witnessed directory browsing in action.

Moreover, the issue is that hackers can exploit directory browsing to view the files that compose your website, including the themes and plugins you utilize.

If any of these themes or plugins have known vulnerabilities, hackers can exploit this knowledge to gain control of your WordPress blog or website, pilfer your data, or carry out other malicious activities.

Furthermore, attackers may also use directory browsing to access confidential information stored within your files and folders. They might even duplicate your website’s contents, including valuable content that you typically charge for, such as ebook downloads or online courses.

Disabling directory browsing strengthens your website’s security by limiting the information available to potential attackers.

How to Check if Directory Browsing is Enabled in WordPress

To determine if directory browsing is enabled for your WordPress website, you can easily check by visiting the /wp-includes/ folder link in this format:

Moreover, please remember to replace “” with the URL of your own website. If you receive a 403 Forbidden or a similar message, it indicates that directory browsing is already disabled on your WordPress website.

If, on the other hand, you see a list of files and folders like the screenshot below, it means that directory browsing is enabled for your website.

Directory Browsing

Since enabling directory browsing can make your website more susceptible to attacks, it is generally recommended to block directory browsing in WordPress.

Step-by-Step Guide to Disable Directory Browsing

To disable directory browsing, follow these simple steps:

Step 1: Access your website’s root directory

Using an FTP client or your web hosting control panel, access your website’s root directory. Typically, this directory is named public_html or www. If you are unsure, consult your hosting provider’s documentation or support.

In examples below, I will be using WinSCP FTP client to access the site’s files.

Step 2: Locate the .htaccess file

Within the root directory, locate the .htaccess file.


This file controls various aspects of your website’s functionality and can be edited to disable directory browsing.

Step 3: Edit the .htaccess file

Using a text editor, open the .htaccess file. Insert the following code snippet at the end of the file:

Options -Indexes


Save the changes and close the file.

Step 4: Verify the changes

After saving the modified .htaccess file, navigate to your website and attempt to access a directory that previously allowed browsing.

Directory Browsing

If successful, you should see a “403 Forbidden” of “Page Not Found” error message, indicating that directory browsing has been disabled. Example above.


Disabling directory browsing, you reduce the risk of exposing sensitive information and potential security vulnerabilities on your web server. Always remember to follow best security practices and stay updated with the latest web server software recommendations and patches.

By following the step-by-step guide outlined in this article, you can easily disable directory browsing and enhance the overall security of your WordPress website.

Finally, you may want to speed up your WordPress site too, read this article to learn more!

Featured Photo by FLY:D on Unsplash