WordPress Directory Browsing: Risks and Prevention Guide

Have you ever visited a website URL and, instead of seeing a webpage, you saw a raw list of files and folders that looked like a file manager?

This is called Directory Browsing (or Directory Indexing).

While it might seem harmless—or even convenient for developers—leaving directory browsing enabled on a production WordPress site is a significant security lapse. It provides attackers with a complete map of your website’s structure, making their reconnaissance phase much easier.

In this guide, we’ll explain exactly why directory browsing is dangerous and provide the simple code snippets needed to disable it on Apache and Nginx servers.


What is Directory Browsing?

Web servers like Apache and Nginx are configured to look for a “default” file when a user visits a directory URL (e.g., yoursite.com/wp-content/uploads/). Typically, they look for:

  1. index.php
  2. index.html
  3. default.htm

If none of these files exist in the folder, and Directory Browsing is enabled, the server will automatically generate an HTML page listing every single file inside that directory.


The Security Risk: Information Disclosure

Directory browsing is classified as an Information Disclosure vulnerability. It doesn’t give hackers direct access to your database, but it gives them the information they need to plan an attack.

Here is what an attacker can find if directory browsing is left on:

1. Identifying Vulnerable Plugins

By browsing /wp-content/plugins/, an attacker can see exactly which plugins you have installed. They can look for folder names of abandoned or vulnerable plugins that you might have disabled but not deleted.

2. Finding Sensitive Backups

Admins often create quick backups before editing files (e.g., style.css.bak or header.php.old). These files are usually hidden from the public eye. But with directory browsing, they appear right in the list, allowing anyone to download and analyze your custom code.

3. Exposing Media Uploads

Browsing /wp-content/uploads/ allows anyone to scrape your entire media library, including private documents or unlinked images you thought were “hidden.”

4. Revealing Theme Structure

Browsing /wp-content/themes/ helps attackers understand your site’s architecture, including child themes and custom templates.

FunSentry’s Approach:

When you run a scan with FunSentry, we actively test your wp-includes, wp-content/uploads, and plugin directories to see if they return a directory listing. If they do, we flag this as a “Medium” severity issue that needs immediate fixing.


How to Check if You Are Vulnerable

The check is simple. Open your browser and try to access a folder that usually doesn’t have an index file, such as:

  • https://yoursite.com/wp-content/uploads/
  • https://yoursite.com/wp-includes/

The Bad Result:

You see a page titled “Index of /wp-content/uploads” with a list of Year/Month folders. This means you are vulnerable.

The Good Result:

You see a “403 Forbidden” error or a completely blank white page. This means your server is correctly configured to block listing requests.
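To run this check against more than a couple of URLs, the small Python script below (an added example, not FunSentry's scanner) classifies each directory response into the good and bad results described above. It assumes Apache mod_autoindex and Nginx autoindex use their default listing templates, whose generated page is titled "Index of /…"; the sample responses are constructed, and the fetch helper is only needed against a live site.

```python
import re
import urllib.error
import urllib.request

# Both Apache mod_autoindex and Nginx autoindex title their generated page
# "Index of /<path>" (assumption: the servers use their default listing templates).
LISTING_MARKER = re.compile(r"<(?:title|h1)>\s*Index of\s+/", re.IGNORECASE)

def classify(status, body):
    """Map a directory-URL response to (verdict, reason): listing is bad, blocked is good."""
    if status in (401, 403, 404):
        return "blocked", f"HTTP {status}"
    if status == 200 and LISTING_MARKER.search(body):
        return "listing", "autoindex markup in body"
    if status == 200 and body.strip() == "":
        return "blocked", "blank page (index.php 'Silence is golden')"
    return "other", f"HTTP {status}, no listing markup"

def fetch(base_url, path, timeout=10):
    """Live fetch for a real check (assumption: the paths need no authentication)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "dir-listing-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_paths(responses):
    """Classify a {path: (status, body)} mapping; returns {path: verdict}."""
    return {p: classify(s, b)[0] for p, (s, b) in responses.items()}

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "/wp-content/uploads/": (200, "<html><head><title>Index of /wp-content/uploads</title>"
                                  "</head><body><h1>Index of /wp-content/uploads</h1>"
                                  '<a href="2024/">2024/</a></body></html>'),
    "/wp-includes/": (403, "<html><body><h1>Forbidden</h1></body></html>"),
    "/wp-content/plugins/": (200, ""),
    "/": (200, "<html><head><title>My Blog</title></head><body>Hello</body></html>"),
}

if __name__ == "__main__":
    # Replace SAMPLES with {p: fetch("https://yoursite.com", p) for p in SAMPLES} for a live site.
    for path, verdict in check_paths(SAMPLES).items():
        print(f"{path:25} {verdict}")
```

Only a verdict of "listing" is the bad result; a 403, 404 or blank 200 all mean the folder is not being listed.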


Method 1: Disable Directory Browsing via .htaccess (Recommended for Apache)

If your WordPress site runs on Apache or LiteSpeed (which is most common for shared hosting), you can fix this in seconds using the .htaccess file.

  1. Connect to your site via FTP or File Manager.
  2. Locate the .htaccess file in your root directory (public_html).
  3. Add the following line at the very bottom of the file:

Apache

# Disable Directory Browsing
Options -Indexes

What this does:

The - sign tells Apache to disable the Indexes feature. If a user visits a folder without an index file, Apache will now return a 403 Forbidden error instead of listing the files.


Method 2: Disable Directory Browsing in Nginx

If you are using a VPS or managed hosting with Nginx, you need to update your server block configuration (usually found in /etc/nginx/sites-available/yoursite).

Add or update the autoindex directive inside your location block:

Nginx

server {
    # ... existing configuration ...

    location / {
        # ... existing configuration ...
        autoindex off;
    }
    
    # Optional: Explicitly block uploads folder listing
    location /wp-content/uploads/ {
        autoindex off;
    }
}

After saving the file, restart Nginx:

sudo service nginx restart


Method 3: The “Empty index.php” Strategy

WordPress actually attempts to handle this natively. If you look inside standard WordPress folders, you will often see a file named index.php that contains nothing but:

PHP

<?php
// Silence is golden.

This file exists solely to prevent directory browsing. If the server loads this file, it shows a blank page (“Silence”) instead of a file list.

Why this isn’t enough:

  1. Theme and plugin developers often forget to include this empty index.php in their subfolders.
  2. If you create a custom folder (e.g., /private-files/), it won’t have this file unless you add it manually.

Relying on index.php files is a “soft” fix. The “hard” fix (using .htaccess or Nginx config) is much more secure because it applies globally to every folder on your server.
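Because the soft fix fails exactly where someone forgot a folder, an audit that lists every directory without one of the default files above is worth running even when the server-level fix is in place. The script below is an added example, not FunSentry's or WordPress's own code; it walks a site root, reports unprotected folders, and can drop in the empty index.php as a stopgap on hosts where you cannot edit the server configuration. The sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Default files from the page's list; a folder holding any of them never produces a listing.
INDEX_FILES = ("index.php", "index.html", "default.htm")
SILENCE = "<?php\n// Silence is golden.\n"

def find_unprotected(root):
    """Return the directories under root (relative paths) that contain no default file."""
    root = Path(root)
    missing = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        if not any(name in filenames for name in INDEX_FILES):
            missing.append(str(Path(dirpath).relative_to(root)))
    return sorted(missing)

def add_silence_files(root, dry_run=False):
    """Write the empty index.php into every unprotected directory; return the files created."""
    created = []
    for rel in find_unprotected(root):
        target = Path(root) / rel / "index.php"
        if not dry_run:
            target.write_text(SILENCE)
        created.append(str(target.relative_to(root)))
    return created

def build_sample_tree(base):
    """Constructed sample layout (not a real site): some folders protected, some forgotten."""
    base = Path(base)
    for d in ("wp-content/plugins/good-plugin", "wp-content/plugins/old-plugin/assets",
              "wp-content/uploads/2024/01", "private-files"):
        (base / d).mkdir(parents=True, exist_ok=True)
    (base / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    for d in ("wp-content", "wp-content/plugins", "wp-content/plugins/good-plugin"):
        (base / d / "index.php").write_text(SILENCE)
    (base / "wp-content/plugins/old-plugin/plugin.php").write_text("<?php\n")
    (base / "wp-content/uploads/2024/01/photo.jpg").write_bytes(b"\xff\xd8\xff")
    return str(base)

def demo():
    """Audit the sample tree in a temp directory, fix it, and audit again."""
    root = build_sample_tree(tempfile.mkdtemp())
    before = find_unprotected(root)
    created = add_silence_files(root)
    return before, created, find_unprotected(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run `find_unprotected("/path/to/public_html")` alone (or `add_silence_files(..., dry_run=True)`) to audit a real site without writing anything.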


Summary Checklist

Method | Effectiveness | Difficulty | Notes
.htaccess (Options -Indexes) | ⭐⭐⭐⭐⭐ (High) | Easy | Best for 90% of WP sites. Global protection.
Nginx (autoindex off) | ⭐⭐⭐⭐⭐ (High) | Medium | Requires server root access.
Empty index.php | ⭐⭐ (Low) | Tedious | Easy to miss folders. Hard to maintain.
cPanel “Indexes” Tool | ⭐⭐⭐⭐ (High) | Easy | Good visual interface for beginners.

Don’t let hackers map your website. Directory browsing is a “convenience” feature that has no place on a production server.

Is your site exposing its file structure?

Run a free security scan at FunSentry. Our scanner checks your directory permissions and alerts you if sensitive file lists are public. Secure your site structure today.