Introduction
If you have ever tried to access a folder on a website and noticed a list of files displayed in your browser, you have witnessed directory indexing in action. It is a simple but surprisingly dangerous feature that many WordPress website owners do not even know exists on their site.
So, can directory indexing be turned off in WordPress? The short and confident answer is yes, absolutely. Not only can it be turned off, but turning it off is something every WordPress site owner should do as part of their basic security setup. Leaving directory indexing enabled is like leaving the front door of your house wide open while you are away. Anyone who walks by can step in and look around.
In this guide, we will explain exactly what directory indexing is, why it is dangerous, how to check if it is currently enabled on your WordPress site, and most importantly, how to disable it using multiple different methods. Whether you are a complete beginner or someone with some technical experience, this guide will walk you through everything you need to know in plain, simple language.
What Is Directory Indexing?
Directory indexing, also called directory listing or directory browsing, is a feature of web servers that automatically displays the contents of a folder when no index file is present inside that folder. In simple terms, it is when a web server shows visitors a clickable list of all the files and subfolders stored in a particular directory on your website.
For example, imagine your WordPress website has a folder called /wp-content/uploads/2024/. Normally, when someone visits that URL in their browser, your website should either show a page from your site or return an error message. But if directory indexing is enabled and there is no index.html or index.php file inside that folder, the web server will instead display a list of every single file in that folder, complete with file names, sizes, and modification dates.
This might seem harmless at first glance, but the consequences can be severe, which we will discuss in detail shortly.
How Directory Indexing Works
Web servers like Apache and Nginx are the engines that power most websites on the internet, including WordPress sites. When your browser sends a request to visit a URL, the web server processes that request and decides what to send back.
Here is what happens step by step:
- Your browser requests a URL, for example: https://yoursite.com/wp-content/uploads/.
- The web server looks for an index file in that directory, such as index.html, index.php, or index.htm.
- If an index file exists, it loads that file and the visitor sees a normal web page.
- If no index file exists and directory indexing is enabled, the server generates and displays a list of all files and folders inside that directory.
- If no index file exists and directory indexing is disabled, the server returns a 403 Forbidden error, which is the safe and correct behavior.
WordPress does a decent job of placing index files in many of its directories to prevent this issue, but not every single directory is covered. This leaves gaps that can expose your files to the public.
The Difference Between Apache and Nginx
The two most common web servers used to run WordPress sites are Apache and Nginx. Each handles directory indexing slightly differently, and the method you use to disable it depends on which web server your hosting provider uses.
Apache is the more traditional and widely used web server. It supports a special configuration file called .htaccess, which allows you to control server behavior on a per-directory basis. Most shared hosting environments use Apache, making the .htaccess method the most common solution for WordPress users.
Nginx is a newer, faster web server used by many modern hosting providers. It does not support .htaccess files. Instead, it uses a central configuration file that only server administrators can edit. If your site runs on Nginx, you will likely need to contact your hosting provider or use a security plugin.
If you are unsure which web server your host uses, you can often find this information in your hosting control panel, or you can ask your hosting provider’s support team.
Why Directory Indexing Is a Security Risk
Now that you understand what directory indexing is, let us talk about why it is considered a serious security threat. This is the heart of the matter, and understanding these risks will motivate you to take action.
1. It Exposes Your Website’s File Structure
When a hacker wants to attack a website, the first thing they do is gather information about it. This process is called reconnaissance. Directory indexing makes this job incredibly easy by handing attackers a detailed map of your website’s internal structure.
With directory indexing enabled, a malicious visitor can browse through your folders and see exactly which plugins you are using, which themes are installed, which version of each plugin is running, and where your media files and uploads are stored. Armed with this information, attackers can look up known security vulnerabilities in specific plugin versions and craft targeted attacks against your site.
2. It Can Leak Sensitive Files
Your WordPress site may contain files that were never meant to be seen by the public. These could include backup files, log files, configuration files, or exported data files that someone accidentally left in an accessible folder. With directory indexing enabled, these files can be discovered and downloaded by anyone who stumbles upon them.
For instance, if a developer uploaded a database backup file to the server for temporary storage and forgot to remove it, an attacker with directory access could find and download that file. A database backup often contains usernames, hashed passwords, email addresses, and in some cases, even payment information or private user data.
3. It Exposes Your Theme and Plugin Code
Professional WordPress themes and premium plugins are often sold commercially. If your site has directory indexing enabled, visitors may be able to browse your theme files and download your theme’s or plugin’s PHP, CSS, and JavaScript source code. This violates the terms of use of these products and can cause significant financial and legal issues.
Beyond the commercial implications, exposing your theme code also reveals exactly how your site is structured, which functions it uses, and where potential weaknesses might exist in custom code.
4. It Provides Reconnaissance for Brute Force Attacks
By browsing your WordPress directories, an attacker can identify the exact version of WordPress you are running, which can help them launch targeted brute force attacks or exploit known vulnerabilities in that specific version. Keeping this information hidden is a key part of WordPress security hardening.
5. It Violates User Privacy
If your uploads directory is publicly browsable, anyone can potentially see every image, document, or file that has ever been uploaded to your site. For websites that handle client information, user-submitted documents, private images, or sensitive records, this is a serious privacy violation that could also lead to legal consequences under regulations like GDPR.
Important Note: According to widely accepted web security best practices, directory listing is considered an information disclosure vulnerability. It is listed in the OWASP (Open Web Application Security Project) guidelines as a risk that should be addressed on all web servers.
How to Check If Directory Indexing Is Enabled on Your WordPress Site
Before you go ahead and disable directory indexing, you should first check whether it is actually enabled on your site. It is possible that your hosting provider has already disabled it by default, or that your current security setup has already taken care of it.
Method 1: Try to Browse a Directory Directly
The easiest way to check is to try visiting a directory URL in your browser. Here are a few common WordPress directories you can test:
- https://yoursite.com/wp-content/uploads/
- https://yoursite.com/wp-content/plugins/
- https://yoursite.com/wp-includes/
Replace yoursite.com with your actual domain name. When you visit one of these URLs, one of three things will happen:
- You see a file listing with names of files and folders. This means directory indexing IS enabled and you need to disable it immediately.
- You see a 403 Forbidden error message. This is the correct behavior and means directory indexing is already disabled.
- You see a blank white page or are redirected to your homepage. This could mean WordPress itself is blocking access, which is also acceptable.
Method 2: Check Your .htaccess File
If your site runs on Apache, you can also check your .htaccess file directly. Connect to your website via FTP or your hosting file manager and open the .htaccess file in your WordPress root directory. Look for any line that contains Options -Indexes or Options All -Indexes. If you see this, directory indexing is already disabled. If you do not see it, you will need to add it.
Method 3: Use an Online Security Scanner
There are several free online tools and WordPress security plugins that can automatically scan your site for common vulnerabilities, including directory indexing. Tools like Sucuri SiteCheck or WPScan can quickly report whether directory listing is enabled on your site.
How to Turn Off Directory Indexing in WordPress
Great news: disabling directory indexing in WordPress is not complicated at all. There are several methods you can use depending on your technical comfort level, your hosting environment, and your preferences. We will cover all the main methods below.
Method 1: Edit the .htaccess File (Recommended for Apache Users)
This is the most direct and effective method for WordPress sites hosted on Apache web servers. The .htaccess file is a powerful configuration file that controls many aspects of how your web server behaves. Adding just one line to this file will disable directory indexing across your entire WordPress installation.
Step-by-Step Instructions
- Log in to your WordPress hosting control panel (cPanel, Plesk, or similar).
- Open the File Manager tool, or connect to your server using an FTP client like FileZilla.
- Navigate to your WordPress root directory. This is typically the public_html folder or the folder where WordPress is installed.
- Look for a file called .htaccess. Note that this file may be hidden by default. In cPanel File Manager, click Settings and enable the option to show hidden files. In FileZilla, go to Server and select Force showing hidden files.
- Right-click on the .htaccess file and choose to edit it.
- Before making any changes, download a backup copy of the file.
- Add the following line to the file. You can add it anywhere, but placing it near the top is a good practice:
Options -Indexes
- Save the file and close the editor.
- Test your site by visiting one of the directory URLs mentioned earlier. You should now see a 403 Forbidden error instead of a file listing.
Pro Tip: If you ever edit your .htaccess file through WordPress settings (like when changing your permalink structure), WordPress may rewrite the file. Your Options -Indexes line will be preserved as long as it is placed outside the # BEGIN WordPress and # END WordPress comment block.
What Your .htaccess File Should Look Like
Here is an example of what a properly configured .htaccess file might look like with directory indexing disabled:
Options -Indexes
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
The Options -Indexes line sits above the WordPress block, so it will not be overwritten when WordPress updates the permalink configuration.
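The placement rule above (the directive must live outside the WordPress comment block) is easy to get wrong by hand, so here is an added example, not code from the article, that audits an .htaccess file for it. It treats `# BEGIN WordPress` and `# END WordPress` as the block markers the article names and understands both `Options -Indexes` and `Options All -Indexes`; the sample file contents are constructed.

```python
"""Audit a WordPress .htaccess for the Options -Indexes directive.

Added example, not code from the original article. It checks that
directory indexing is switched off and that the directive sits outside
the "# BEGIN WordPress" / "# END WordPress" block, where WordPress may
rewrite it when the permalink structure changes.
"""
import re
from pathlib import Path

BEGIN_MARK = "# BEGIN WordPress"
END_MARK = "# END WordPress"
# "Options -Indexes" or "Options All -Indexes", possibly mixed with other
# flags; Apache directive names are case-insensitive, so match that way.
INDEXES_OFF = re.compile(r"^\s*Options\b(?:\s+\S+)*\s+-Indexes\b", re.IGNORECASE)
# An explicit "Options Indexes" / "Options +Indexes" turns listings on.
INDEXES_ON = re.compile(r"^\s*Options\b(?:\s+\S+)*\s+\+?Indexes\b", re.IGNORECASE)


def audit_htaccess(text: str) -> dict:
    """Return findings for the given .htaccess contents.

    off_outside_block: -Indexes found outside the WordPress block (kept on rewrite)
    off_inside_block:  -Indexes found inside the block only (may be lost)
    indexes_enabled:   an explicit Indexes / +Indexes was found (unsafe)
    safe:              listings are off in a place WordPress will not overwrite
    """
    inside = False
    off_outside = off_inside = enabled = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == BEGIN_MARK:
            inside = True
            continue
        if stripped == END_MARK:
            inside = False
            continue
        if INDEXES_OFF.search(line):
            if inside:
                off_inside = True
            else:
                off_outside = True
        elif INDEXES_ON.search(line):
            enabled = True
    return {
        "off_outside_block": off_outside,
        "off_inside_block": off_inside,
        "indexes_enabled": enabled,
        "safe": off_outside and not enabled,
    }


def audit_file(path) -> dict:
    """Audit an .htaccess file on disk (path is whatever the caller supplies)."""
    return audit_htaccess(Path(path).read_text(encoding="utf-8"))


# Constructed sample: the layout the article recommends.
SAMPLE = """Options -Indexes
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    import sys
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_htaccess(SAMPLE)
    for key, value in result.items():
        print(f"{key:18s} {value}")
```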
Method 2: Use a WordPress Security Plugin
If you are not comfortable editing server files directly, using a WordPress security plugin is an excellent alternative. Many popular security plugins include an option to disable directory indexing with just a click of a button.
Wordfence Security
Wordfence is one of the most popular WordPress security plugins available. While it is primarily known for its firewall and malware scanning features, it also provides options for hardening your site against common vulnerabilities. When you run a site scan with Wordfence, it will flag directory indexing as an issue and guide you toward fixing it.
Sucuri Security
Sucuri Security is another highly trusted security plugin. It includes a hardening feature that automatically adds the necessary rules to disable directory browsing on your site. Simply navigate to the Sucuri Security settings, click on Hardening, and enable the option to disable directory browsing.
iThemes Security (now Solid Security)
iThemes Security, rebranded as Solid Security, includes a file and directory protection feature. Under its settings, you can enable protection that prevents directory listing and adds other security enhancements to your site automatically.
All In One WP Security and Firewall
This free plugin has a dedicated section called File System Security where you can review file and directory permissions and enable options to prevent directory listing. It is beginner-friendly and provides explanations for each option.
Method 3: Contact Your Hosting Provider
If your site runs on Nginx, or if you do not have access to edit your .htaccess file or install plugins, the simplest solution is to contact your web hosting provider and ask them to disable directory indexing for your account.
Most reputable hosting providers will do this quickly, often through their support ticketing system. When you reach out to them, simply say something like: I would like to disable directory listing or directory indexing for my WordPress site. Can you please help me with this?
Many quality hosting companies disable directory indexing by default across all their servers as a standard security measure. If your host does not offer this, it may be worth considering a switch to a more security-conscious hosting provider.
Method 4: Add Index Files to Directories
Another way to prevent directory listing is to add a blank index.php file to any directory that does not already have one. When the web server finds an index file, it will load that file instead of displaying a directory listing. A blank index.php file effectively shows a blank page, which is much better than exposing your file list.
To implement this, you can create a file called index.php with the following content and upload it to directories that are at risk:
<?php // Silence is golden.
This approach is a secondary measure and is best used in combination with the .htaccess method rather than as a standalone solution. WordPress itself actually uses this technique in some of its own directories.
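Doing this by hand for every folder under wp-content is tedious, so here is an added example, not code from the article or from WordPress, that applies Method 4 recursively: it walks a directory tree, skips any folder that already has index.php, index.html or index.htm, and writes the "Silence is golden." placeholder everywhere else. The demo tree it builds in a temporary directory is constructed.

```python
"""Place a placeholder index.php in every directory that lacks an index file.

Added example, not code from the original article or from WordPress itself.
"""
import os
import tempfile
from pathlib import Path

PLACEHOLDER = "<?php // Silence is golden.\n"
INDEX_NAMES = ("index.php", "index.html", "index.htm")


def add_index_files(root, dry_run=False):
    """Walk `root` and return the index.php paths created (or, with
    dry_run=True, the ones that would be created), relative to `root`,
    using forward slashes so the result is the same on every platform."""
    root = Path(root)
    created = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Deterministic order; skip dot-directories such as .git.
        dirnames[:] = sorted(d for d in dirnames if not d.startswith("."))
        if any(name in filenames for name in INDEX_NAMES):
            continue  # already covered, nothing to do
        target = Path(dirpath) / "index.php"
        if not dry_run:
            target.write_text(PLACEHOLDER, encoding="utf-8")
        created.append(target.relative_to(root).as_posix())
    return created


def demo():
    """Build a small constructed wp-content tree and protect it.

    Returns (planned, created, still_missing): the dry run, the real run,
    and a second dry run that should find nothing left to do."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "wp-content"
        (base / "plugins").mkdir(parents=True)
        (base / "uploads" / "2024" / "05").mkdir(parents=True)
        # plugins/ already carries WordPress's own placeholder.
        (base / "plugins" / "index.php").write_text(PLACEHOLDER, encoding="utf-8")
        planned = add_index_files(base, dry_run=True)
        created = add_index_files(base)
        still_missing = add_index_files(base, dry_run=True)
        return planned, created, still_missing


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Real use: python add_index.py /path/to/wp-content [--dry-run]
        for rel in add_index_files(sys.argv[1], dry_run="--dry-run" in sys.argv):
            print("index.php ->", rel)
    else:
        print(demo())
```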
Method 5: Server-Level Configuration for Nginx
If your hosting environment uses Nginx, directory indexing is controlled in the server’s main configuration file. You or your server administrator would need to find the relevant server block in the Nginx configuration and ensure that the autoindex directive is set to off.
The Nginx configuration change looks like this:
server {
…
autoindex off;
…
}
This setting tells Nginx not to automatically generate directory listings. Unlike Apache, this change must be made by someone with root or administrative access to the server, which is why it is typically handled by the hosting provider or a server administrator.
Verifying That Directory Indexing Has Been Disabled
After applying any of the methods above, it is important to verify that directory indexing has actually been turned off successfully. Do not skip this step. Sometimes configuration changes do not take effect immediately, or there may be a mistake in the code you added.
Test by Visiting Directory URLs
Go back to your browser and try visiting the directory URLs you tested earlier. For example:
- https://yoursite.com/wp-content/uploads/
- https://yoursite.com/wp-content/plugins/
If you see a 403 Forbidden error or a blank page, the protection is working correctly. If you still see a list of files, double-check your .htaccess file for typos and make sure the changes were saved properly.
Check Multiple Directories
Do not just test one directory. Check several different directories within your WordPress installation to confirm that the protection applies universally. Particularly important directories to test include the uploads folder, the plugins folder, and the themes folder.
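The browser test from Method 1 earlier and the verification steps here can be scripted over all the directories at once. This added example (not code from the article) classifies each response as a directory listing, a 403, or something else; the classifier runs on a captured status code and body so it can be checked offline, and the live probe uses urllib with a placeholder site URL. The sample responses are constructed.

```python
"""Probe WordPress directories and report whether each one lists files.

Added example, not code from the original article. classify_response()
works on a status code and body; probe_site() fetches them live.
"""
import re
import urllib.error
import urllib.request

# The directories the article suggests testing.
WP_DIRECTORIES = (
    "wp-content/uploads/",
    "wp-content/plugins/",
    "wp-content/themes/",
    "wp-includes/",
)

# Apache mod_autoindex and Nginx autoindex both emit a title such as
# "Index of /wp-content/uploads"; Apache also adds a "Parent Directory" link.
LISTING_MARKERS = re.compile(r"<title>\s*Index of /|Parent Directory", re.IGNORECASE)


def classify_response(status: int, body: str) -> str:
    """Map one HTTP response to LISTING, FORBIDDEN or OTHER.

    LISTING:   200 with an autoindex page, so directory indexing is enabled.
    FORBIDDEN: 403, the outcome the article says you want.
    OTHER:     blank index.php, redirect to the homepage, 404 and so on.
    """
    if status == 403:
        return "FORBIDDEN"
    if status == 200 and LISTING_MARKERS.search(body):
        return "LISTING"
    return "OTHER"


def fetch(url: str):
    """Return (status, body) for url; HTTP error responses are returned, not raised.
    Redirects are followed, so a bounce to the homepage shows up as OTHER."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-index-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def probe_site(base_url: str) -> dict:
    """Check every directory in WP_DIRECTORIES under base_url."""
    base_url = base_url.rstrip("/") + "/"
    return {d: classify_response(*fetch(base_url + d)) for d in WP_DIRECTORIES}


# Constructed responses shaped like an Apache listing and a 403 page.
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/uploads</title></head>
<body><h1>Index of /wp-content/uploads</h1>
<a href="/wp-content/">Parent Directory</a> <a href="2024/">2024/</a></body></html>"""
SAMPLE_FORBIDDEN = "<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>"

if __name__ == "__main__":
    import sys
    # Placeholder site; pass your own domain as the first argument.
    site = sys.argv[1] if len(sys.argv) > 1 else "https://yoursite.com"
    for path, verdict in probe_site(site).items():
        print(f"{verdict:9s} {site.rstrip('/')}/{path}")
```

Any directory reported as LISTING still needs one of the fixes above; OTHER is worth a manual look, since it covers both a harmless blank index.php and a redirect.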
Use a Security Scanner
Run another scan with a security plugin like Wordfence or Sucuri to confirm that directory indexing is no longer flagged as a vulnerability. These tools are quite thorough and will give you peace of mind that the issue has been resolved.
Other Important WordPress Security Measures to Pair With This Fix
Disabling directory indexing is an important step, but it is just one part of a comprehensive WordPress security strategy. Once you have taken care of this, here are additional steps you should take to keep your site secure.
1. Keep WordPress, Plugins, and Themes Updated
The number one cause of WordPress site hacks is outdated software. Plugin and theme developers regularly release updates that fix security vulnerabilities. Make it a habit to log in to your WordPress dashboard at least once a week and apply all available updates. You can also enable automatic updates for minor WordPress core releases.
2. Use Strong and Unique Passwords
Weak passwords are an open invitation for attackers using brute force tools. Make sure that your WordPress admin account, database password, FTP account, and hosting control panel all use strong, unique passwords that are at least 16 characters long and include a mix of letters, numbers, and symbols. Use a password manager to keep track of them.
3. Install a Security Plugin
As mentioned earlier, security plugins like Wordfence, Sucuri, or Solid Security provide multiple layers of protection including firewall rules, malware scanning, login protection, and more. Installing and properly configuring one of these plugins is one of the best investments you can make in your site’s security.
4. Enable Two-Factor Authentication
Two-factor authentication (2FA) adds an extra layer of protection to your login process. Even if an attacker manages to guess your password, they would still need access to your second factor, usually a time-sensitive code generated by an app on your phone. Many security plugins include built-in 2FA functionality.
5. Limit Login Attempts
By default, WordPress allows unlimited login attempts, which makes brute force attacks easy. You should install a plugin or use your security plugin to limit the number of failed login attempts allowed before an IP address is temporarily blocked.
6. Change the WordPress Login URL
The default WordPress login page is located at /wp-admin or /wp-login.php, and every automated hacking tool on the internet knows this. Changing your login URL to something custom and non-obvious significantly reduces the volume of automated attacks your site receives. Plugins like WPS Hide Login make this easy to do without any coding.
7. Disable XML-RPC If Not Needed
XML-RPC is a feature in WordPress that allows remote applications to communicate with your site. While it has legitimate uses, it is also frequently abused by hackers to launch brute force attacks and DDoS attacks. If you do not use any mobile apps or third-party services that require XML-RPC, disable it using your security plugin or by adding a rule to your .htaccess file.
8. Set Correct File and Folder Permissions
WordPress files and folders should have the correct permission settings to prevent unauthorized access. As a general rule, directories should be set to 755 and files to 644. Your wp-config.php file, which contains your database credentials, should ideally be set to 600 or 640 to restrict access even further. You can check and change these permissions through your hosting file manager or via FTP.
9. Use SSL/HTTPS
If your site does not already use HTTPS, this is a critical step. SSL certificates encrypt data that passes between your visitors and your server, preventing it from being intercepted. Most hosting providers now offer free SSL certificates through Let’s Encrypt. Once installed, make sure your entire site redirects from HTTP to HTTPS.
10. Take Regular Backups
No security setup is perfect. Despite all your precautions, something could still go wrong. Regular backups ensure that even in the worst case scenario, you can restore your site quickly. Use a plugin like UpdraftPlus or BackupBuddy to schedule automatic backups, and make sure your backups are stored in a remote location such as Google Drive, Dropbox, or Amazon S3, not just on your server.
Common Questions About Directory Indexing in WordPress
Will Disabling Directory Indexing Break My Website?
No. Disabling directory indexing does not affect the way your website works for visitors in any way. It only changes what happens when someone tries to access a folder URL directly. Your pages, posts, images, and all front-end content will continue to work perfectly. The only change visitors will notice is that browsing your folder structure directly will now show a 403 error instead of a file list, which is exactly what you want.
Does WordPress Disable Directory Indexing by Default?
WordPress takes some precautions, such as placing blank index.php files in certain directories like wp-content and wp-content/plugins. However, WordPress does not fully disable directory indexing at the server level. The wp-content/uploads directory, for example, does not have this protection by default, which is a common vulnerability. This is why you need to take additional steps yourself.
What If I Do Not Have Access to the .htaccess File?
If you are on a managed hosting plan or a platform that does not give you access to server configuration files, your best options are to use a security plugin that handles this for you, or to contact your hosting provider and ask them to disable directory listing on your account.
Can I Disable Directory Indexing for Just One Folder?
Yes, you can. While it makes sense to disable it globally for the entire WordPress installation, you can also place an .htaccess file with the Options -Indexes directive inside a specific subfolder if you only want to protect that directory. This gives you granular control. However, applying the rule globally is generally the better and safer approach.
What Is the Difference Between 403 Forbidden and 404 Not Found?
A 403 Forbidden error means the server understood the request but is refusing to fulfill it due to access restrictions. This is exactly what you should see when someone tries to browse a directory on your site. A 404 Not Found error means the requested resource does not exist at all. When you disable directory indexing, you will get 403 errors for directory URLs, not 404 errors, and that is perfectly correct behavior.
How Often Should I Check if Directory Indexing Is Still Disabled?
Once you have properly disabled it using the .htaccess method, it will remain disabled unless someone changes or overwrites the file. It is a good practice to audit your .htaccess file every few months and whenever you make major changes to your hosting setup, migrate your site, or restore from a backup to ensure the protection is still in place.
Understanding WordPress Directory Structure
To fully appreciate why directory indexing protection is so important, it helps to understand how WordPress organizes its files and folders. Knowing your directory structure also helps you identify which directories are most sensitive and need the most protection.
The WordPress Root Directory
The root directory is the main folder where WordPress is installed. It contains core WordPress files like wp-login.php, wp-config.php, and wp-cron.php, as well as important folders. The wp-config.php file is particularly sensitive because it contains your database name, username, password, and secret keys. While this file is not directly browsable via directory indexing since it is a file and not a folder, protecting its parent directory is still important.
The wp-content Folder
This is arguably the most important directory to protect with directory indexing disabled. The wp-content folder contains all of your themes, plugins, and uploaded media files. It is organized into three main subdirectories:
- themes: Contains all installed WordPress themes. Exposing this allows anyone to browse your theme files and code.
- plugins: Contains all installed WordPress plugins. Exposing this reveals exactly which plugins you use and their versions.
- uploads: Contains all media and files uploaded to your site. This is the most sensitive because it may contain images, PDFs, documents, and other user or business files.
The wp-includes Folder
The wp-includes directory contains WordPress core files that power the platform’s functionality. While these files are part of the public WordPress software, exposing them still reveals information about your WordPress version and configuration that attackers can use.
The wp-admin Folder
The wp-admin folder contains the files for the WordPress administration area. This folder should be additionally protected with login restrictions, IP whitelisting, and two-factor authentication. Some advanced security setups also add HTTP authentication to this directory for an extra layer of protection.
Real-World Consequences of Leaving Directory Indexing Enabled
To drive home the importance of this security fix, let us look at some real-world scenarios where directory indexing has caused problems for website owners.
Scenario 1: Competitor Intelligence Gathering
Imagine you run an e-commerce store on WordPress. Your competitor discovers that your uploads directory is browsable. They spend an hour going through your folder structure and find product images that you have not yet published, pricing spreadsheets that were uploaded for reference, and details about upcoming products. They use this information to undercut your pricing before your launch. This kind of competitive intelligence gathering is entirely possible when directory indexing is left on.
Scenario 2: Plugin Version Exploitation
A security researcher (or a hacker) visits your plugins directory and sees that you are running an outdated version of a popular contact form plugin. They know that this version has a known SQL injection vulnerability. Using this information, they craft a targeted attack and gain unauthorized access to your website database. The entire attack was made possible because directory indexing revealed which plugin version you were running.
Scenario 3: Accidental Backup File Exposure
A developer working on your site creates a database export file and uploads it temporarily to your server to move it between environments. They forget to delete it. Because directory indexing is enabled, a malicious crawler finds this file, downloads it, and now has a complete copy of your database including customer names, email addresses, and hashed passwords. This constitutes a data breach with potential legal and financial consequences.
Scenario 4: Theme Source Code Theft
You purchased a premium WordPress theme for several hundred dollars. Because your themes directory is publicly browsable, another website owner discovers your theme files, downloads the PHP and CSS files, and sets up the same theme on their site without paying for it. You have now unwittingly facilitated software piracy.
These scenarios illustrate that the consequences of leaving directory indexing enabled are not just theoretical. They represent genuine risks that affect real websites every day.
Advanced .htaccess Security Rules for WordPress
Since we are already talking about the .htaccess file, it is worth sharing a few additional security rules that work well alongside the directory indexing fix. These rules add more layers of protection to your WordPress site without requiring any plugins.
Protect wp-config.php
Your wp-config.php file is one of the most critical files on your server. Add this rule to your .htaccess to block all external access to it:
<files wp-config.php>
order allow,deny
deny from all
</files>
Block Access to .htaccess Itself
You should also protect the .htaccess file itself from being read by browsers:
<files .htaccess>
order allow,deny
deny from all
</files>
Disable Script Execution in Uploads Directory
Even with directory indexing disabled, someone might find a way to upload a malicious PHP file to your uploads directory and execute it remotely. You can prevent this by disabling PHP execution in the uploads folder. Create a new .htaccess file inside the wp-content/uploads directory with the following content:
<Files *.php>
deny from all
</Files>
This ensures that even if a PHP file is somehow uploaded to your uploads folder, it cannot be executed by visiting its URL.
Block Access to Sensitive File Types
You can also add rules to block direct access to certain file types that should never be publicly accessible:
<FilesMatch "\.(sql|log|bak|config|ini)$">
order allow,deny
deny from all
</FilesMatch>
This prevents anyone from directly downloading SQL dumps, log files, backup files, or configuration files even if they somehow know the exact URL.
Conclusion
So, can directory indexing be turned off in WordPress? Absolutely, and doing so should be one of your very first security measures when setting up or maintaining a WordPress website. The process is simple, takes only a few minutes, and provides meaningful protection against a range of real-world threats.
To recap what we have covered in this guide: Directory indexing is a web server feature that displays folder contents when no index file is present. It is a security vulnerability because it exposes your file structure, reveals plugin and theme information, and can leak sensitive files to the public. You can check whether it is enabled by browsing directory URLs in your browser. The most effective way to disable it on Apache servers is to add Options -Indexes to your .htaccess file. Security plugins like Wordfence, Sucuri, and Solid Security can also handle this for you. Nginx users should contact their hosting provider. After disabling it, verify that the change worked by testing directory URLs. Disabling directory indexing should be combined with other security measures for a comprehensive security posture.
Take action today. Log in to your site, check whether directory indexing is enabled, and follow the steps in this guide to shut it down. Your website, your users, and your data will be better protected as a result.
WordPress security is not a one-time task. It is an ongoing commitment to keeping your site updated, monitored, and properly configured. But every journey begins with a single step, and disabling directory indexing is an excellent place to start.
About the Author
Jay Patel is the Founder of XSquareSEO, a full-service SEO agency with experience in on-page SEO, eCommerce SEO, link building, technical SEO, SaaS SEO, and local SEO. For more information, feel free to contact us.
