How to Disable Directory Browsing in WordPress
If you run a WordPress website, you might not realize that your web server could be revealing more information than you intend. When directory browsing (also called directory listing) is enabled, anyone can see the contents of your site’s folders just by typing the right URL in their browser.
For example, visiting something like:
https://example.com/wp-content/uploads/
could show a list of every image, PDF, or file stored in that folder. While this may seem harmless at first, it can expose sensitive data and make it easier for attackers or scrapers to explore your website’s internal structure.
In this guide, I will explain what directory browsing is, why you should disable it, and the easiest ways to turn it off in WordPress.
What Is Directory Browsing?
Directory browsing is a web server feature that allows visitors to see a list of files inside a folder when there is no index file (like index.php or index.html).
For example, if a folder contains:
/images/
photo1.jpg
logo.png
banner.jpg

then a visitor could view all these files directly in the browser if directory browsing is enabled.
This might not sound like a big issue, but it gives away valuable information about your website’s structure, themes, plugins, and uploaded files.
Why Is Directory Browsing a Security Risk?
Even if your website only publishes articles or images, leaving directory browsing enabled can create unnecessary risks.
1. Unintended File Exposure
Sometimes, leftover or temporary files like backups, logs, or test scripts may exist inside folders. With directory browsing enabled, these files can be discovered and downloaded by anyone.
2. Easier Path for Attacks
Knowing your exact folder structure, plugin names, or theme files can help attackers target known vulnerabilities or plan more advanced exploits like LFI (Local File Inclusion) or RCE (Remote Code Execution).
3. Media and Content Theft
If your uploads folder is publicly accessible, anyone can easily download all your media files, PDFs, or videos in bulk.
4. Accidental Data Leaks
If a spreadsheet or export file containing personal or business data is uploaded by mistake, directory listing can make it publicly visible.
5. Professionalism and Privacy
Even if no sensitive data exists, it looks unprofessional for a website to display raw folder listings. Disabling directory browsing is part of basic website hardening.
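To see which of your own folders would be exposed, the following added example (not from the original article) walks a WordPress document root on the server and reports folders that have no index file, plus leftover backup, log and export files like those described in points 1 and 4. The index file names, the suffix list and the sample tree are assumptions made for illustration.

```python
import os
import sys
import tempfile

# Assumptions: adjust both to match your server's index setting and your own file types.
INDEX_NAMES = {"index.php", "index.html", "index.htm"}
RISKY_SUFFIXES = (".sql", ".zip", ".tar.gz", ".bak", ".old", ".log", ".csv", ".xlsx")


def audit_docroot(root):
    """Return (listable_dirs, risky_files) as sorted '/'-separated paths relative to root."""
    listable, risky = [], []
    for current, _dirs, files in os.walk(root):
        rel = os.path.relpath(current, root).replace(os.sep, "/")
        # No index file: the server would list this folder if browsing is enabled.
        if not {f.lower() for f in files} & INDEX_NAMES:
            listable.append(rel)
        for name in files:
            if name.lower().endswith(RISKY_SUFFIXES):
                risky.append(name if rel == "." else f"{rel}/{name}")
    return sorted(listable), sorted(risky)


def build_sample_tree(root):
    """Create a small constructed layout (not a real site) for an offline run."""
    for rel in ("index.php", "wp-content/index.php",
                "wp-content/uploads/site-backup.sql",
                "wp-content/uploads/2024/photo1.jpg",
                "wp-content/uploads/2024/customers-export.csv"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


def main(argv):
    if len(argv) > 1:                       # audit a real document root
        listable, risky = audit_docroot(argv[1])
    else:                                   # offline demo on the constructed tree
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            listable, risky = audit_docroot(tmp)
    for d in listable:
        print("no index file:", d)
    for f in risky:
        print("leftover/export file:", f)


if __name__ == "__main__":
    main(sys.argv)
```

Run it with the path to your document root (for example /public_html/) as the only argument; without an argument it audits the constructed sample tree.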
How to Check if Directory Browsing Is Enabled
You can quickly test this by visiting one of your WordPress directories, for example:
https://yourdomain.com/wp-content/uploads/
If you see a list of files and folders, directory browsing is enabled.
If you see a blank page or a “403 Forbidden” message, it is already disabled — which is good.
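The same check can be scripted so it covers several folders at once and can be repeated after every server change. This is an added example, not code from the original article: it requests each directory on your own site and labels the response as a listing, a 403, or no listing. The directory list, the example.test host and the sample responses are constructed assumptions, and the "Index of /" match is a heuristic based on the page Apache and Nginx generate.

```python
import re
import sys
import urllib.error
import urllib.request

# Apache and Nginx auto-generated listings put "Index of /<path>" in <title> and <h1>.
LISTING_RE = re.compile(r"<(title|h1)>\s*Index of /", re.IGNORECASE)
# Assumed typical WordPress directories; adjust to your own layout.
WP_DIRS = ["wp-content/uploads/", "wp-content/plugins/", "wp-content/themes/", "wp-includes/"]


def classify(status, body):
    """Map one directory response to 'listing', 'forbidden' or 'no-listing'."""
    if status == 200 and LISTING_RE.search(body):
        return "listing"          # directory browsing is enabled
    if status == 403:
        return "forbidden"        # the result Options -Indexes / autoindex off produce
    return "no-listing"           # blank index file, 404, or some other page


def fetch(url, timeout=10):
    """GET url; return (status, first 64 KiB of body). HTTP errors are results here."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


def audit(base_url, fetcher=fetch):
    """Check every directory in WP_DIRS under base_url; return {dir: verdict}."""
    base = base_url.rstrip("/") + "/"
    return {d: classify(*fetcher(base + d)) for d in WP_DIRS}


# Constructed sample responses so the script also runs offline (not from a real site).
SAMPLE = {
    "wp-content/uploads/": (200, "<html><head><title>Index of /wp-content/uploads</title>"
                                 "</head><body><h1>Index of /wp-content/uploads</h1>"),
    "wp-content/plugins/": (200, ""),          # blank index file
    "wp-content/themes/": (200, ""),
    "wp-includes/": (403, "<h1>Forbidden</h1>"),
}


def sample_fetcher(url):
    return SAMPLE[url.split("example.test/", 1)[1]]


if __name__ == "__main__":
    live = len(sys.argv) > 1
    results = audit(sys.argv[1]) if live else audit("https://example.test", sample_fetcher)
    for path, verdict in results.items():
        print(f"{verdict:11} {path}")
```

Pass your site's base URL as the argument to run it live; any folder reported as "listing" still has directory browsing enabled.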
How to Disable Directory Browsing in WordPress
The good news is that disabling directory browsing is simple and can be done in a few minutes. Depending on your server type, you can do it using .htaccess or through your hosting control panel.
Method 1: Disable Directory Browsing Using .htaccess (For Apache or LiteSpeed)
Most WordPress websites are hosted on Apache or LiteSpeed servers, and both use an .htaccess file for configuration.
You can use an FTP client (like FileZilla) or your hosting file manager to open your website root directory (usually /public_html/). There, locate the .htaccess file. This file is usually in the root of your WordPress installation, alongside wp-config.php. If you do not see it, enable “Show Hidden Files” in your file manager.
Add the following line at the end of your .htaccess file:
Options -Indexes
Save the changes and upload the file back to your server.
Visit https://yourdomain.com/wp-content/uploads/.
You should now see a “403 Forbidden” or “Access Denied” message.
That means directory browsing is disabled successfully.
Method 2: Disable Directory Browsing in Nginx
If your website is hosted on an Nginx server, .htaccess will not work because Nginx uses a different configuration format.
You will need to edit your site’s configuration file (usually found in /etc/nginx/sites-available/yourdomain.com).
Open the configuration file and look for a block that starts with:
server {
...
}
Add the following line inside the server block:
autoindex off;
Save the file and reload Nginx using the following command:
sudo systemctl reload nginx
Once done, directory listing will be disabled for your entire website.
Final Words
Disabling directory browsing in WordPress is one of those small but essential steps every website owner should take. Even if you do not store sensitive data, keeping your directory structure private is a smart move.
It prevents content scraping, hides internal paths from attackers, and ensures your site looks professional and secure.
Take a few minutes to add the Options -Indexes rule or turn off indexing in your hosting panel. Once done, your WordPress website will be more secure and protected from unwanted snooping.