By default when your web server does not find an index file (i.e. a file like index.php or index.html), it automatically displays an index page showing the contents of the directory. This could make your site vulnerable to hack attacks by revealing important information needed to exploit a vulnerability in a WordPress plugin, theme, or your server in general. In this article, we will show you how to disable directory browsing in WordPress.

Why You Need to Disable Directory Browsing in WordPress

Directory browsing can be used by hackers to find out if you have any files with known vulnerabilities, so they can take advantage of these files to gain access. For the comprehensive security of our sites, we use Sucuri for WordPress security. They have a simple dashboard which allows us to do this and perform many other WordPress security strengthening steps with in few clicks.

Directory browsing can also be used by other people to look into your files, copy images, find out your directory structure, and other information. This is why it is highly recommended that you turn off directory indexing and browsing.

Video Tutorial

Subscribe to WPBeginner

If you don’t like the video or need more instructions, then continue reading.

To disable directory browsing in WordPress all you need to do is add a single line of code in your WordPress site’s .htaccess file located in the root directory of your website. To edit the .htaccess file you need to connect to your website using an FTP client.

Once connected to your website, you will find a .htaccess file in your site’s root directory. .htaccess is a hidden file, and if you can not find it on your server, you need to make sure that you have enabled your FTP client to show hidden files.

You can edit your .htaccess file by downloading it to your desktop and opening it in a text editor like Notepad. Now at the end of your WordPress generated code in the .htaccess file simply add this line at the bottom:

Options -Indexes

Now save your .htaccess file and upload it back to your server using your FTP client. That’s all you need to do. Directory browsing is now disabled on your WordPress site and people trying to locate a directory index on your website will be redirected to WordPress 404 page.

We hope this article helped you learn how to disable directory browsing in WordPress to make your website more secure. For questions and feedback you can leave a comment below or join us on Twitter.