In this post, I will discuss how to disable directory browsing in WordPress and why it is useful for your WordPress website. By default, the contents of many WordPress folders, such as /wp-includes and /wp-content/uploads, are displayed openly to all users as "Index of" listings. These directories and files should be hidden from all users.
Let’s discuss what directory browsing is and how we can hide it in WordPress.
What is directory browsing?
As the name suggests, by default WordPress uses the directory structure to display files and folders. Users can easily browse through the files and folders of your WordPress website.
For example, take the wp-includes/ directory.
Go to any website URL like: http://your-domain-name/wp-includes/
And you will see the entire contents of this directory, under a heading like Index of /wp-includes.
Another example is the wp-content/uploads/ directory.
Go to any website URL like: http://your-domain-name/wp-content/uploads/
And you will see the entire contents of this directory, under a heading like Index of /wp-content/uploads.
Why do you need to disable directory browsing in WordPress?
1) Security of your website: Any user can access the PHP files, critical directories, code and other files in your website. This gives hackers a lot of ways to browse through your files and folders and possibly find vulnerabilities in your WordPress website.
2) Not for any WordPress users: This section is certainly not for any WordPress users, including the admins and the moderators. All your readers will be on the front end of the website, which is the posts and pages. None will ever venture here. So, there’s no point in showing this to any user. This section should actually never be visible to anyone.
3) Definitely not for search engines: I don’t think search engines want to locate this section of the website. If you have a large website, then search engines already have to index a lot of posts and pages of your website. There’s absolutely no need to display this content to the search engines.
4) Does not look professional: These directories don’t look professional at all compared to your posts and pages. Also, you can’t change the design of these directories to match your website.
5) Creates mobile usability issues, errors and warnings in Google Search Console: It’s a good idea to use Google webmaster tools or Google Search Console for your website. It provides you with index status and performance of your website based on many different parameters. In Search Console you can also submit your sitemap file easily so that your website will be quickly and accurately indexed by Google.
Recently for a website we got an email from Google Search Console which read:
New Mobile Usability issues detected for site http://name-of-website.com
To owner of http://name-of-website.com,
Search Console has identified that your site is affected by 3 new Mobile Usability related issues. This means that Mobile Usability may be negatively affected in Google Search results. We encourage you to fix these issues.
Top new issues found, ordered by number of affected pages:
- Clickable elements too close together
- Viewport not set
- Text too small to read
When I logged in to Google Search Console, I saw that the error was for one of the /wp-content/uploads folders.
So, when I disabled directory browsing, the mobile usability issue was fixed for good for all those folders.
Now you know why we must disable directory browsing for a WordPress website. Let’s see how to do that.
How to disable directory browsing in WordPress?
To disable directory browsing using the .htaccess file, log in to your cPanel account if your web host provides cPanel. You can also use an FTP program like FileZilla to edit the .htaccess file. Here, I will use cPanel to edit the .htaccess file.
1) Log in to your cPanel account.
2) Click on File Manager in cPanel account.
3) Open public_html or root directory of your website.
4) Here you will find the .htaccess file for your website. If you can’t see the .htaccess file, it is probably hidden. Click on the Settings button on the far right side of your cPanel account.
5) In the Preferences window, check the option Show Hidden Files (dotfiles) and then click on the Save button.
6) Now, you can edit .htaccess file.
7) A simple .htaccess file may look like:
8) Add the following code after the line # END WordPress
9) The updated .htaccess will look like:
10) Click on Save Changes.
That’s it. You have successfully disabled directory browsing in your WordPress website.
Now, if anyone visits the /wp-includes and /wp-content/uploads directories, they will see the 404 Page Not Found error and the directory structure will be hidden from all users.
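To confirm the change took effect, the check below requests the two directories named in this post and reports whether each still returns an "Index of" listing and which entries it reveals. It is an added example, not code from the original post; the function names, the constructed sample responses, and the assumption that the listings are Apache-generated autoindex pages are assumptions of the example.

```python
import re
import urllib.error
import urllib.request

# The two directories the post names as browsable.
PATHS = ["/wp-includes/", "/wp-content/uploads/"]
# Apache's mod_autoindex titles its generated pages "Index of /<path>".
AUTOINDEX = re.compile(r"<title>\s*Index of /", re.I)
# Entry links only: column-sort links ("?...") and parent links ("/...") are skipped.
HREF = re.compile(r'<a href="([^"?/][^"]*)"', re.I)

def classify(status, body):
    """Map one HTTP response to 'exposed', 'hidden' or 'error'."""
    if status >= 500:
        # e.g. the host does not permit the directive in .htaccess
        return "error"
    if status == 200 and AUTOINDEX.search(body):
        return "exposed"
    return "hidden"  # 403/404, or a 200 page that is not a listing

def listed_entries(body):
    """File and folder names that a listing page reveals."""
    return HREF.findall(body) if AUTOINDEX.search(body) else []

def fetch(url, timeout=10):
    """GET url and return (status, body); HTTP errors are results, not exceptions."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def audit(base_url, fetcher=fetch):
    """Check each path under base_url; return {path: (verdict, entries)}."""
    report = {}
    for path in PATHS:
        status, body = fetcher(base_url.rstrip("/") + path)
        report[path] = (classify(status, body), listed_entries(body))
    return report

# Constructed sample responses (not captured from a real site).
SAMPLE_LISTING = ('<html><head><title>Index of /wp-includes</title></head><body>'
                  '<a href="?C=N;O=D">Name</a><a href="/">Parent Directory</a>'
                  '<a href="css/">css/</a><a href="version.php">version.php</a>'
                  '</body></html>')
SAMPLE_FORBIDDEN = "<html><head><title>403 Forbidden</title></head></html>"

if __name__ == "__main__":
    print("before:", audit("http://your-domain-name", lambda u: (200, SAMPLE_LISTING)))
    print("after: ", audit("http://your-domain-name", lambda u: (403, SAMPLE_FORBIDDEN)))
```

Call `audit("http://your-domain-name")` against your own site before and after the edit. An `error` verdict right after saving .htaccess usually means the server rejected the file, so restore the previous version.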
Happy Blogging!