Disable Directory Browsing Of Website Using .htaccess
If you host your website or WordPress blog on an Apache web server, you can disable Apache directory listing with the directory listing options in .htaccess. By default, Apache usually displays the contents of a directory if there is no index file in it. Let us discuss how to disable directory browsing by adding commands to the .htaccess file.
Before moving to the solution, let us see why directory listing is a security threat in certain cases. Many websites list the files in a directory if an index file is missing from it. This may be useful in some cases, but in others it creates security issues, such as exposing the directory structure and vulnerable files to attackers. It may also expose your project or similar content to the general public when you don’t want it to. Disabling directory listing prevents others from surveying your site for vulnerabilities.
In the case of WordPress, directory listing may expose installation details such as the version, which may then be used to attack the site through known vulnerabilities.
If you are not familiar with the .htaccess file then you can go through the below posts to know more about it.
- .htaccess Tutorial - A guide and .htaccess tricks and tips
- How to create and use .htaccess file? Common usage and risks
- Password Protecting website Pages and Directories using .htaccess
- Block IP Address of The Spammer Using .htaccess to Block Spam
How to Check Whether Directory Listing Is Enabled or Disabled
It is very easy to verify whether directory listing is enabled. If your website platform is WordPress, just try to access the URL below.
“http://yourdomain/wp-includes/”, where “yourdomain” is your website or blog’s domain name. If the browser lists the files under the folder, directory listing is enabled for your website. If you get a “403 Permission Denied” error page or a blank page, directory listing is disabled.
How To Disable Directory Listing using .htaccess ?
You can disable directory listing for your website through configuration in the .htaccess file. To do this, your website must be on an Apache web server and your web host must have enabled .htaccess server overrides.
Edit your web server's .htaccess file and add the command that disables directory listing by following the steps below.
Find and edit existing .htaccess file or create a new one
- Connect to your website using FTP or SFTP software. Go to the top web directory of your site and look for a file called “.htaccess” (enable hidden file view). Usually the top directory will be “htdocs” or “public_html”.
- An alternate approach is to log in to your website control panel (cPanel or similar). Browse the top-level directory and find the “.htaccess” file.
- If the “.htaccess” file is not available, you can create a new one and upload it to the top-level directory. Open any text editor, create a new file and save it as “.htaccess”. Remember that the file name is empty here; the extension is .htaccess.
- If the file is available take a backup of the file before editing.
Disable directory listing
- Add the following lines to the end of your .htaccess file.
    # Disable directory listing
    Options -Indexes

The first line is a comment and the second line is the command that disables directory listing. This command prevents Apache’s “mod_autoindex” from listing the directory content if there is no DirectoryIndex file (e.g., index.html) in that directory.
Save the file and upload it to the top directory (“htdocs” or “public_html”) of your website.
Once uploaded check your website again to make sure that your edit didn’t create any other issues.
Access the “http://yourdomain/wp-includes/” directory (replace “yourdomain” with your website name) as mentioned above and see whether the browser lists the files under the directory or returns the “403 Permission Denied” error. If you get the 403 error message, you have successfully disabled directory listing for your website.
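The browser check above covers one directory at a time. The following script is an added example, not part of the original post: it audits a local copy of the web root and reports every directory without an index file where listing would still be on. It goes slightly beyond the steps above by also catching a subdirectory .htaccess that re-enables listing. The function names, the `INDEX_NAMES` list and the `server_default` flag are assumptions of this example, and it assumes the host lets .htaccess set `Options`.

```python
import os
import tempfile
from pathlib import Path

INDEX_NAMES = ("index.html", "index.php")  # assumption: the server's DirectoryIndex list

def indexes_after(htaccess_text, state):
    """Apply the Options directives of one .htaccess to the inherited Indexes state."""
    for line in htaccess_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].lower() != "options":
            continue  # comments and other directives leave the state alone
        opts = [p.lower() for p in parts[1:]]
        if not any(o[0] in "+-" for o in opts):  # absolute form replaces the whole set
            state = "indexes" in opts or "all" in opts
        elif "+indexes" in opts:
            state = True
        elif "-indexes" in opts:
            state = False
    return state

def audit(docroot, server_default=True):
    """Return docroot-relative directories that would get an auto-generated listing."""
    exposed = []
    def walk(path, state):
        ht = os.path.join(path, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8", errors="replace") as fh:
                state = indexes_after(fh.read(), state)
        entries = sorted(os.listdir(path))
        if state and not any(n in entries for n in INDEX_NAMES):
            exposed.append(os.path.relpath(path, docroot))
        for name in entries:
            child = os.path.join(path, name)
            if os.path.isdir(child) and not os.path.islink(child):
                walk(child, state)
    walk(docroot, server_default)
    return exposed

def demo():
    """Constructed sample tree, audited before and after adding the .htaccess files."""
    with tempfile.TemporaryDirectory() as root:
        for d in ("wp-includes", "uploads/2020", "old"):
            os.makedirs(os.path.join(root, d))
        Path(root, "index.php").touch()
        before = audit(root)
        Path(root, ".htaccess").write_text("# Disable directory listing\nOptions -Indexes\n")
        Path(root, "old", ".htaccess").write_text("Options +Indexes\n")
        return before, audit(root)

if __name__ == "__main__":
    print(demo())
```

Run `audit()` against a downloaded copy of your site's top directory; an empty list means no directory would be listed, given the stated assumptions.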