How to disable directory browsing in WordPress
If you’ve ever stumbled across a bare directory listing filled with files on a WordPress site, you’ve seen a major security risk in action. That’s directory browsing, also called directory indexing, and it’s one of the easiest ways attackers can peek into your site’s file structure.
Let’s walk through how to disable it, why it matters, and the different options you have.
What is directory browsing and why is it dangerous?
By default, if a folder on your WordPress server doesn’t have an index file (like index.php or index.html), your web server might display a full list of files in that folder. This is called directory browsing.
That might not sound like a big deal—but it absolutely is. Hackers and bots often scan for open directories because they can:
- View backup files, plugin code, or sensitive data
- Download vulnerable scripts to exploit them locally
- Discover site structure for future attacks
And it’s not just about security. Search engines may index these directories, cluttering your search results with random file listings and damaging your SEO.
How to check if directory browsing is enabled
Before you disable it, you can test whether it’s currently active. Just type in the URL to a folder on your site that doesn’t have an index file. For example:
https://yoursite.com/wp-includes/
If you see a list of files, you have directory browsing enabled. If you see a blank page or a 403 Forbidden error, it’s already disabled.
Method 1: Disable directory browsing using .htaccess
This is the most reliable and direct method, especially for Apache-based servers (which most WordPress hosts use). You’ll need to edit your site’s .htaccess file.
Step-by-step instructions
- Access your .htaccess file: You can find this file in the root directory of your WordPress installation. Use an FTP client like FileZilla, or go through your hosting control panel (such as cPanel > File Manager).
- Back up the file: Download a copy before making changes. Mistakes in this file can cause site errors.
- Edit the file: Open the file in a text editor and scroll to the bottom. Add this line:
  Options -Indexes
- Save and upload: If you’re editing it locally, re-upload the file. If you’re editing it through cPanel, just save.
- Test your site: Go back to the folder URL you tested earlier. It should now return a 403 error or blank page instead of a file list.
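The manual check from "How to check if directory browsing is enabled" and the final "Test your site" step can be scripted. This is an added example, not code from the original article, and it goes beyond the single URL to check several directories of your own site; the function names, the example.test host and the paths other than wp-includes/ are assumptions, and the sample responses are constructed.

```python
import re
import urllib.error
import urllib.request

# Apache mod_autoindex and NGINX autoindex both title the page "Index of /<path>".
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

# Only wp-includes/ comes from the article; the other paths are assumed defaults.
DEFAULT_PATHS = ("wp-includes/", "wp-content/uploads/", "wp-content/plugins/")


def classify(status, body):
    """Map one HTTP response to the outcomes the article describes."""
    if status == 200 and LISTING_RE.search(body):
        return "listing-enabled"      # file list is visible
    if status == 403:
        return "blocked"              # 403 Forbidden
    if status == 200:
        return "no-listing"           # blank page or an index file was served
    return "inconclusive"             # anything else (404, 5xx): inspect by hand


def fetch(url, timeout=10):
    """Real fetcher: returns (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlisting-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def audit(base_url, paths=DEFAULT_PATHS, fetcher=fetch):
    """Check each directory under base_url; return {path: outcome}."""
    base = base_url.rstrip("/") + "/"
    return {p: classify(*fetcher(base + p)) for p in paths}


# Constructed sample responses (not captured from a real site) for an offline run.
SAMPLE = {
    "https://example.test/wp-includes/": (
        200, "<html><head><title>Index of /wp-includes</title></head>"
             "<body><h1>Index of /wp-includes</h1></body></html>"),
    "https://example.test/wp-content/uploads/": (403, "<h1>Forbidden</h1>"),
    "https://example.test/wp-content/plugins/": (200, ""),
}

if __name__ == "__main__":
    for path, outcome in audit("https://example.test", fetcher=SAMPLE.get).items():
        print(f"{outcome:16} {path}")
```

To run it against your own site, call `audit("https://yoursite.com")` and leave the default fetcher in place.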
Important .htaccess notes
- Make sure the .htaccess file has the correct file permissions—usually 644.
- If changes don’t seem to take effect, clear your browser cache or try accessing the folder in an incognito window.
- Some themes or plugins might override .htaccess behavior, so if it’s not working, skip to the plugin method below.
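When the change does not seem to take effect, the .htaccess file itself is worth checking: a later `Options` line in the same file can turn Indexes back on. The following is an added example, not code from the original article; the function names and the sample file contents are constructed, and it reads directives in file order without modelling container sections or settings inherited from the main server config.

```python
def indexes_setting(htaccess_text):
    """Return True/False for the Indexes state this file sets, or None if unset."""
    state = None
    for raw in htaccess_text.splitlines():
        tokens = raw.strip().split()
        # Skip blanks, comment lines and every directive other than Options.
        if not tokens or tokens[0].startswith("#") or tokens[0].lower() != "options":
            continue
        opts = [t.lower() for t in tokens[1:]]
        if not opts:
            continue
        if all(o[0] in "+-" for o in opts):
            # Relative form (+X / -X): merged into what is already in effect.
            for o in opts:
                if o[1:] == "indexes":
                    state = o[0] == "+"
        else:
            # Absolute form replaces the whole option set; "All" includes Indexes.
            # (Mixing absolute and +/- options is a syntax error; not modelled.)
            state = any(o in ("indexes", "all") for o in opts)
    return state


def review(htaccess_text):
    """Turn the parsed state into a one-line finding."""
    state = indexes_setting(htaccess_text)
    if state is False:
        return "ok: directory listings disabled"
    if state is True:
        return "fix: an Options line leaves Indexes enabled"
    return "unset: inherits the server default; add 'Options -Indexes'"


# Constructed sample files, not taken from a real site.
GOOD = "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\nOptions -Indexes\n"
OVERRIDDEN = GOOD + "# block appended later (constructed)\nOptions All\n"

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("overridden", OVERRIDDEN)):
        print(name, "->", review(text))
```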
Method 2: Use a plugin to disable directory browsing
If you’re not comfortable editing configuration files by hand or you want extra security features, plugins are a great alternative.
Recommended plugins
- Sucuri Security: Offers firewall protection, malware scanning, and the option to harden your site by disabling directory browsing (in premium plans).
- iThemes Security: Provides a one-click way to turn off directory listing, along with many other security features.
- Prevent Direct Access: Focuses on file protection and includes tools to control who can access certain directories.
Once installed, these plugins typically include a “Hardening” or “File Permissions” tab where you can enable protection against directory browsing.
Method 3: Block indexing with WordPress settings (not the same, but helpful)
While this doesn’t stop file listing, you can prevent search engines from indexing your whole site or directories.
Go to Settings > Reading in your WordPress dashboard and check the box for “Discourage search engines from indexing this site.” This sends a noindex request in your site’s metadata.
This method won’t stop humans or bots from viewing directory listings—it’s just a polite request to search engines.
Bonus tip: Use server-level tools if you’re not on Apache
If you’re using NGINX instead of Apache, .htaccess changes won’t do anything. You’ll need to update your server config like so:
autoindex off;
This should go inside the location / block of your NGINX config file. If you’re not sure how to do this, contact your host or server admin.
Next steps for disabling directory browsing in WordPress
Disabling directory browsing is one of the simplest but most important steps you can take to protect your WordPress site. It helps block unwanted access to your files and keeps your directory structure private.
If you haven’t done this yet, take 5 minutes to either update your .htaccess file or install a reputable security plugin that includes this feature.
Lindsey Miller is the former Partner Manager for Liquid Web Managed WordPress Hosting. She’s been involved in various aspects of the WordPress community for over 7 years and helped start a non-profit teaching kids to code, The Div.