How to Disable Directory Browsing in WordPress

Do you want to disable directory browsing in WordPress? This article will show you the exact steps required to disable them.

Several users often overlook the importance of disabling directory browsing, which can lead to further privacy, security, and even SEO issues. This can even result in a poor user experience for your website visitors. So it is essential to disable directory browsing.

However, before you disable directory browsing, let’s first understand what it is and why it needs to be disabled temporarily.

What is Directory Browsing

Directory browsing is a feature provided by web servers that allows users to view all the contents of a directory or a folder when no default index file is found within the directory. Hence, directory browsing is also known as folder browsing or folder listing.

When directory browsing is enabled, the web server will generate a listing of files and subdirectories within the directory if a user accesses a directory that does not have a default index file. The index file may include files such as index.html or index.php.

This listing typically includes the names, sizes, and modification dates of the files and folders. But it may also include additional information, such as file permissions or file types. It can also be presented in a simple text format or rendered as an HTML page with clickable links to navigate the directory structure.

Why Disable Directory Browsing in WordPress

There are several reasons why you should disable directory browsing on WordPress:

• Privacy and security: Directory browsing can expose sensitive information about a website’s file structure, including file names, directories, and contents. Attackers can exploit this information to gain insights into the website’s architecture. As a result, they may be able to identify potential vulnerabilities or sensitive files that should not be accessible to the public.
• Unauthorized access: Directory browsing can unintentionally grant access to files that are not intended for direct user access. These files may include configuration files or backup files containing sensitive information. So they may be exposed if directory browsing is enabled.
• Search Engine Optimization (SEO): Enabling directory browsing can lead to duplicate content issues from the perspective of search engines. Search engines may index multiple URLs that point to the duplicate content, diluting the relevance of individual pages and impacting the website’s search engine rankings.
• Better user experience: Directory browsing can create a poor user experience by presenting users with a list of files instead of a meaningful webpage. It can be misleading and make it difficult for visitors to navigate the website effectively.

However, before we proceed to disabling directory browsing on your WordPress website, please verify if it’s enabled.

How to Check Whether the Directory Browsing is Enabled or Not

The easiest way to check whether directory browsing is enabled on your WordPress website is by adding the path “/wp-includes” at the end of your website domain. For example, enter the URL “https://yourdomainname.com/wp-includes” on your web browser.

Directory browsing is enabled on your website if you see a list of files and folders.

On the other hand, if you see a 403 error or something similar, the directory browsing is already disabled on your website.

How to Disable Directory Browsing in WordPress

You can easily disable directory browsing in WordPress. Here are the primary methods you can follow:

1. cPanel
2. FTP
3. Using a Plugin
4. Contact hosting support

We’ll go through each of these methods in detail, allowing you to select the approach that suits you best.

1) Disable Directory Browsing in WordPress from cPanel

If you have access to cPanel and are familiar with its interface, you can quickly disable directory browsing on WordPress. First, log in to your cPanel account by entering the credentials provided by your hosting service. Then, scroll down to the Files section and click on File Manager.

Here, you can see all the files and folders of your WordPress website. Open the “public_html” folder and find the .htaccess file in this directory.

Note: If you can’t see the .htaccess file, go to your settings and check the Show Hidden Files option. Make sure you save the changes.

After locating the .htaccess file, download it to your computer and edit it using a plain text editor, such as Notepad++.

However, before making any further changes to it, we recommend creating a copy of the .htaccess file and naming it something like .htaccessbackup.

After you make a copy of the .htaccess file, add the following line of code at the end of the file.

Options -Indexes

Your file may look something like this:

Finally, save the .htaccess file after adding the code and upload it to the file manager of the cPanel. Since the .htaccess file already exists in your WordPress file directory, you’ll have to replace it with the new file when you upload it.

Now, check if the directory browsing is disabled by adding the path “/wp-includes” at the end of your domain once again. You can see that it is now disabled.

2) Disable Directory Browsing in WordPress with FTP

Using FTP is a great alternative to edit the files of your WordPress website if you don’t have access to cPanel.

Disabling directory browsing using FTP is quite similar to disabling it in WordPress using the cPanel. You will have to manually edit the .htaccess file of your WordPress website and upload it using an FTP client. So let’s start with connecting your website with an FTP client

2.1) Connect your Website with an FTP Client

Several FTP clients like FileZilla and Cyberduck can connect to your website for file transfer. They’re all similar to use, but we will use FileZilla for this demonstration. You can download and install it from its official website.

After installing FileZilla on your computer, open the application and go to File > Site Manager. You can also use the keyboard shortcut Ctrl+S for it.

Now, click on New Site in the site manager and enter the name of your site on the left side of the dialogue box.

Then, enter the credentials provided by your hosting services on the right side of your screen under the General tab, and finally, click on Connect.

You should be able to access your website files now in the remote site section. If you encounter any issues, please refer to our detailed guide on accessing FTP for WordPress websites.

2.2) Edit and Replace .htaccess File

If you look at the remote site section, you can see all the file directories of your website. Here, you need to open the public_html folder, where the .htaccess file is located.

Just drag and drop it to the Local site section of the application. The local site represents the file directory of your personal computer.

Then, edit the .htaccess file using a plain text editor, such as Notepad++, and add the following line of code at the bottom.

Options -Indexes

Note: This step is identical to that of the previous approach. However, please ensure that you create a backup of the file by making a copy of it, as mentioned earlier.

Save the file after you’ve added the code and upload it to the Remote site using drag and drop again.

This should disable directory browsing on your WordPress website. So check it by adding the path “/wp-includes” at the end of your domain name.

3) Disable Directory Browsing in WordPress Using a Plugin

Suppose you don’t have the necessary credentials to access cPanel or the FTP client, but you only have access to the WordPress dashboard. In that case, you can still disable directory browsing using a plugin. Plugins help add functionalities to your website that are not included in WordPress or your default theme.

So it’s the same case with disabling directory browsing.

Many plugins allow you to disable directory browsing in WordPress by editing the .htaccess file. Even several security and SEO plugins will enable you to edit the file if you already use them on your website. Alternatively, you can use a dedicated plugin to automatically disable directory browsing.

We will use the plugin WP safely disable directory browsing for this tutorial. It is a straightforward plugin that allows you to disable directory browsing on your website with just a single click.

To start using the plugin, you must first install and activate it.

3.1) Install and Activate the Plugin

To install the plugin, go to Plugins > Add New from your WordPress dashboard and search for the keywords of the plugin. After you see the plugin in the search results, click Install Now.

The installation will take a few seconds to complete. Once it’s complete, click Activate to activate the plugin.

3.2) Disable Directory Browsing from Plugin Settings

You can start using the plugin settings by going to Settings > Safe Directory from your WordPress dashboard after the plugin is activated. You will see only one option here.

So, check the Disable Directory Browsing of the directory here and click on Save & Write to save your changes.

That’s it! The Directory browsing is disabled on your WordPress website. You can verify this by adding the “/wp-includes” path to the end of your domain.

4. Contact Hosting Support Team

If you still can’t resolve the situation, the next step is to contact the support team of your web hosting provider. You can raise a support ticket via the account dashboard, and the team will take care of it.

Most popular web hosting providers have a good response time, and this issue will be fixed as soon as possible.

Bonus: Disable Directory Browsing using Rank Math

The plugin WP safely disable directory browsing hasn’t been updated for quite a while, even though it works perfectly. We will also show you an example using an alternative plugin.

As mentioned earlier in this article, you can disable using an SEO or a security plugin to disable directory browsing by editing the .htaccess file. Plugins like Hide My WP Ghost and WP Encryption provide a reliable option to automatically disable directory browsing.

However, we will use the Rank Math SEO plugin in this section, as it is a popular SEO plugin that allows you to edit the .htaccess file in its free version. Let’s start by reinstalling and activating the plugin again.

Install and Activate Rank Math

Go to Plugins > Add New from your WordPress dashboard and enter the keywords of the plugin, just like the previously mentioned steps. Then, click “Install Now” to install the plugin.

After the installation is complete, activate the plugin. You can now start using the plugin.

If you wish to use any premium plugins, you must upload and manually install them. We have a detailed guide on installing a WordPress plugin manually if you need further assistance.

Edit .htaccess File Using Plugin Editor

To edit the .htaccess file, go to Rank Math > General Settings from your WordPress dashboard and open the Edit .htaccess tab. The plugin includes a dedicated text editor for editing the .htaccess file.

Enter the following code line at the end of the file.

Options -Indexes

Once you’ve added it, click Save Changes.

Lastly, check if directory browsing is disabled on your website by adding the path “/wp-includes” in your domain name.

Disable Directory Browsing on NGINX Servers

If your WordPress site is hosted on an NGINX server, you won’t be able to use the .htaccess method because NGINX doesn’t rely on it. Instead, you need to adjust the server configuration directly.

Locate your server block file (often found inside /etc/nginx/sites-available/) and add the following directive inside the block handling your domain:

location / {
    autoindex off;
}

The autoindex off; rule ensures that directory listings are disabled for your website. After saving the file, test the configuration with:

nginx -t

If no errors appear, reload NGINX using:

systemctl reload nginx

This method effectively prevents directory browsing on NGINX servers and adds an extra layer of security to your WordPress site, keeping sensitive files hidden from visitors and bots.

Best Practices After Disabling Directory Browsing

Disabling directory browsing is a crucial first step, but you should also follow other best practices to keep your WordPress website safe and optimized:

• Update WordPress Regularly – Always keep your WordPress core, themes, and plugins up to date to patch security vulnerabilities.
• Use Strong File Permissions – Restrict unnecessary write access and configure secure permissions (e.g., 644 for files, 755 for directories).
• Install SSL (HTTPS) – Encrypt data transmission with an SSL certificate for better security and SEO.
• Leverage Security Plugins – Tools like Wordfence or iThemes Security provide extra protection layers.
• Enable Regular Backups – Maintain backups of your website using plugins or server tools for quick recovery.
• Monitor Server Logs – Regularly check access logs to identify suspicious activity.
• Limit Access to Sensitive Files – Block access to files like wp-config.php via .htaccess or server rules.

Frequently Asked Questions

Now, let’s examine some frequently asked questions related to the topic.

Conclusion

These are the various ways you can disable directory browsing on your WordPress website. It is essential to disable it if you don’t want any security or privacy issues.

To summarize, there are four significant ways to disable directory browsing:

• cPanel
• FTP
• Using a plugin
• Contact hosting support

The most common way to disable directory browsing is by editing the .htaccess file using cPanel or an FTP client. But you can also edit the file using SEO, security, and text editor plugins. However, a dedicated plugin is also a good option.

We hope you can now disable directory browsing on your website without any issues. We’d love to know about your experience in the comments.

In the meantime, here are some more articles that might help optimize your WordPress website:

• How To Fix The htaccess File In WordPress?
• WordPress Security: 10 Tactics You Must Know
• How to Edit robots.txt in WordPress (with and without Plugins)