Disabling directory listing in WordPress is a good practice: it avoids exposing sensitive information to users and search engines, such as the server features in use and potentially vulnerable plugins, themes or other files. This contributes to a more secure WordPress installation.
By default, the Apache server displays an index page listing the files and subdirectories of a directory when it finds no index.html or index.php file there, for example. You should avoid this default directory listing behaviour so that visitors cannot browse your media files, plugin files and theme files.
(Image: example of a directory listing of a WordPress plugin folder)
The security issue with the directory listing
Note the image above and the information displayed in the directory listing. A lot of it can guide an attacker: the paths of your files reveal the server's folder structure; files and folders can be browsed and viewed, so avoid leaving files with names such as archive.php.bkp, whose contents can be read; and the listing footer shows the web server version, Apache/2.2.22, the language version, PHP 5.4.4, and some of the modules in use.
This server information is exposed when the ServerSignature directive is enabled.
How to disable directory listing?
Directory listing can be disabled through the Apache configuration file, through the .htaccess file, or simply by the existence of an index.html or index.php file, for example, in the directory and its subdirectories.
It is important to understand this cascade of configurations in order to choose the safest way to disable directory listing on WordPress. Simply put, the layers are:
- the Apache configuration file, httpd.conf / apache2.conf;
- the .htaccess file;
- an index.html / index.php file.
Disabling directory listing through the Apache configuration file
The file is usually named httpd.conf or apache2.conf; add the following directive to prevent directory listing (the option that controls listing is Indexes, so it is removed with a leading minus):
<Directory /var/www/html>
    Options -Indexes
</Directory>
Disabling the directory listing using the .htaccess file
Consider using the directive below in the .htaccess file of your WordPress installation. This file is located in the root folder of the installation; if you use FTP / SFTP, make sure your client is set to display hidden files.
# Disable directory listing
Options -Indexes
Disabling directory listing through index files
These files are as famous as the quote “Time is Money”. Where a directory of your themes or plugins has no index file, add an index.php file, for example, to prevent directory listing.
The file does not need any content; its mere existence is enough. Very often, though, it contains only a comment, like this:
<?php
// Time is Money
What is the best strategy to disable directory listing?
Our suggestion is to make use of all three alternatives while keeping the cascade in mind, but in this context, think of it in reverse order, as the following cases explain in detail.
If you are developing a plugin or theme, always include an index.php file in every directory. You will probably not be responsible for the setup and maintenance of the WordPress site, so you cannot guarantee that a .htaccess file, which overrides the web server configuration for its directory, will be used to prevent directory listing.
If you are managing a website built on the WordPress CMS, ensure that the index files are present in the directories, consider using the .htaccess file and, if possible, make the appropriate change in the server configuration so that it prevents directory listing.
If you are a SysAdmin, configure Apache to prevent directory listing, so that even in the absence of the directive in a .htaccess file or of the index files, directory listing does not happen.
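The three layers described above can be audited with a short script. The following is an added example, not code from the original post or from MilesWeb: it lists directories that lack an index file, checks whether an .htaccess or httpd.conf contains an active Options -Indexes, and can add the placeholder index.php to unprotected directories. The sample tree it builds under mktemp is constructed for the demonstration; point the functions at your own installation path instead.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a WordPress tree for the
# layers described above. The sample tree is constructed under mktemp.

# Print every directory under $1 that has neither index.php nor index.html.
# Such directories depend entirely on the Apache or .htaccess layer.
unprotected_dirs() {
    find "$1" -type d | while read -r dir; do
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Return 0 if the given .htaccess or httpd.conf turns listing off with
# "Options -Indexes" on an uncommented line, 1 otherwise.
indexes_disabled() {
    [ -f "$1" ] || return 1
    grep -Eiq '^[[:space:]]*Options[[:space:]]+.*-Indexes' "$1"
}

# Drop the placeholder index.php from the article into every directory under
# $1 that lacks an index file. Existing index files are never overwritten.
add_index_placeholders() {
    unprotected_dirs "$1" | while read -r dir; do
        printf '<?php\n// Time is Money\n' > "$dir/index.php"
    done
}

# Build a constructed sample tree: two protected directories, three without
# an index file, an effective .htaccess at the root and a commented-out one.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/plugins/demo-plugin" "$root/wp-content/uploads"
    printf '<?php\n' > "$root/index.php"
    printf '<?php\n' > "$root/wp-content/index.php"
    printf '# Disable directory listing\nOptions -Indexes\n' > "$root/.htaccess"
    printf '# Options -Indexes\n' > "$root/wp-content/uploads/.htaccess"
    printf '%s\n' "$root"
}

# Demonstration on the constructed tree.
tree=$(make_sample_tree)
echo "Directories without an index file under $tree:"
unprotected_dirs "$tree"
indexes_disabled "$tree/.htaccess" && echo "root .htaccess: listing disabled"
indexes_disabled "$tree/wp-content/uploads/.htaccess" || echo "uploads/.htaccess: listing NOT disabled"
[ -n "$tree" ] && rm -rf "$tree"
```

The check only reads the files it is given; it does not tell you whether AllowOverride permits .htaccess in that directory, so confirm that in the server configuration as well.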
Note: If you are a MilesWeb Hosting service user, you don’t need to take care of this hectic and confusing task. Our technical experts disable Directory Browsing across servers. It is one of the steps taken for the security of our customers’ accounts.
Looking for WordPress Hosting? Look no further than MilesWeb!!