If your site is not configured correctly, search engines might index your uploads folder. You might be searching for how to disable Directory Browsing in WordPress. Let’s first understand the folder architecture of a WordPress installation on the server.
WordPress is one of the most used CMSs among website creators. It is open source software and can be installed anywhere PHP & MySQL are installed. It started as a blogging engine and now powers more than 30% of websites.
WordPress folder Architecture
Let’s understand the folder above. If you look at the disk where WordPress is installed, you will see folders like the ones above. There are three main folders:
- wp-admin – Includes WordPress core files, not indexed by default.
- wp-content – Includes themes, plugins & uploads (Images). Indexed by default.
- wp-includes – Other core parts of WordPress like API & Scripts.
Now, let’s shift our focus to the wp-content>uploads>2020>05 folder. Unless you change it, WordPress by default archives your uploaded media by year & month. Now let’s have a look at the problem.
Problem: Google Search indexed wp-upload Folders
What is Directory Browsing / Directory Listing?
As you know, a folder has been called a directory since the early days of computing; you have the basic idea if you have created a folder in MS-DOS. Also, how many of you are familiar with FTP? In the days of FTP, all the content inside a folder was listed in a manner similar to Windows Explorer or any other file explorer application.
Now, coming back: Directory Listing, sometimes called Directory Browsing, is the term used in the web industry for listing all the content inside a folder. Let’s have a look at the screenshot below.
This is one of the folders of the WordPress hosting of this blog. WordPress also creates multiple cropped versions of each image you upload, based on the theme’s requirements for displaying it in different places. In the image above, we are seeing the images/media we uploaded in March 2017. All the media files are cropped to different dimensions and listed on the web. Anyone can find them and download them, even all of them at once using some tool.
This listing of all the content inside a folder without any authentication is called Directory Browsing.
Why do we want to disable directory browsing in WordPress?
There are multiple reasons why we do not want this to happen. Some of the main reasons are listed below.
- It negatively impacts your SEO.
- Anyone can view your media files easily.
- Anyone can download your media content.
- Makes your website more vulnerable, as an attacker can see which plugins are used and can target outdated or unoptimized plugins to inject code.
- Makes things easier for an attacker if those folders contain any script files.
How to disable Directory Browsing in WordPress?
Well, there are multiple ways to do it. You can use a WordPress security plugin, add an index.html file, or use
Using Security Plugins
Using a plugin to perform a fixed task is the easiest approach in the WordPress ecosystem. This is one of the main reasons behind the popularity of WordPress. Below are some plugins with links to their WordPress plugin pages.
- Sucuri Security – Auditing, Malware Scanner and Security Hardening – Download
- Wordfence Security – Firewall & Malware Scan – Download
- Hide My WP Ghost – Security Plugin – Download
- Other plugins
Disadvantages of Using Plugins to disable Directory Browsing in WordPress.
- Plugins consume resources.
- Some plugins can make website slower.
- Some Plugins may ask you to pay or share your data.
Adding Index.html file in each Folder
You can design a fancy HTML page or just a blank HTML page and place it inside the directory. Follow the steps below to add an index.html file to disable directory browsing in WordPress. This method has an advantage over a plugin, as it does not run any script or increase the load on your server. It only consumes space, but consider that plugins also consume space.
- Create a new HTML webpage; you may include a custom error message telling visitors that they can’t download images or view the files of this folder.
- Save this HTML Page as
- Upload this file inside each folder in your
- Repeat the process until you cover all folders.
Disadvantages of Using index.html to disable Directory Browsing in WordPress.
You have to repeat this step for every folder inside your WordPress installation. This can be time-consuming if you have an old blog with lots of content.
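The repetition described above can be scripted. The following shell function is an added example, not part of the original article: it walks a directory tree and places a blank index.html (or a copy of a page you supply) in every folder that has no index.html or index.php yet. The function name and the paths are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article): automate the index.html method.
# Every directory under ROOT that has neither index.html nor index.php gets
# an index.html, so the server returns that page instead of a file listing.

# add_index_files ROOT [TEMPLATE]
#   ROOT      directory tree to cover, e.g. the wp-content folder
#   TEMPLATE  optional HTML page to copy; a blank file is created without it
# Prints one line per directory that received a new index.html.
add_index_files() {
    root=$1
    template=${2:-}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    if [ -n "$template" ] && [ ! -f "$template" ]; then
        echo "template not found: $template" >&2
        return 1
    fi
    find "$root" -type d | while IFS= read -r dir; do
        # Never overwrite an index file that is already in place.
        if [ -e "$dir/index.html" ] || [ -e "$dir/index.php" ]; then
            continue
        fi
        if [ -n "$template" ]; then
            cp "$template" "$dir/index.html"
        else
            : > "$dir/index.html"
        fi
        echo "$dir"
    done
}

# Run against a path given on the command line (hypothetical path shown):
#   sh add_index.sh /path/to/wordpress/wp-content
if [ "$#" -gt 0 ]; then
    add_index_files "$@"
fi
```

WordPress creates a new year/month folder under uploads as you add media, so the function has to be run again for new folders; it skips folders that are already covered.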
.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis on Apache Web Server Software.
In most cases, WordPress is installed in a Linux environment or on Apache-based servers. There is always a .htaccess file present for configuration. Most hosts do not list dotfiles (files beginning with the . symbol). You have to turn on the visibility of dotfiles in the settings. In most cases, hosts use cPanel, and the image below shows how to enable visibility of dotfiles.
Now, once you have made the above change, you can see the .htaccess file in the list of files. Download the .htaccess file to your local system, add the line of code below and upload it to the server. Steps to disable Directory Browsing in WordPress using the .htaccess file downloaded to your local system:
- Create a copy of the .htaccess file before modifying it.
- We ask you to do this so that in case something goes wrong, you always have a backup of the original.
- Go to the end of the .htaccess file content & add the line below at the bottom.
- Save file and Upload to server.
You can also edit the .htaccess file directly and add the above line of code at the bottom of the file. Make sure you don’t tinker with anything else that could take your website down.
This method is easier and more trusted than the two methods above for disabling directory browsing in WordPress. You do not have to add any plugin that consumes extra server resources, or any untrusted scripts. Adding HTML files can also be a difficult and repetitive task, and it consumes lots of space. This method, in contrast, does not consume resources the way a plugin does or use your disk space. It will now return a 403 – Forbidden error to visitors who try to access directory content.
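The backup-then-append steps of the .htaccess method, written as a shell function for hosts with shell access; this is an added example, not code from the original article. The directive it appends, Options -Indexes, is the standard Apache setting that turns off automatic directory listings and is assumed here to be the line the steps refer to; the function name and the .bak suffix are illustrative.

```shell
#!/bin/sh
# Added example (not from the article): back up .htaccess, then append the
# directive that disables Apache's automatic directory listings.
# "Options -Indexes" is the standard Apache directive, assumed here to be the
# line the steps above refer to.

# disable_listing FILE
#   FILE  path to the site's .htaccess
# Prints "updated" when the directive was appended, "unchanged" when an
# active (non-commented) Options line already contains -Indexes.
disable_listing() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # Skip the edit when the directive is already active.
    if grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$file"; then
        echo "unchanged"
        return 0
    fi

    # Keep the first backup only, so a second run cannot overwrite the
    # pristine copy with an already modified file.
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak"

    # If the last line has no trailing newline, add one so the directive
    # does not get glued onto the end of an existing rule.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf 'Options -Indexes\n' >> "$file"
    echo "updated"
}

# Run against a path given on the command line (hypothetical path shown):
#   sh disable_listing.sh /path/to/wordpress/.htaccess
if [ "$#" -gt 0 ]; then
    disable_listing "$1"
fi
```

The directive only works where the host's AllowOverride setting allows Options in .htaccess; if the site starts returning 500 errors after the change, restore the .bak copy.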
We hope this article is helpful to you. We will be waiting to hear from you whether it worked or not.