2 Easy Ways to Disable Directory Listing in WordPress

It’s reported that 30,000 new websites get hacked every day, and your WordPress site is no exception. It might become the next target without you noticing. Attackers use multiple methods in an attempt to take control of your site, from guessing your passwords to injecting code into your database or even exploiting your uploads.

Another common and easy way for ill-intentioned users to break into your WordPress site is directory listing, also called directory browsing. But what is this issue? Why do site owners try to avoid it? And how do you disable it?

Simply sit back, relax, and let’s dig into the answers to all these questions via our big picture of WordPress directory browsing.

What Is Directory Browsing in WordPress

Normally, your WordPress folder in the root directory contains an index.php, index.htm, or index.html file. This index file is what the web server runs and loads when a visitor requests that folder.

If your web server can’t find an index file and directory listing is enabled, it automatically generates an index page that displays the contents of the directory.

To check whether your directory is visible to the public, open http://example.com/wp-includes/ in your browser, where example.com is your domain. If it shows you a forbidden message such as “You don’t have permission to access /wp-includes/ on this server.”, that’s a good sign. Directory browsing is already disabled on your site and you don’t need to take any further action.


If you see a list of files instead, directory browsing is enabled on your site and you need to disable it immediately.

But how does directory browsing affect your site, and why should you disable it? These 2 main reasons give you the answer.

Why Disable Directory Listing in WordPress

  • Create vulnerability holes

As mentioned, if your directory listing is available to the public, hackers get a good chance to look around your site structure and learn everything in the /wp-content folder, including the versions of plugins, themes, and the core platform.

Outdated plugins with known vulnerabilities are open gates for attackers to inject malware into your site. Consequently, they may take over your admin area, delete pages, or even worse, shut the entire site down.

  • Lose important information

Content theft is another reason to disable directory browsing. Showing your files and images on the /wp-includes page can pave the way for shady users to steal your commercial or personal private files.

You have 2 solutions to deny direct access to WordPress site folders and protect your private data, either manually using cPanel or installing the PDA Gold plugin. We’ll walk you through each method with a detailed guide.

How to Disable Directory Listing in WordPress via cPanel

To use this method, log into your web hosting account and go to cPanel. After that:

  1. Head to the Files section and open File Manager
  2. Pick the Web Root directory option from the popup box, then select your domain
  3. Check the box saying “Show Hidden Files”
  4. Look for the .htaccess file, then download it to your desktop to edit
  5. Add this code to the bottom of the file on your local device:
    Options -Indexes

    This is what the file looks like with the new code:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    # END WordPress
    # Turn off auto-generated directory listings
    Options -Indexes
  6. Upload the edited file back to your server

That’s it! You’ve successfully disabled directory browsing on your WordPress site. Anyone who tries to open a directory index on your website will get a forbidden page instead.
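The browser check described earlier can be repeated across several folders once the .htaccess change is uploaded. The Python script below is an added example, not part of the original article or of the PDA Gold plugin; it goes beyond the single /wp-includes/ check by also recognizing the default listing pages of Apache, NGINX and IIS, and the folder list, listing markers and sample responses in it are assumptions constructed for illustration.

```python
import re
import sys
import urllib.error
import urllib.request

# Body markers of server-generated listings (default templates; an assumption).
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),     # Apache mod_autoindex, NGINX autoindex
    re.compile(r"\[To Parent Directory\]", re.I),  # IIS directory browsing
)

def classify(status, body):
    """Map one directory response to 'listing', 'forbidden', 'not-found' or 'other'."""
    if status == 403:
        return "forbidden"
    if status == 404:
        return "not-found"
    if status == 200 and any(m.search(body) for m in LISTING_MARKERS):
        return "listing"
    return "other"  # e.g. a real index file such as WordPress's empty index.php

def fetch(url, timeout=10):
    """GET a URL and return (status, body); 4xx/5xx are results, not errors."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def audit(base_url, paths=("/wp-includes/", "/wp-content/", "/wp-content/uploads/")):
    """Check directories of a site you administer; returns {path: verdict}."""
    return {p: classify(*fetch(base_url.rstrip("/") + p)) for p in paths}

# Constructed sample responses, so the classifier can be exercised offline.
SAMPLES = {
    "apache": (200, "<html><head><title>Index of /wp-includes</title></head></html>"),
    "iis": (200, '<pre><A HREF="/">[To Parent Directory]</A><br></pre>'),
    "blocked": (403, "You don't have permission to access /wp-includes/ on this server."),
    "index.php": (200, ""),
}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python dirlist_check.py http://example.com
        results = audit(sys.argv[1])
    else:
        results = {name: classify(*resp) for name, resp in SAMPLES.items()}
    for name, verdict in results.items():
        print(f"{verdict:10} {name}")
```

Any folder reported as "listing" still exposes its contents; "forbidden" matches the message the article describes as the good sign.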

Disable Directory Indexing Using The PDA Gold Plugin

Primarily a media file protection plugin, Prevent Direct Access (PDA) Gold is also an effective solution to stop users from viewing your folder structure. You can block directory browsing in different web servers such as Apache, NGINX, and Microsoft Internet Information Services (IIS).

The following instructions show you how to get started with the plugin:

  1. Download the PDA Gold plugin as a zip file
  2. Go to Plugins → Add New → Upload plugin in your admin dashboard and choose the zip file you’ve just downloaded
  3. Enter the license key and activate the plugin
  4. Open the plugin Settings page right in your navigation menu
  5. Scroll down to the OTHER SECURITY OPTIONS section and enable the “Disable Directory Listing” feature
  6. Save your changes

As soon as you turn on the feature, the plugin automatically adds the code Options All -Indexes to the bottom of your .htaccess file. You don’t have to touch your web server yourself, which might accidentally affect your site performance.

Discover Other Powerful Functionalities of PDA Gold

Besides denying directory listing, there are a lot of things you can do with this plugin. It allows you to protect your WordPress media files from unauthorized users.

Do you own an online course website? Or are you a photographer selling artworks and event photos to customers? Whoever you are, this plugin is just your way to go.

Once protected, your files become invisible to the public, including search engines. Readers searching for your files will be redirected to a 404 page even if they have the original URLs. Only specific users, such as admins, members of your site, or selected customers, have the right to access your files.

Besides, you can create special private links to the protected files and send them to users. However, users can view them only for a given period of time or a limited number of clicks. Sounds interesting, right?

Stop Worrying About WordPress Directory Browsing

Directory listing can create an open gate for hackers to attack your site since they can see the full folder structure. They’ll find out which plugins or themes are outdated and take advantage of their vulnerabilities.

You have 2 choices when looking for a solution to disable directory listing on your WordPress site: using cPanel or the PDA Gold plugin. While the former requires you to add code to the .htaccess file yourself, the latter handles the whole job by doing this for you automatically. All you need to do is install the plugin and enable the feature.

PDA Gold also gives you more capabilities than just denying directory listing access. Give it a try to discover more!