Disable Directory Browsing To Secure WordPress Installation

by Bobby Jay

We use various tricks and hacks to secure a WordPress installation. If directories are not secured, anyone can browse the installation's folders and directories. This is a major security loophole that needs immediate attention and remedy: someone can easily browse the plugins folder and other folders, and people who browse your themes folder can get very important information.

The Apache web server allows directory browsing by default. This issue can easily be addressed in several ways.

Disable directory browsing by placing an index.html file:-

  • Simply create a blank index.html file.
  • Upload it to each directory for which you want to disable browsing.
  • Browsing is now disabled for all those directories. Visitors will be shown the blank index.html file instead of a listing.

Disable directory browsing using .htaccess:-

  • Find your .htaccess file, which should be in the main directory.
  • Download it for editing.
  • Add the line Options All -Indexes to the file to disable directory browsing. Add this line exactly as written at the beginning of the file and save it.
  • Upload the file to your main directory and you are done.


Another method to secure a WordPress installation is to disable directory browsing through cPanel.

Disable directory browsing in cPanel:-

  • Log in to your cPanel and open Index Manager.
  • You will see a listing of all directories available on your site.
  • Select the directory for which you want to disable browsing.
  • Select no index and save it by clicking Save.

By doing so you have disabled directory browsing via cPanel. Once you have followed any one of these methods, the directories can no longer be browsed by requesting the directory URL directly.
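
To confirm the result of any of the three methods on your own site, the check can be scripted. The following Python sketch is an added example, not code from the original post; blog.example, the directory list and the sample responses are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Apache's auto-generated listing pages carry an "Index of /path" title.
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

# Directories of a default WordPress install (assumed layout; adjust to yours).
WP_DIRS = ["/wp-content/plugins/", "/wp-content/themes/",
           "/wp-content/uploads/", "/wp-includes/"]

def classify(status, body):
    """Turn one HTTP response for a directory URL into a verdict."""
    if status == 200 and LISTING_RE.search(body):
        return "LISTING ENABLED"
    if status == 200 and not body.strip():
        return "blank index file"      # what the index.html method produces
    if status == 403:
        return "listing forbidden"     # typical for the .htaccess/cPanel methods
    return "other (HTTP %d)" % status

def fetch(url, timeout=10):
    """Return (status, body); an HTTP error status is a result, not a failure."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def audit(base_url, paths=WP_DIRS, fetcher=fetch):
    """Request each directory under base_url and return {path: verdict}."""
    base = base_url.rstrip("/")
    return {path: classify(*fetcher(base + path)) for path in paths}

# Constructed sample responses so the example runs offline.
SAMPLE = {
    "https://blog.example/wp-content/plugins/": (200, ""),
    "https://blog.example/wp-content/themes/": (403, "<h1>Forbidden</h1>"),
    "https://blog.example/wp-content/uploads/": (
        200, "<html><head><title>Index of /wp-content/uploads</title></head>"),
    "https://blog.example/wp-includes/": (404, ""),
}

def sample_fetcher(url):
    return SAMPLE[url]

if __name__ == "__main__":
    for path, verdict in audit("https://blog.example", fetcher=sample_fetcher).items():
        print("%-24s %s" % (path, verdict))
```

To audit a real site you administer, call audit() with its base URL and leave the fetcher argument at its default.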

{ 9 comments }

Jimi Jones June 2, 2010 at 4:04 am

This is good information, Imran. I must admit, I have never given much thought to this.

Thanks for this post. I wonder how many others are unaware of this.

Imran Yousaf June 2, 2010 at 3:27 pm

Hey, thanks Jimi for your comment. By following my post on 9 Vital Tips to Secure WordPress and this post, we can easily reduce the success of hacking attempts by 90%. I have observed almost 100% reduction in various hacking attempts.

Jimi Jones June 2, 2010 at 4:42 pm

Those are pretty impressive numbers. More WP users need to take these security steps. Nothing like keeping the bums out. :-)


Suresh Khanal June 2, 2010 at 6:21 pm

Just uploading a blank HTML file can be used to disable directory browsing? It's a good tip. I'd like to ask:

How can I verify which of my directories have directory browsing enabled and which have it disabled?

Imran Yousaf June 2, 2010 at 11:10 pm

Just type the exact URL of your plugins, theme, or WordPress installation folder in your favourite internet browser and see whether any listing appears.

Vinay June 3, 2010 at 1:50 am

awesome info dude :) Thanks :)

Jeffrey Morgan June 4, 2010 at 2:18 am

Hi Imran,
One point for the newbies. The “.htaccess” file is a hidden file and yes, is hidden from you when you view your home directory file system. Simply click on “Show Hidden Files (dotfiles)” in the “File Manager Directory Selection” dialogue box of your cPanel. Your .htaccess file will now be visible to you.
Imran, one question for you sir! How do your recommendations above affect the spiders' crawl? After the above changes you recommend, are there any changes that need to be made to the “robots.txt” file?


Imran Yousaf June 4, 2010 at 1:07 pm

Thanks Morgan for your clue for newbies. If they are accessing the files/folders from cPanel, they are supposed to unhide the dot files, but if they are accessing through FTP (like FileZilla) everything is visible.
Now, coming to your question regarding bot visits. We need to understand their function. A bot fetches the main page (index.php) and follows all links given in it, excluding the nofollow-tagged links. So there is no effect on bot performance. We are not supposed to edit the robots file, as we have not restricted bots from accessing these folders.
As far as our articles are concerned, you know, if you have included some directory structure in your permalinks, all these directories are virtual and all articles are linked with one another. Rest assured that there will be no effect on your search engine indexing performance.

ruzicic December 16, 2011 at 5:36 am

Thanks for the article. I have chosen the cPanel/no-indexing method!
Cheers
