If you have a self-hosted WordPress installation, you need to be aware of directory browsing and the implications of allowing it. WordPress tries to prevent directory browsing, even if you (knowingly or unknowingly) have it enabled. Unfortunately, it is up to you to make sure your site is completely secure.
What is directory browsing?
If you have your own website, chances are you have also used a file manager before. A file manager allows you to see the files and folders that exist on your computer and open them. Directory browsing is just like a file manager for your website, except open to the public. Anyone on the web could potentially visit a directory on your site, see what files exist there and open them at will.
Basically, if directory browsing is enabled and you don’t have an index.html or index.php file in a given directory, the web browser will display the contents of the directory along with a link back to the parent directory. You can check to see if directory browsing is enabled by creating a folder and adding a basic text file. If you visit the directory in your web browser and it displays a link to the text file, then directory browsing is enabled. If you get a ‘Page Not Found’ or ‘Forbidden’ message, then directory browsing is disabled.
Obviously, revealing the inner workings of your website to the public could entice hackers or at least make their job much easier. Many hackers perform Google searches to find sites with directory browsing enabled and then choose sites which have known vulnerabilities based on their findings.
Directory browsing and WordPress
By default, a self-hosted installation of WordPress has a built-in safeguard against directory browsing. A new WordPress installation will contain a blank index.php file in each folder so that a user visiting a folder, such as the plugins directory, will be presented with a blank screen. However, many WordPress plugins don’t do this. This means that hackers can see which plugins, and which versions of those plugins, you have installed on your site.
Securing access to your directories via .htaccess
The easiest way to disable directory browsing is to add a line to your site’s .htaccess file.
Keep in mind that you can have .htaccess files in multiple locations, but you want to make your change in the .htaccess found in the root directory for your domain. This will cause the change to take place across your entire site.
Here is what you will need to do:
- Download your .htaccess file and make a copy. You should always keep a copy of your .htaccess file when making changes, just in case things don’t work as planned.
- Add these lines to your .htaccess file:
```apache
# Disable Directory Browsing
# (only takes effect if the server config allows .htaccess overrides:
#  AllowOverride Options or AllowOverride All)
Options All -Indexes
```
- Upload the new .htaccess file and overwrite the existing one.
- Verify that directory browsing is disabled. Visit a folder that previously showed you a directory listing and confirm that you now get a ‘Page Not Found’ or ‘Forbidden’ error message.
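The two checks described above (the blank index.php safeguard in each wp-content folder, and the root .htaccess line that removes Indexes) can also be audited locally against a copy of the site. The following script is an added example, not code from the original post or from WordPress; it assumes a WordPress tree at `wp_root`, reads only the filesystem, and builds its own constructed sample tree for demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed example, not code from the original post: audit a local
# WordPress tree for (1) wp-content directories missing the blank index.php
# safeguard the post describes, and (2) whether the root .htaccess carries an
# uncommented Options line that removes Indexes. Only the filesystem is read.

INDEX_FILES = {"index.php", "index.html", "index.htm"}
# Matches "Options All -Indexes" or "Options -Indexes" (case-insensitive);
# comment lines are dropped before matching so a commented-out line won't count.
DISABLE_RE = re.compile(r"^\s*Options\b.*-Indexes\b", re.IGNORECASE | re.MULTILINE)

def dirs_without_index(wp_root):
    """Return wp_root-relative paths of wp-content directories with no index file."""
    missing = []
    for dirpath, dirnames, filenames in os.walk(Path(wp_root) / "wp-content"):
        dirnames.sort()  # deterministic traversal order
        if not INDEX_FILES.intersection(filenames):
            missing.append(os.path.relpath(dirpath, wp_root).replace(os.sep, "/"))
    return sorted(missing)

def htaccess_disables_indexes(wp_root):
    """True if the root .htaccess has a live 'Options ... -Indexes' directive."""
    path = Path(wp_root) / ".htaccess"
    if not path.is_file():
        return False
    lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    live = "\n".join(l for l in lines if not l.lstrip().startswith("#"))
    return DISABLE_RE.search(live) is not None

def build_sample_tree(disable_listing):
    """Create a constructed mini WordPress layout in a temp dir; return its path."""
    root = Path(tempfile.mkdtemp())
    plugins = root / "wp-content" / "plugins"
    for d in ("good-plugin", "bare-plugin"):
        (plugins / d).mkdir(parents=True)
    for d in (root / "wp-content", plugins, plugins / "good-plugin"):
        (d / "index.php").write_text("<?php\n// Silence is golden.\n")
    (plugins / "bare-plugin" / "readme.txt").write_text("Stable tag: 1.0\n")
    directive = "Options All -Indexes\n"
    # The disabled variant leaves the directive commented out, which must not count.
    (root / ".htaccess").write_text("# Disable Directory Browsing\n" +
                                    (directive if disable_listing else "# " + directive))
    return str(root)
```

Run `dirs_without_index` and `htaccess_disables_indexes` against your real install root; any directory listed is one where the web server, not WordPress, decides whether a listing is shown.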
Congratulations! Your site is now much more secure. There are plenty of other security issues that you should be aware of and I will be addressing plenty of them in the weeks to come.