How to Safely Disable Directory Browsing on Your WordPress Site

Learn why directory browsing is a security risk in WordPress and how to safely disable it using .htaccess, Nginx rules, or security plugins without breaking your site.

Why Directory Browsing Matters for WordPress Security

Directory browsing (or directory listing) lets visitors see a raw list of files in a folder when there’s no index file. On a WordPress site, that can expose plugin names, backup files, or configuration fragments that help attackers map your setup.

Hardening guides for WordPress specifically recommend locking down file access and server configuration as part of a defense-in-depth strategy.

This article shows you how to safely disable directory browsing on typical WordPress hosting, what to test afterward, and how to avoid breaking media or theme assets.

How to Check If Directory Browsing Is Enabled

Step 1: Test a Known Folder

In your browser, try visiting a folder URL on your site, for example:

  • https://yourdomain.com/wp-content/
  • https://yourdomain.com/wp-content/uploads/

What you might see:

  • Directory listing page (file list with names, sizes, dates) – directory browsing is enabled.
  • 403 Forbidden or a custom error page – directory browsing is disabled for that folder.
  • Blank page or redirect – your host or a plugin may already be blocking listings.
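
The same check can be run from a terminal. The script below is an added example, not part of the original article: it assumes curl is installed, its function names are hypothetical, and it relies on the "Index of /" page title that Apache and Nginx put on auto-generated listings.

```shell
#!/bin/sh
# Added example: report how a server answers a folder URL.
# Function names are hypothetical; the URLs in the usage line are the article's placeholders.

# classify_listing STATUS BODY_FILE -> listing | blocked | redirect | other
classify_listing() {
    status=$1
    body_file=$2
    case $status in
        200)
            # Apache and Nginx auto-generated listings are titled "Index of /path".
            if grep -qi '<title>Index of /' "$body_file"; then
                echo listing      # directory browsing is enabled
            else
                echo other        # an index file or blank page answered instead
            fi ;;
        403|404) echo blocked ;;  # Forbidden or an error page: no listing served
        301|302|307|308) echo redirect ;;
        *) echo other ;;
    esac
}

# probe_folder URL -> fetches the URL without following redirects, then classifies it.
probe_folder() {
    tmp=$(mktemp) || return 1
    status=$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 "$1")
    classify_listing "$status" "$tmp"
    rm -f "$tmp"
}

# Usage: sh check-listing.sh https://yourdomain.com/wp-content/ https://yourdomain.com/wp-content/uploads/
if [ "$#" -gt 0 ]; then
    for url in "$@"; do
        printf '%s\t%s\n' "$(probe_folder "$url")" "$url"
    done
fi
```

Any URL reported as `listing` still has directory browsing enabled; `other` covers the blank-page case, which is worth a look in the browser.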

Step 2: Confirm With Your Host or Control Panel

Some hosts expose a “Directory Indexing” or “Indexes” toggle in cPanel or their custom dashboard. If you see that option, note whether it’s already off before you change anything.

Method 1: Disable Directory Browsing via .htaccess (Apache)

If your site runs on Apache (very common for shared hosting), you can disable directory browsing with the Options -Indexes directive in your site’s .htaccess file. Apache’s autoindex module only generates listings when the Indexes option is allowed; turning it off prevents those listings from being served.

Step 1: Back Up .htaccess

  • Connect via FTP/SFTP or your hosting file manager.
  • Locate your WordPress root folder (usually public_html or the folder containing wp-config.php).
  • Download a copy of .htaccess to your computer and rename it to something like .htaccess-backup-before-no-index.txt.

Step 2: Add the Options -Indexes Rule

Open the live .htaccess file in your host’s editor or a code editor. Look for the existing WordPress block that starts with # BEGIN WordPress. Above or below that block, add:

# Disable directory browsing
Options -Indexes

Save the file.

Many security plugins add the same rule automatically under labels like “Disable Directory Browsing” by inserting Options -Indexes into .htaccess.

Step 3: What You Should See

After saving:

  • Reload https://yourdomain.com/wp-content/ in your browser.
  • You should now see a 403 Forbidden or a generic error page instead of a file list.
  • Your normal pages, posts, and media (images, CSS, JS) should still load correctly.

If you see a server error (500) on all pages, immediately restore your backup .htaccess file and contact your host. Some Apache configurations restrict which Options can be used in .htaccess.
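
If you have SSH access instead of FTP, Steps 1 and 2 and the restore can be scripted. This is an added example, not part of the original article: the function names are hypothetical, and the backup and "-broken" file names follow the ones suggested in this guide.

```shell
#!/bin/sh
# Added example: back up .htaccess, add "Options -Indexes" once, and allow rollback.
# Function names are hypothetical; file suffixes follow this guide's naming.

# add_no_index HTACCESS_PATH -> 0 if the rule is present afterwards
add_no_index() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }

    # If an active (uncommented) Options line already removes Indexes, change nothing.
    # Returning here also keeps a second run from overwriting the first backup.
    if grep -Eiq '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?-Indexes([[:space:]]|$)' "$file"; then
        echo "already set"
        return 0
    fi

    backup="$file-backup-before-no-index.txt"
    cp -p "$file" "$backup" || return 1

    tmp=$(mktemp) || return 1
    # Put the rule at the top of the file, above the "# BEGIN WordPress" block,
    # because WordPress regenerates the lines between its BEGIN/END markers.
    {
        printf '# Disable directory browsing\nOptions -Indexes\n\n'
        cat "$file"
    } > "$tmp"
    cat "$tmp" > "$file"    # overwrite in place so owner and permissions stay the same
    rm -f "$tmp"
    echo "added; backup at $backup"
}

# restore_htaccess HTACCESS_PATH -> keep the failing file as "-broken", put the backup back
restore_htaccess() {
    backup="$1-backup-before-no-index.txt"
    [ -f "$backup" ] || { echo "no backup found for $1" >&2; return 1; }
    cp -p "$1" "$1-broken" && cp -p "$backup" "$1"
}

# Usage: sh no-index.sh /path/to/site/.htaccess
if [ "$#" -gt 0 ]; then
    add_no_index "$1"
fi
```

If the site returns a 500 after the change, calling restore_htaccess on the same path puts the original file back and keeps the failing version for your host to inspect.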

Method 2: Disable Directory Browsing on Nginx

If your host uses Nginx (common on managed WordPress hosting), directory listings are controlled by the autoindex directive. By default, it’s usually off, but some custom setups enable it in specific locations.

Step 1: Confirm You’re on Nginx

  • Check your hosting documentation or dashboard for “Nginx” references.
  • Or ask support: “Is my WordPress site served by Nginx, Apache, or both?”

Step 2: Ask Host to Disable autoindex

On most managed platforms you cannot edit Nginx config directly. Instead, open a support ticket and request:

Please ensure autoindex off; is set for all public web locations on my site so directory listings are disabled.

Your host can confirm and apply this at the server level.

Step 3: What You Should See

After your host updates the configuration:

  • Visiting a folder URL like /wp-content/ should return 403 or a custom error page.
  • All regular site pages and media should continue to load normally.

Method 3: Use a Security Plugin to Manage Directory Browsing

If you prefer not to edit server files, many WordPress security plugins include a “Disable Directory Browsing” or “No Index Views” toggle. These tools typically inject the same Options -Indexes rule into .htaccess for you, along with other hardening options recommended in WordPress security lessons.

General Steps (Plugin-Agnostic)

  1. In WordPress, go to Dashboard → Plugins → Add New.
  2. Search for a reputable security plugin that mentions directory browsing or hardening.
  3. Install and activate the plugin.
  4. Look for a settings area like Firewall, Hardening, or File System.
  5. Enable the option labeled “Disable Directory Browsing” or similar.

What You Should See

Once enabled:

  • Folder URLs should no longer show file lists.
  • The plugin may show a status indicator like “Directory browsing: Disabled.”
  • Your site should behave the same for normal visitors; only raw folder views change.

Verifying That Your Site Still Works

Step 1: Test Key Pages

  • Homepage
  • Several inner pages and blog posts
  • Any landing pages built with Elementor: Dashboard → Pages, open a page, click Edit with Elementor, and confirm the editor loads normally.

Step 2: Test Media and Assets

  • Open a page with images and confirm they display.
  • Check that your theme’s CSS and JavaScript are loading (no broken layouts or missing icons).
  • In a browser’s developer tools (Network tab), look for any 403 errors on CSS/JS/image files.

Step 3: What You Should See

With directory browsing disabled correctly:

  • Normal visitors and editors see no change in how the site works.
  • Only direct folder URLs (like /wp-content/) are blocked from listing contents.
  • Individual files (like images or PDFs) still load when linked from pages, unless you use an additional plugin to restrict file access.

Rollback Plan if Something Breaks

If You Edited .htaccess

  1. Use FTP or your file manager to rename the current .htaccess to .htaccess-broken.
  2. Upload your backup copy and rename it to .htaccess.
  3. Reload your site; it should return to the previous state.

If You Used a Plugin

  1. Log in to Dashboard → Plugins.
  2. Temporarily deactivate the security plugin that changed directory browsing.
  3. Clear any caching (plugin cache, host cache, CDN) and test the site again.

Ongoing Maintenance Tips

  • Include “Check directory browsing is disabled” in your quarterly security review.
  • After major hosting changes or migrations, re-test a folder URL to ensure listings are still blocked.
  • Keep a clean, commented .htaccess so you can quickly see which rules control directory browsing.

Once configured, disabling directory browsing is a low-maintenance, high-value hardening step that quietly reduces the amount of information your WordPress site exposes to the public web.
