Directory browsing in WordPress allows anyone to view and access the contents of your site’s folders (e.g., /wp-content/uploads/) by simply entering the URL in a browser. While convenient for developers, it’s a major security risk — hackers can discover sensitive files, themes, plugins, or images and exploit them. With automated scanning tools more sophisticated than ever, disabling directory browsing is a fundamental security step to prevent unauthorized access, data leaks, and potential attacks.
At Cope Business, we always disable directory browsing during our technical SEO audit services and site hardening processes — it’s quick, effective, and helps maintain a secure, performant site.
This easy guide explains why you should disable it, and three simple methods to do so in WordPress — using .htaccess (most common), plugins (visual), and hosting settings.
Why Disable Directory Browsing in WordPress?
- Prevent Security Risks — Directory listings expose file names and plugin/theme versions, which hackers can use for targeted attacks
- Protect Sensitive Data — Hides backups, config files, images, or uploads from public view
- Improve Privacy — Stops competitors or bots from scraping your directory structure
- SEO & Performance — No direct impact, but secure sites rank better long-term
- Compliance — Helps with GDPR/CCPA by reducing accidental data exposure
If browsing is enabled, anyone can type yoursite.com/wp-content/ and see a list of files — disable it to show a 403 Forbidden error instead.
Check If Directory Browsing Is Enabled
- In your browser, go to yoursite.com/wp-content/ or /wp-content/uploads/
- If you see a file list (Index of /) instead of a 403/404 error, it’s enabled — time to disable!
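The manual check above can be scripted for sites you administer. The Python below is an added example, not part of the original guide: it flags a response as a directory listing when it carries the "Index of /" marker; example.test, the sample responses and all function names are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Folders the guide suggests checking; extend with any others you care about.
PATHS = ["/wp-content/", "/wp-content/uploads/"]

# Auto-generated index pages from Apache (mod_autoindex) and NGINX (autoindex on)
# both put "Index of /..." in the <title> and <h1>.
LISTING_RE = re.compile(r"<(title|h1)>\s*Index of /", re.IGNORECASE)

def classify(status, body):
    """Return 'listing', 'blocked' or 'other' for one HTTP response."""
    if status == 200 and LISTING_RE.search(body):
        return "listing"   # directory browsing is enabled
    if status in (403, 404):
        return "blocked"   # the error response the guide expects
    return "other"         # e.g. a blank 200 page served by an index.php

def fetch(url, timeout=10):
    """GET a URL and return (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlist-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def audit(base_url, paths=PATHS, fetcher=fetch):
    """Check each path under base_url; returns {path: verdict}."""
    base = base_url.rstrip("/")
    return {p: classify(*fetcher(base + p)) for p in paths}

# Constructed sample responses (not captured from a real site), so the
# example runs offline. Replace the fetcher with fetch() for a live check.
SAMPLES = {
    "https://example.test/wp-content/":
        (200, "<html><head><title>Index of /wp-content</title></head></html>"),
    "https://example.test/wp-content/uploads/":
        (403, "<h1>Forbidden</h1>"),
}

if __name__ == "__main__":
    results = audit("https://example.test", fetcher=SAMPLES.__getitem__)
    for path, verdict in results.items():
        print(f"{verdict:8} {path}")
```

Running the same audit again after applying one of the methods below should report no path as "listing".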
Method 1: Disable Using .htaccess (Easiest & Most Reliable)
This works on Apache servers (most shared hosting like SiteGround, Bluehost, Hostinger).
Steps
- Access your site via FTP (FileZilla) or hosting file manager (cPanel > File Manager).
- Locate .htaccess in the root folder (where wp-config.php is) — back up first!
- Open and add this line at the top or bottom:
  Options -Indexes
- Save and upload.
- Test: Go to yoursite.com/wp-content/ — it should show 403 Forbidden or a blank page.
For NGINX Servers (VPS like DigitalOcean, Cloudways):
- Contact your host or add to server config:
  autoindex off;
Pros: No plugins, server-level protection, very lightweight.
Cons: Requires FTP access; not all hosts allow .htaccess edits.
Method 2: Disable Using a Plugin (Visual & Beginner-Friendly)
Plugins automate the process with one-click toggles.
Recommended Plugin: All in One WP Security & Firewall (Free)
- Install All in One WP Security & Firewall from Plugins > Add New.
- Activate → Go to WP Security > Firewall > Basic Firewall Rules.
- Enable Disable Directory Listing (or “Prevent Directory Browsing”).
- Save Changes — plugin adds the necessary .htaccess rules automatically.
Alternative Plugin: Prevent Direct Access (free/pro) — Also protects specific files/folders.
Pros: Instant, reversible, includes other security features.
Cons: Adds one plugin (but it’s a great all-in-one security tool anyway).
Method 3: Disable via Hosting Control Panel (If Supported)
Many hosts have built-in options.
- SiteGround: Site Tools > Site > Security > Directory Indexing → Disable.
- Bluehost: cPanel > Security > ModSecurity → Enable (often blocks browsing).
- Hostinger: hPanel > Advanced > PHP Configuration → Add Options -Indexes to .htaccess.
- Cloudflare: Rules > Firewall Rules → Block directory listings.
Contact your host if unsure — they often do it for you.
Pros: No WordPress changes, server-level.
Cons: Not all hosts offer it.
Best Practices After Disabling Directory Browsing
- Test Thoroughly — Check that key folders like /wp-content/uploads/ show errors
- Monitor Logs — Use security plugins to alert on 403 access attempts
- Additional Security — Change database prefix (see our guide), limit logins, enable 2FA
- Performance — No impact — pair with caching for a faster site
- SEO — No direct effect, but secure sites rank better long-term
Disabling browsing cuts a common attack vector — do it on every site.
Final Thoughts
Disabling directory browsing in WordPress is a quick, essential security upgrade that protects your files from prying eyes. Use the .htaccess method for most sites — it’s simple and effective.
Security is layered — this is one easy layer.
Experiencing security issues or need a full site hardening audit? Contact Cope Business for a free technical SEO consultation — we’ll disable browsing, secure your site, and optimize it for performance and peace of mind.




