Join Jeff Starr for an in-depth discussion in this video, Prevent directory listings, part of WordPress: Developing Secure Sites.
- [Narrator] In this video, we increase the security of WordPress by disabling directory views, which are also known as directory indexes or directory listings. Many web hosts disable directory views by default, but it's important to know for sure. If your files are visible, there are a couple of easy, effective ways to lock things down. An open directory listing of your files, such as this one, may be the first thing an attacker sees before destroying your website. When directory views are enabled, any directory that does not include some sort of an index file, such as "index.html" or "index.php", will openly display a list of all files in the directory, as seen here.
As you can see, there is no index file included in this directory, so its contents are displayed for the world to see. Open directory listings are a security risk because they reveal the contents of your server to an attacker. It's much better if sensitive files are not publicly accessible. Fortunately, disabling directory views is drop-dead easy. Open the Exercise Files for this course and copy the .htaccess code. Then open your site's root .htaccess file and paste the code anywhere near the top of the file, before any WordPress-specific rules.
After adding the snippet, save and upload the file to the server. With that code in place, let's return to the previous directory view. When we refresh the page, we see the files are no longer listed, which greatly improves the security of our site. Even better, when the Options -Indexes line is included in your site's root .htaccess file, it will apply to all directories. So one line covers your entire site. For more information on this .htaccess technique, check out my post at ".htaccess made easy".
If .htaccess is not an option, you can disable directory listings by simply adding a blank index.html or index.php file to any directory that doesn't already include one. Before doing so, let's re-enable directory views by removing the Options -Indexes line from .htaccess. Then save, upload and return to the browser to verify that directory views are re-enabled. We refresh the page, and yes, we see that directory views, once again, are enabled on the site.
So now let's return to our FTP client and add an index.html file to this directory. The index file may contain any code that's desired. It can even be blank. The point is to have an index file in place for the directory. This particular index file displays a basic message and is available in the exercise files for this course. There's also an index.php file that may be used instead. So after adding an index file to our example directory, we can upload the file and return to the browser to verify that it's working.
Returning to the browser, we reload the page and see the results. Directory views have been disabled. Thanks to the new index file, the directory contents are no longer accessible to the public. As mentioned, the index file can contain anything you want so feel free to customize a little bit and have fun. If in doubt, just leave the index file blank. It's totally fine. While WordPress includes blank index files by default for some directories, there are a lot of other directories that require protection.
This is where the .htaccess method is going to save you a lot of time. But in the event that .htaccess is not available to you, adding an index file to any open directory works just as well. In this video, we've improved security by disabling directory views. Without this protection, you're taking an unnecessary risk. Using either .htaccess or the index file method, it's best to play it safe and lock things down.
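As an added example (not from the course or its exercise files), the following Python script audits both fixes from the video: it reads a root .htaccess to decide whether Indexes ends up disabled, and it lists every directory under a web root that has no index.html or index.php, then applies the fallback fix of dropping a blank index.php into each. The WordPress-like directory layout built in demo() and the .htaccess snippets are constructed, hypothetical samples.

```python
import os
import re
import tempfile

INDEX_FILES = ("index.html", "index.php")
# One Options directive per line, e.g. "Options -Indexes" or "Options +FollowSymLinks -Indexes".
OPTIONS_RE = re.compile(r"^\s*Options\b(?P<args>.*)$", re.IGNORECASE | re.MULTILINE)

def htaccess_disables_indexes(text: str, server_default_on: bool = True) -> bool:
    """Apply each Options line in order (later lines win); True if Indexes ends up off."""
    indexes_on = server_default_on  # state assumed to be inherited from httpd.conf
    for m in OPTIONS_RE.finditer(text):
        args = m.group("args").split()
        if not args:
            continue
        if all(a[0] in "+-" for a in args):  # relative form adjusts the inherited set
            for a in args:
                if a[1:].lower() == "indexes":
                    indexes_on = a[0] == "+"
        else:  # absolute form replaces the whole set ("Options None", "Options All", ...)
            indexes_on = any(a.lower() in ("indexes", "all") for a in args)
    return not indexes_on

def dirs_missing_index(relative_paths) -> list[str]:
    """Directories (relative to the web root, "." = root) holding files but no index file."""
    files = {p.replace("\\", "/").strip("/") for p in relative_paths}
    dirs = {""}
    for f in files:
        parts = f.split("/")[:-1]
        dirs.update("/".join(parts[:i]) for i in range(1, len(parts) + 1))
    return [d or "." for d in sorted(dirs)
            if not any(("/".join([d, n]) if d else n) in files for n in INDEX_FILES)]

def find_unprotected_dirs(root: str) -> list[str]:
    """The same check run against a real directory tree on disk."""
    rel = [os.path.relpath(os.path.join(dp, f), root)
           for dp, _, names in os.walk(root) for f in names]
    return dirs_missing_index(rel)

def demo() -> tuple[list[str], list[str]]:
    """Hypothetical WordPress-like tree: open dirs before and after adding blank index.php."""
    with tempfile.TemporaryDirectory() as root:
        for p in ("index.php", "wp-content/index.php", "wp-content/plugins/index.php",
                  "wp-content/uploads/2024/photo.jpg", "wp-content/themes/mytheme/style.css"):
            os.makedirs(os.path.join(root, os.path.dirname(p)), exist_ok=True)
            open(os.path.join(root, p), "w").close()
        before = find_unprotected_dirs(root)
        for d in before:  # the video's fallback fix: a blank index file per open directory
            open(os.path.join(root, d, "index.php"), "w").close()
        return before, find_unprotected_dirs(root)
```

Apache's effective setting also depends on httpd.conf and on any .htaccess in subdirectories, so treat the .htaccess check as a review aid rather than proof; directories containing no files at all are not reported.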