WPBeginner - WordPress Tutorials for Beginners

Trusted WordPress tutorials, when you need them most.
Beginner’s Guide to WordPress
WPB Cup
25 Million+
Websites using our plugins
16+
Years of WordPress experience
3000+
WordPress tutorials
by experts

How to Disable Directory Browsing in WordPress

By Editorial Staff | | Reader Disclosure

Shares 309 ChatGPT Perplexity X LinkedIn WhatsApp

We often see websites that forget to disable directory browsing. At first glance, it might not seem like a big deal, but this small oversight can expose sensitive information and put your site at risk.

When directory browsing is enabled, anyone can view the files and folders on your server. Hackers can use this information to identify weaknesses in your plugins, themes, or even your hosting environment.

Luckily, fixing this issue is quick and easy. By turning off directory browsing, you add an extra layer of protection and make it much harder for attackers to target your site.

In this guide, I’ll walk you through the simple steps to disable directory browsing in WordPress so you can safeguard your website and keep your data secure.

How to disable directory browsing in WordPress

Here is a quick overview of topics I’ll cover in this guide:

What Does Disabling Directory Browsing in WordPress Do?

Disabling directory browsing stops visitors from seeing a list of files and folders on your site when an index file isn’t available. Instead of showing that raw directory, the server will display a blank page or an error message.

When someone visits your website, the server normally delivers an index file (like index.html or index.php) to their browser. If that file is missing, many servers will fall back to displaying all the files in that folder.

Directory browsing enabled

This behavior is called directory browsing, and it’s often enabled by default on hosting servers.

The problem is that this exposes sensitive details about your site’s structure. Hackers can use it to look for vulnerabilities in plugins, themes, or even your hosting environment.

In some cases, directory browsing can also reveal private or paid content, such as ebook downloads or online courses, which could then be copied without permission.

That’s why we always point out this risk when helping beginners. Turning off directory browsing is a quick change that can protect your site and prevent unnecessary revenue loss.

How to Check if Directory Browsing Is Enabled in WordPress

An easy way to check if directory browsing is enabled on your WordPress website is by visiting the /wp-includes/ folder directly.

For example, just enter a URL like this: https://example.com/wp-includes/ in your browser.

Make sure to replace example.com with your actual website’s domain name. This simple test works across most WordPress installations.

If you see a 403 Forbidden message or a similar error, then directory browsing is already disabled. This is a good sign as it means your website is more secure.

403 forbidden page is displayed when directory browsing is disabled

If a list of files and folders appears instead, then directory browsing is enabled.

Leaving directory browsing enabled makes your website vulnerable to malicious attacks.

In our experience, enabling directory browsing exposes sensitive information and increases security risks. For this reason, it’s best to disable directory browsing in WordPress to keep your site safe.

How to Disable Directory Browsing in WordPress

You can disable directory browsing by adding a single line of code to your WordPress .htaccess file.

This is a powerful server configuration file, so it is very important to make a backup of your .htaccess file before making any changes. An incorrect edit could make your site inaccessible.

Tip: We use Duplicator to automatically back up all our WordPress websites. It allows you to create scheduled as well as on-demand backups. More importantly, you can easily restore your website with 1-click. See our full Duplicator review for more details.

You can access this file using two main methods:

Method 1: Edit the .htaccess File Using the File Manager in cPanel

The easiest method for most users is to use the File Manager app provided in your WordPress hosting account’s control panel (cPanel).

First, log in to your hosting account and open the File Manager.

cPanel file manager app

Navigate to your website’s root folder, which is often named public_html.

Now, locate the .htaccess file.

If you cannot see it, make sure to enable “Show Hidden Files” in your File Manager’s settings.

Editing .htaccess file in File manager via cPanel

Right-click on the file and select ‘Edit’ or ‘Code Editor’.

Method 2: Editing the .htaccess File Using an FTP Client

Alternatively, you can use an FTP client to connect to your website’s files.

If this is your first time, you can follow our complete guide on how to connect to your site using FTP.

  1. Once connected via FTP, navigate to your site’s root directory (e.g., public_html).
  2. Find the .htaccess file.
  3. Download the file to your computer, then open it in a plain text editor like Notepad or TextEdit.
Adding the Code to .htaccess

Once you have opened the .htaccess file for editing using either method, simply add the following line of code at the very bottom of the file:

Options -Indexes

It will look something like this:

Added border to an image

Now, save your changes. If you used an FTP client, you must re-upload the edited .htaccess file to your server, overwriting the original.

Note for Nginx Users 📝: This .htaccess method applies to websites running on an Apache web server. If your website is on an Nginx server, this setting is usually handled at the server level by your hosting provider, and directory browsing is typically disabled by default. To learn more, see our comparison of Apache vs Nginx vs LiteSpeed web servers.

Now, if you visit the same http://example.com/wp-includes/ URL, you’ll get a 403 Forbidden or similar message.

403 forbidden page is displayed when directory browsing is disabled
Bonus Tip: Prefer a Plugin Instead?

If you are not comfortable editing code, a good WordPress security plugin can handle this for you.

Most WordPress security plugins include a one-click option to disable directory browsing as part of their website hardening features, so you never have to touch a single file.

Frequently Asked Questions About Disabling Directory Browsing

What is directory browsing, and why is it a security risk?

Directory browsing is a server feature that lists all the files and folders within a directory if an index file (like index.php) is missing. It’s a security risk because it exposes your site’s structure, including which themes and plugins you use, to potential attackers.

Does disabling directory browsing affect my website’s SEO?

No, disabling directory browsing does not negatively affect your SEO. Search engines are interested in your content, not your file structure. In fact, improving your website’s security is a positive signal to search engines.

Is it better to use a plugin or edit the .htaccess file?

Both methods achieve the same result. Editing the .htaccess file is a quick, one-time fix. Using a security plugin like Sucuri is great for beginners as it handles this and many other security settings with a single click, without needing to edit code.

What if my WordPress site uses an Nginx server?

The .htaccess file is specific to Apache web servers. On Nginx servers, directory listing is typically disabled by default in the main server configuration. If you suspect it’s enabled, you should contact your hosting provider to have them disable it for you.

Additional Reading for WordPress Security

Want to keep your WordPress website secure and error-free? You may find the following articles useful:

We hope this article helped you learn how to disable directory browsing in WordPress. You may also want to see our ultimate WordPress security guide or our expert pick of the best WordPress security plugins.

If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.

Popular on WPBeginner Right Now!

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. See how WPBeginner is funded, why it matters, and how you can support us. Here's our editorial process.

The Ultimate WordPress Toolkit

Get FREE access to our toolkit - a collection of WordPress related products and resources that every professional should have!

Download Now

Reader Interactions

98 CommentsLeave a Reply

  1. I noticed that I have directory browsing disabled on my WordPress site, because I got a 403 error when trying to access wp-includes, yet I don’t remember ever having edited my .htaccess file to do so.
    Does WordPress automatically disable directory browsing during initial installation?

    Reply

    • Unless there was a recent change it does not by default, it may be your hosting provider’s default settings for htaccess.

      Reply

      Admin

      • That’s what I was suspecting also, thanks for clarifying that WordPress doesn’t disable directory browsing by default.
        And the respond too :)

        Reply

  2. I didn’t even know that this vulnerability existed. Just checked mine and got the 403 error. which means directory browsing is disabled. Thank you.

    Reply

  3. Thanks for the advice. On directory browsing, or that I have it enabled, the AIO SEO plugin keeps warning me. I have currently solved the problem by making the folders have an index file that is empty. Is it possible to take this as one of the possible solutions?

    Reply

    • You can try that method but we would still recommend the htaccess method from our guide.

      Reply

      Admin

      • Thanks for the advice, I finally used the Options -Indexes method now and AIO SEO already reports the problem as solved. Thanks again.

        Reply

  4. After editing the htaccess file as per the provided guidelines, I do see 403 Forbidden message for /wp-includes/. But I’m unable to see edit any post. Upon editing a post, I see the same 403 Forbidden message. How to solve this?

    Reply

  11. I am in love with this website. Every day I am surprised when I read a new article from this website. Thankfully I read this article today and immediately I implemented the advice.

    Reply

  19. So is it ok to have this code on .htaccess file even when an index.php file is present in the root folder.

    Kindly respond.

    Reply

  21. Hello
    does this action affect pages indexing on search engines?
    and does it make some problems for indexed pages of my WordPress website?
    Thanks

    Reply

  24. Amazing post,

    Just have simple question, I added this code and it’s working, the question is Google indexes those page e.g sitecom/wp-contents/2019/2, will Google remove those pages automatically now as these are 404. Or I should remove it in Search Console?

    Thanks

    Reply

  25. Hello!

    I recently applied this rule
    and at the same day the front page of my blog
    got vanished from google index.

    Do you see any connection?

    Reply

    • Adding this to your htaccess should not affect your indexing, there are multiple reasons and you would want to check your Google Search Console for what it says about your home page.

      Reply

      Admin

  26. Thanks for all the tips that you provide!
    I am still wondering how can you hide the wp-content & wp-include folder from sources? I hate it when someone goes right click and source it can see all of my plugins :). Do you have any script for this?
    Thank you in advance!

    Reply

    • We do not have a recommended method for that at the moment, the most common reason you can’t see those folders in dev tools is a site’s cache.

      Reply

      Admin

  27. Could you please tell me How can i disable WordPress in sub folder like my WordPress install on [www.mydomain.com] and i want to disable wordpress in [www.mydomain.com/customscript]

    Reply

  30. I disabled directory browsing, but still someone can see my directory when they use developer tools in chrome browser. How do I disable in that as well?

    Reply

  32. When I click “Save Changes” on the Permalink Settings page the .htaccess file is updated, erasing the “Options -Indexes” code that I inputted. The code works fine, but I am concerned I will unknowingly delete it while performing some other task. Are there any other dashboard settings changes that I should know about that may affect the .htaccess file and erase the code? Thanks

    Reply

  34. Huge fan of wpbeginner, Optin Monster – I got so many useful tips and tricks on WP – and I have to say, the site design is just brilliant. And of course, the content here is epicly useful.

    Thanks guys!

    Reply

  35. Hey! It doesnt seem to work. if i pull an image to another page its opened with a link of: example.com/wp-content/uploads/…
    Any idea? thanks!

    Reply

      • I would appreciate if you could iterate on this. I had a hard time when trying to get a solution for this issue. There are some ideas based on a htaccess redirecting to a php file that first checks if the user is logged on. Is there any plugin which provides such a function?

        Reply

  38. Sorry to late ask. I want to know, are these techniques safe to use regarding SEO score ? Hope you answer !

    Reply

  40. I have been writing this same code for weeks now but my directory remains visible to users. Pls what am doing wrong? Or could it be that my site is still loading from cached contents? Everybody says it is working but my own experience is different. Any help will be appreciated! Thanks in anticipation of your reply.

    Reply

  43. Is there a way to allow viewing a directory but just hide the Parent Directory link for a specific page? This would be a network share folder that multiple people would access, and have sub folders which would still require a parent directory listing. I just don’t want anyone going above the shared folder.

    Reply

  44. This didn’t work for me. I tried before and after #END WordPress and didn’t work. I also tried “Options All -Indexes”, but didn’t work either

    Reply

  46. Really great. today I just faced and thinking how can I disallow like joomla and I found the exact solution.

    Reply

  48. Thanks so much, was dismayed to see images from my site going to a parent directory :0. This was very helpful and worked well.
    Blessings – A

    Reply

  49. Thanks for this tutorial. It worked great for hiding my uploads from anyone just wanting to browse that directory. One question, though. Does this by chance turn off the ability of search engines to browse my website. Sorry if it seems like a dumb question. I am a newbie, after all. :)

    Reply

  50. I added the Options -Indexes code to the htaccess file, however now I am not able to access the site I get a 503 error. Am I doing something wrong? Need help bad!! Thanks

    Reply

Leave A Reply

Thanks for choosing to leave a comment. Please keep in mind that all comments are moderated according to our comment policy, and your email address will NOT be published. Please Do NOT use keywords in the name field. Let's have a personal and meaningful conversation.

Copyright © 2009 - 2025 WPBeginner LLC. All Rights Reserved. WPBeginner® is a registered trademark.

Managed by Awesome Motive | WordPress hosting by SiteGround

The WordPress® trademark is the intellectual property of the WordPress Foundation. Uses of the WordPress®, names in this website are for identification purposes only and do not imply an endorsement by WordPress Foundation. WPBeginner is not endorsed or owned by, or affiliated with, the WordPress Foundation.

I need help with…

Popular searches:

Starting a Blog WordPress SEO WordPress Performance WordPress Errors WordPress Security Building an Online Store