What Is Directory Browsing?
Directory Browsing allows visitors to see the file structure of your WordPress website if there’s no index file present in a folder. For example, if someone types “https://yourdomain.com/wp-content/uploads/”, and directory browsing is enabled, they’ll see a full list of every image, media file, and sometimes even plugin files in that folder, just like opening a folder on a desktop.
This might seem harmless at first, but for hackers, it’s a goldmine of information.
How Directory Browsing Exposes Your Website
| Risk | Potential Impact |
|---|---|
| Visible file paths | Reveals your theme, plugin, and upload structure |
| Easier targeting | Hackers can look for outdated or vulnerable files |
| Content theft | Anyone can download images, PDFs, or other assets |
| Privacy leaks | Backup or temp files may be publicly viewable |
If you're running a live WordPress site, leaving directory browsing on is like leaving your file cabinet open for anyone to inspect.
How to Disable Directory Browsing Using WordPress Manager
STEP 1: Log in to your cPanel.
There are three methods to log into your cPanel.
- Method 1: Log in to your cPanel directly.
- Method 2: Log in to your cPanel through your Customer Portal:
  - Log in to your Customer Portal.
  - Click on "Log in to cPanel".
- Method 3: Log in using the details sent to your email. When you purchase a hosting plan, your cPanel login details (including username, password, and cPanel URL) are automatically sent to your registered email address. Simply check your inbox (or spam folder), locate the email, and use the provided credentials to access your cPanel.
STEP 2: Locate the Software section and click on Softaculous Apps Installer.
STEP 3: Click the box for Installations.
An alternative is to select the “All Installations” icon from the menu in the upper-right corner.
STEP 4: Click the WordPress icon next to the installation you want to manage.
STEP 5: In WordPress Manager, select the website you want to secure.
STEP 6: Scroll to the Security Measures section.
STEP 7: Checkmark the box for “Block directory browsing”, and click Apply.
This will:
- Automatically disable file listings in all directories.
- Prevent users from accessing folders without index files.
- Stop snooping bots and attackers from browsing the contents of your folders.
How to Check If Your Site Is Vulnerable
Try visiting:
https://yourdomain.com/wp-content/uploads/
If you see a list of files instead of a blank page or redirect, it means directory browsing is enabled, and you should disable it immediately.
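The same check can be scripted for your own site. The following is an added example, not part of the original guide or of WordPress Manager: it looks for the "Index of /" page that Apache and nginx generate for a folder listing, and it assumes a hypothetical script name (check_listing.py) and constructed sample responses.

```python
import re
import sys
import urllib.error
import urllib.request

# Apache and nginx both title auto-generated listings "Index of /path".
LISTING_MARK = re.compile(r"<(title|h1)>\s*Index of\s+/", re.IGNORECASE)

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "apache_listing": (200, "<html><head><title>Index of /wp-content/uploads</title></head>"
                            "<body><h1>Index of /wp-content/uploads</h1>"
                            '<a href="/wp-content/">Parent Directory</a></body></html>'),
    "nginx_listing": (200, "<html><head><title>Index of /wp-content/uploads/</title></head>"
                           '<body><h1>Index of /wp-content/uploads/</h1><pre><a href="../">../</a></pre>'),
    "blank_index": (200, ""),  # folder contains an empty index file
    "forbidden": (403, "<h1>Forbidden</h1>"),
}


def classify(status, body):
    """Classify one folder response as 'listing', 'blocked' or 'no-listing'."""
    if status == 200 and LISTING_MARK.search(body):
        return "listing"
    if status in (401, 403, 404):
        return "blocked"
    return "no-listing"


def fetch(url, timeout=10):
    """GET a folder URL; return (status, first 64 KiB of the body as text)."""
    req = urllib.request.Request(url, headers={"User-Agent": "dirlisting-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python check_listing.py https://yourdomain.com/wp-content/uploads/
    exposed = False
    for url in sys.argv[1:]:
        verdict = classify(*fetch(url))
        exposed = exposed or verdict == "listing"
        print(f"{verdict:10} {url}")
    sys.exit(1 if exposed else 0)
```

A result of "listing" means directory browsing is still enabled for that folder; the script exits with status 1 in that case, so it can run as a scheduled check after you apply the setting.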
Frequently Asked Questions (FAQs)
Q: Will disabling directory browsing affect how my site works?
No. Your site will continue to function as normal. Visitors will still be able to access media you’ve embedded in posts or pages.
Q: Can I still upload files and access them via WordPress?
Yes. This only affects how your server responds when someone visits a folder directly. It doesn’t change how WordPress works or handles uploads.
Q: What if I have a plugin that uses public directories?
Most plugins work fine even when directory browsing is disabled. If needed, the setting can be reversed in WordPress Manager.
If you need help, kindly reach out to LyteHosting support.