If Directory Listing is enabled on your site, this can lead to information leakage. We recommend disabling Directory Listing.

Disable Directory Listing

Most web servers allow any user to browse the directories (folders) when no index file is available. This can lead to information leakage and help an attacker when trying to compromise your site. In order to improve your security, you should disable this option.

Disabling directory browsing on Apache

To disable directory listing on Apache, add the following line to your .htaccess file:

Options -Indexes

Here is an example of where I put this into effect. It is a WordPress website.

I opened the File Manager, adjusted the Settings to show hidden files, and viewed the folders in the public_html folder. 

I found that the public_html folder, where your website resides, had an index file, and so did the wp-admin folder and the wp-content folder. However, the wp-includes folder did not have an index file.

In my web browser, I pulled up the site and appended that folder to see what would happen: domain.com/wp-includes. It showed me a directory listing of all files in that folder! Right on the web! Well, we certainly don't want that, so here is what I did to fix this:

  • In File Manager (with hidden files showing) I selected the wp-includes folder, created a file and named it .htaccess
  • After saving that, I opened the file and put in the line Options -Indexes and saved the file.
  • Now when I visit that folder in my browser (domain.com/wp-includes), instead of seeing a directory listing of the folders and files in that folder, I see an ERROR 403 - FORBIDDEN message.
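
A way to run the same before-and-after check from a script instead of the browser, as an added example that is not part of the original post: it classifies a folder's response as a directory listing, a 403 block, or neither. It assumes the listing is Apache's auto-generated page, whose title begins "Index of /"; the function names and the sample responses are constructed for illustration.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser

# Apache's mod_autoindex titles its generated pages "Index of /<path>".
AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)


class _LinkCollector(HTMLParser):
    """Collect href targets so the report shows what a listing exposes."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        # Skip column-sort links ("?C=N;O=D") and the parent-directory link.
        if tag == "a" and href and not href.startswith(("?", "/", "../")):
            self.links.append(href)


def classify(status, body):
    """Return (verdict, exposed_names) for one directory response."""
    if status == 403:
        return "blocked", []          # the result of Options -Indexes
    if status == 200 and AUTOINDEX_TITLE.search(body):
        collector = _LinkCollector()
        collector.feed(body)
        return "listing-exposed", collector.links
    return "no-listing", []           # index file served, 404, and so on


def check_url(url, timeout=10):
    """Fetch one folder URL on your own site and classify the response."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # 403 and 404 arrive as exceptions
        return classify(err.code, "")


# Constructed sample responses (not captured from a real site).
SAMPLE_LISTING = """<html><head><title>Index of /wp-includes</title></head><body>
<a href="?C=N;O=D">Name</a> <a href="/">Parent Directory</a>
<a href="css/">css/</a> <a href="version.php">version.php</a></body></html>"""
SAMPLE_FORBIDDEN = "<html><head><title>403 Forbidden</title></head></html>"
```

Call check_url on each folder of your own site that has no index file; a verdict of listing-exposed means Options -Indexes is not in effect for that folder.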

And that's how you disable Directory Listing of your site on the internet. Stay tuned for more articles about securing your website from compromise.

Be safe, be well, 

Nancy Cole

Tuesday, June 30, 2020

