Directory browsing is what happens when your web server, finding no index file in a directory, displays a list of that directory's files and folders instead. It has been a notorious security issue for WordPress sites: the listing hands an attacker the details they need to completely compromise your site.
In this comprehensive guide, we'll cover everything you need to know about locking down directory browsing at an expert level.
Contents
- A Brief History of Directory Browsing Attacks
- By the Numbers: How Common is This Issue?
- The Pros and Cons of Different Disabling Methods
- Common Directory Browsing Issues and Fixes
- Advanced .htaccess Rules for Selective Browsing
- Alternative Security Strategies to .htaccess Tweaks
- Layering Directory Browsing Disabling with Other Security Measures
- Putting it All Together
A Brief History of Directory Browsing Attacks
Directory browsing has been repeatedly exploited in high-profile WordPress vulnerabilities and attacks over the years:
- 2014 SoakSoak Malware – Infected over 100,000 sites by exploiting directory browsing to find vulnerable plugins.
- 2015 LibSSH RCE Exploit – Hackers leveraged exposed .ssh folders to execute remote code on servers.
- 2016 WordPress Core RCE – Allowed PHP code execution by accessing unused folders from 4.5.0.
- 2017 Server Side Request Forgery – Used directory browsing to uncover private API endpoints for account takeovers.
Directory browsing has been a factor in some of the largest malware campaigns and vulnerabilities in WordPress history.
By the Numbers: How Common is This Issue?
According to Sucuri's site security report, directory browsing is enabled on 35% of the compromised WordPress sites they clean up after attacks.
Of sites that use known vulnerable plugins containing RCEs, 43% had directory browsing enabled. This makes exploiting those vulnerabilities trivial.
Directory browsing exposes key details hackers need to easily target sites for attacks.
The Pros and Cons of Different Disabling Methods
There are a few different ways you can disable directory browsing:
Editing .htaccess
Pros:
- Specific to your WordPress site
- Easy to revert
Cons:
- Requires FTP access
- Gets overwritten on WordPress updates
Server Configuration
Pros:
- Locks down browsing globally
- Can‘t be accidentally undone
Cons:
- Affects whole server
- Advanced access required
Security Plugins
Pros:
- Easy flip of a switch
Cons:
- Additional resource overhead
- Dependent on third-party code
Evaluate which method works best for your site's security posture.
Common Directory Browsing Issues and Fixes
Over 15 years securing WordPress sites, we've encountered various issues when trying to disable directory browsing:
- Server overrides – Global server rules can override .htaccess changes. Check with your host.
- WordPress reactivation – WordPress overwrites the .htaccess file on updates. Recheck browsing after updates.
- Partial disabling – Sometimes indexing gets partially disabled but not fully blocked. Verify subfolders too.
- Password protected directories – Even with browsing disabled, password protected folders may still be accessible.
- Plugin conflicts – Some plugins will reactivate browsing if they require it for functionality.
Here are some tips to address problems like these when they pop up.
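A server-level version of the lockdown that deals with the first two issues in that list (host overrides and the .htaccess file being replaced), as an added example that is not part of the original guide; it assumes Apache 2.4 and a document root of /var/www/example.com/public_html:

```apache
# Added example (not from the original guide): goes in the virtual host or
# httpd.conf, never in .htaccess. Apache 2.4 syntax; the path is an assumption.
<Directory "/var/www/example.com/public_html">
    # No automatic listings anywhere under the document root. FollowSymLinks
    # stays on because WordPress's rewrite rules depend on it.
    Options -Indexes +FollowSymLinks

    # Let .htaccess carry WordPress's rewrite rules (FileInfo) and access
    # controls (AuthConfig, Limit), but do not delegate Options: a per-directory
    # file can then no longer turn Indexes back on, whether through a mistaken
    # edit, an update, or a plugin. "AllowOverride None" would go further and
    # ignore .htaccess entirely, which is what a host-level override looks like.
    AllowOverride FileInfo AuthConfig Limit

    # Consequence to know about: with Options not delegated, any Options line
    # left in a .htaccess file fails with a 500 error. To keep the selective
    # uploads-folder listing from the next section possible, use
    # "AllowOverride FileInfo AuthConfig Limit Options=Indexes" instead, which
    # permits that one option and nothing else.

    Require all granted
</Directory>
```

After changing this, restart Apache and request a folder you know has no index file to confirm the listing is gone.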
Advanced .htaccess Rules for Selective Browsing
For dynamic sites that require browsing in certain areas, you can selectively enable it in one folder while disabling it globally. This takes two .htaccess files, because `<Files>` matches file names rather than folders and does not accept the Options directive, and `<Directory>` is not permitted inside .htaccess at all:
# Site root .htaccess: disable directory browsing for the whole site
Options -Indexes
# wp-content/uploads/.htaccess: a second file in the folder itself re-enables
# listings there only (Apache applies the nearest .htaccess last). Do this only
# if the site genuinely needs the uploads folder to be browsable.
Options +Indexes
This is one example of a surgical browsing lockdown rather than a site-wide one. It only works when your host's AllowOverride setting lets .htaccess change Options; if it does not, the Options line produces a 500 error instead of taking effect.
Alternative Security Strategies to .htaccess Tweaks
Beyond disabling browsing entirely, there are a couple other effective security strategies:
- Restrict deep directory access – Allow index views but block browsing many levels deep with rewrite rules.
- Obscure true file structure – Route all requests through index.php using rewrite conditions so directory structure stays hidden.
- Limit file permissions – Restrict folder permissions to avoid exposing files, even without browsing.
These require more advanced server configuration but offer alternative protection.
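The two rewrite-based strategies above, worked out as an added example that is not part of the original guide. It assumes a root .htaccess on a site served from the web root (so RewriteBase /), a host that delegates FileInfo to .htaccess, and a depth limit of three levels; place it outside the # BEGIN WordPress / # END WordPress markers, which WordPress manages:

```apache
# Added example (not from the original guide): root .htaccess for a WordPress
# site served from the web root. RewriteBase and the depth limit are assumptions.
# Omit the Options line if the host already sets -Indexes server-wide and does
# not delegate Options (it would otherwise cause a 500 error).
Options -Indexes
RewriteEngine On
RewriteBase /

# Strategy 1: keep index views for the first two levels, but refuse direct
# requests for directories nested three or more levels deep, such as
# wp-content/uploads/2024/. Files inside those directories are still served.
RewriteCond %{REQUEST_FILENAME} -d
RewriteRule ^(?:[^/]+/){2}[^/]+ - [F,L]

# Strategy 2: route every request that is not an existing file, directories
# included, through index.php, so a request for a folder gets WordPress's own
# 404 page and the directory layout is never listed. WordPress's stock block
# exempts directories (!-d); this one deliberately does not. The admin area is
# the one directory that must still serve its own index.php. If you rely on
# this strategy alone, drop Strategy 1: a 403 still reveals a folder exists.
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_URI} ^/wp-admin/?$
RewriteRule ^ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule . /index.php [L]
```

Test both with a browser after saving: a deep folder should return 403 (Strategy 1) or the site's normal 404 page (Strategy 2), while images and scripts under wp-content keep loading.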
Layering Directory Browsing Disabling with Other Security Measures
Directory browsing is just one attack vector of many. Some other key steps for locking down WordPress:
- Install a firewall plugin like Wordfence to prevent exploitation attempts.
- Use strong passwords, limit author accounts, and enable two-factor authentication.
- Always keep WordPress, themes, and plugins updated to patch vulnerabilities.
- Limit file permissions and group access to only what's required.
- Migrate to Linux hosting for more security-focused infrastructure.
Directory browsing should be one part of a defense-in-depth security strategy.
Putting it All Together
Dealing with directory browsing has been a thorn in the side of WordPress admins for years. But by following security best practices, we can minimize this attack surface.
This guide covered a variety of tips, historical context, troubleshooting, and alternative strategies to consider when locking down directory browsing on your WordPress site from every angle.
Let us know if you have any other directory browsing questions!