How to Prevent Directory Listing of Your Website

Can anyone find out the contents of your website folders? If so, you need to prevent directory listing.

Note that this solution only works if your website is running on an Apache server. Here’s how you can tell. Go to http://builtwith.com and enter your domain name. The first result tells you the Web Server, and you want it to say “Apache.”

Technical note: If you’re running on SiteGround, they use Apache as their web server as of the writing of this article; however, you may see “nginx” if you are using their Cloudflare caching. In this case, the .htaccess solution presented here will still work.

Watch today’s episode to find out whether your address is vulnerable, and learn how to keep it safe.

URL to test whether you have this problem:

http://.com/wp-content/uploads

Code to add to .htaccess:

Options -Indexes

Prevent Directory Listing (Transcript)

Hi there. This week I’m checking in with you to find out whether your website is safe from the prying eyes of potential hackers. Stay tuned, and I’m going to do a little test with you to find out whether your site is vulnerable, and if it is, I’ll show you how to fix it.

Hi, I’m Julie Waterhouse from Stress-Free Website Solutions. I want to check with you to find out whether your site is revealing too much to potential hackers. By default the server where all your files for your website are stored enables something called directory browsing, or directory listing. What that means is that people can go and look inside all the folders that are on your server. You don’t want them to be able to do that because it’s revealing too much about the contents of your website and allowing them to potentially exploit vulnerabilities.

What you want to do to test is to go to the following URL. You’re going to substitute your website for mine. I would go to http://juliewaterhouse.com/wp-content/uploads. If you’re watching this on juliewaterhouse.com, that URL is just below this video. You swap out juliewaterhouse.com for your domain name and go there and see what you see.

If You See Error 403: Access/Permission Denied…

If when you browse there you find you get an error message, a 403 error, 4-0-3 error code, or something that says “access denied” or “permission denied,” that’s good. That’s exactly what you want, because you don’t want just anybody to be able to see the contents of your files. That would include your plugin files, your theme files, all the media that you upload to your media library. Those are the things we’re trying to protect. If you get access denied, you’re all done. You’re safe, and I’ll see you next time!

If you see a listing of your folders…

If, on the other hand, you do see a listing of your folders and their contents, we need to fix that. I’m going to share my screen with you now and show you exactly what you need to do to do that. What we’re going to need to do is log in to your host, go on your server and find one specific file and add one line to it. That’s going to make you safe from this vulnerability. Here we go. Let me share my screen.

Sharing my screen…

I’m here in my browser now and I’m at the URL juliewaterhouse.com/wp-content/uploads. For the purposes of this demo only I’ve turned off the security to protect against directory browsing. I wanted to show you exactly what would happen. When you come to this URL you can actually see the contents of all the directories in my home directory, which is exactly what I don’t want you to see. Now let me show you how to fix it.

Fixing it from cPanel

I’m going to switch over now to another window. Now I’ve logged in to my host. I’ll go up to the top here. My host is SiteGround. You might be hosted somewhere else. I’m in my cPanel. Most hosts have a cPanel interface; some don’t. What you’re looking for is a way to edit the files on your server. In cPanel you want to scroll down and look for File Manager. I’m going to click on File Manager. Then you want to make sure that this checkbox is checked to show hidden files because the file that we’re going to edit is what they call a dot file, called .htaccess. Check that. Make sure the document root is set to be the root for the website that you want to fix, and then click go.

This will open up a new window. This has all the folders and files that are on our server for our website in our home directory. The one we’re looking for is this one here. It’s called .htaccess.

Back up first!

Now this is an important file for your website, so before you do anything you want to go ahead and make a backup. To make a backup, with the file highlighted go up and choose copy. Then copy file to; you’re going to put /.htaccess-back, or anything else, number two, just as long as you have a second copy of the file. Then hit copy files. That way, if anything goes wrong you have a version you can revert to that you know works. Here’s our backup copy. Here’s our original.

Edit .htaccess

Now we’re going to go ahead and edit the original file. Highlight it and click edit. Another window will open with the contents of the file. This is like a text editor. Now, to prevent directory listing, we just have to add one line, and I’m going to put it right at the bottom. Scroll all the way to the bottom, put your cursor there, create a new line. Then I’m going to put a comment. Comments start with the hash or number sign character. I’m going to say disable directory browsing because that’s what we’re going to do, and then a new line.

Then all you need to say is Options -Indexes. You can copy and paste this from a line that I have below this video if you’re watching it on juliewaterhouse.com. Just copy and paste it into your file. That’s all you need. Then I’m going to hit save. I can close the file.

Testing the result

Then I’m going to return to my window where you could see my directory listing. I’m going to refresh this. All of a sudden you get a 403 forbidden error. That’s exactly what you want to see. Now someone else who comes along and tries to view this directory won’t be able to. That’s what you want. That’s all there is to it.

The only other thing I would do, because you’ve been touching the htaccess file, is just go to the root of your website and just make sure everything is still working as you expect it. If it does, you’re good to go. That’s all.

Share the love

That’s it. If you found this tip useful, please I encourage you to share it with your friends and colleagues. If you’re not watching this over on juliewaterhouse.com, hop on over and make sure you get signed up for my newsletter where I share tips and tricks like this and things that I only share with my subscribers. The quickest way to get on the list is to text WordPress to 1-855-969-5300. That’s it for this week, and I’ll see you next time.
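
The backup, edit and re-test steps from the transcript, as an added shell example (not part of the original post or video) for readers who have command-line access instead of cPanel. The function names, the -back backup suffix and the sample files are assumptions made for illustration; the "Index of /" check relies on the page title Apache generates for a directory listing.

```sh
#!/bin/sh
# Added example; function names and sample data are illustrative assumptions.

# disable_indexes FILE
#   Copies FILE to FILE-back, then appends "Options -Indexes" unless an
#   uncommented Options line already carries -Indexes.
#   Prints "added" or "already-set"; returns 1 if FILE does not exist.
disable_indexes() {
    di_file=$1
    [ -f "$di_file" ] || { echo "missing"; return 1; }
    if grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$di_file"; then
        echo "already-set"
        return 0
    fi
    cp -p "$di_file" "${di_file}-back" || return 1
    # If the last line has no trailing newline, add one so the new
    # directive does not get glued onto an existing rule.
    [ -z "$(tail -c 1 "$di_file")" ] || printf '\n' >> "$di_file"
    printf '# Disable directory browsing\nOptions -Indexes\n' >> "$di_file"
    echo "added"
}

# classify_listing STATUS BODY_FILE
#   Interprets the response to a directory URL such as /wp-content/uploads/:
#     protected     403 Forbidden, the outcome the transcript asks for
#     exposed       200 and Apache's generated "Index of /..." page title
#     inconclusive  anything else (index file present, redirect, 404)
classify_listing() {
    case $1 in
        403) echo "protected" ;;
        200) if grep -qi '<title>Index of /' "$2"; then echo "exposed"
             else echo "inconclusive"; fi ;;
        *)   echo "inconclusive" ;;
    esac
}

# Demo on a constructed .htaccess in a temporary directory.
demo=$(mktemp -d)
printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress' > "$demo/.htaccess"
disable_indexes "$demo/.htaccess"
disable_indexes "$demo/.htaccess"
rm -rf "$demo"

# Against your own site (example.com is a placeholder):
#   status=$(curl -s -o body.html -w '%{http_code}' "https://example.com/wp-content/uploads/")
#   classify_listing "$status" body.html
```

If anything breaks after the edit, copy the -back file over .htaccess to revert, which is what the backup step in the transcript is for.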
