Best Way to Prevent Directory Listing Using .htaccess


Directory listing lets a visitor see the list of files and folders in a directory on your website. This is not serious in itself, but it may help someone launch an attack on your site.

So it is good practice to turn off directory listing by default and then, if needed, allow it selectively. Yes, there are times when you want to enable directory listing for some directories. I will come to this later. Before that…

To Turn Off or Prevent Directory Listing Sitewide…

  1. Open the .htaccess file in your website's root (/) directory. If it is not present, create one. DO NOT forget the . (dot) at the start of the name .htaccess.
  2. Add just one line at the beginning as follows, then save and close the .htaccess file.

Options -Indexes

That’s it. With just one line of code in one file, sitewide directory listing is disabled. Next…

To Turn On or Allow Directory Listing…

  1. Go to the folder for which you want to allow directory listing.
  2. Open the .htaccess file in that directory. If it is not present, create one.
  3. Add just one line at the beginning as follows, then save and close the .htaccess file.

Options +Indexes

That’s it. Now the directory and all sub-directories under it will have directory listing enabled.

If you have a well-organized website structure, you will only need 2 .htaccess files. At Devils Workshop, I prevented directory listing sitewide by creating a .htaccess file in it. And then I created another .htaccess file under the /pub directory, as I keep all publicly accessible files under it.

I feel all bloggers who are using a self-hosted WordPress setup should follow this. WordPress is quite secure, but the plugins you are using on WordPress may have some security flaws. A person can use directory listing to get the list of plugins you are using and, depending on it, launch an attack on your site. So it's better to play safe… ;-)

If you do not have permission to create or edit .htaccess files on your webserver, you can still secure your sensitive directories by creating a blank file named index.html in them. With this approach, remember to create an index.html file in each directory you want to protect. I know it sounds like a lot of work, and chances are you may miss some sub-directories along the way. But that is what makes the .htaccess method best!
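To audit the setup described above, the following script (an added example, not code from the original post) walks a document root, applies each .htaccess Options line with inheritance from the parent directory, and reports the directories where Apache would still generate a listing. It assumes the server honours Options in .htaccess (AllowOverride permits it), that listing is on in the server default, and that index.html and index.php are the index file names; the function names, the sample tree and the some-plugin directory are constructed for the example.

```python
import os
import tempfile

INDEX_FILES = ("index.html", "index.php")  # assumed DirectoryIndex names

def indexes_after(htaccess, inherited):
    """Apply the Options lines of one .htaccess to the inherited Indexes state."""
    state = inherited
    with open(htaccess, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            words = line.split()
            if not words or words[0].lower() != "options":
                continue  # also skips comments and unrelated directives
            flags = [w.lower() for w in words[1:]]
            if "-indexes" in flags:
                state = False
            elif "+indexes" in flags:
                state = True
            elif flags and not any(f[0] in "+-" for f in flags):
                state = "indexes" in flags or "all" in flags  # bare list replaces
    return state

def listable_dirs(docroot, server_default=True):
    """Directories (relative to docroot) where Apache would generate a listing."""
    docroot = os.path.abspath(docroot)
    state, found = {}, []
    for path, dirs, files in os.walk(docroot):
        dirs.sort()  # deterministic report order
        current = state.get(os.path.dirname(path), server_default)
        if ".htaccess" in files:
            current = indexes_after(os.path.join(path, ".htaccess"), current)
        state[path] = current
        if current and not any(name in files for name in INDEX_FILES):
            found.append(os.path.relpath(path, docroot))
    return found

def build_sample(root):
    """Constructed layout mirroring the post: root denies, /pub allows."""
    for d in ("pub/docs", "wp-content/plugins/some-plugin", "private"):
        os.makedirs(os.path.join(root, d))
    for rel, text in ((".htaccess", "Options -Indexes\n"),
                      ("pub/.htaccess", "Options +Indexes\n"), ("index.html", "")):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print("listing enabled in:", listable_dirs(tmp))
```

Run against the real document root, any directory in the report other than the ones deliberately opened with +Indexes needs a closer look.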


3 Comments (including Pingbacks/Trackbacks) so far »

  1. Gautam on October 17, 2008

    Thanks for Sharing :-)

  2. Rahul Bansal on October 18, 2008

    @Gautam
    Welcome bro… :-)

  3. Chetan Gole on November 30, 2008

    This trick is very useful when we are using any paid script or any custom made CMS to protect our files from rippers.
    Really useful.
