Directory listing enabled on WordPress

The web server displays the list of files in /wp-content/uploads/ (and potentially other folders). Anyone can browse your files.

Why it matters

An attacker can map your installation, discover backup files and private documents, and identify installed plugins and themes.

How to fix

  1. Disable via .htaccess (Apache)

      # At the site root and in wp-content/uploads/
      Options -Indexes
  2. Add an empty index.php in sensitive folders

      # Create an empty index.php in each folder without an index
      touch wp-content/uploads/index.php
      touch wp-content/plugins/index.php
      touch wp-content/themes/index.php
  3. Via Nginx

      # In the vhost config
      location /wp-content/ {
        autoindex off;
      }
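
The touch commands in step 2 cover only three top-level folders, while WordPress by default sorts uploads into year/month subfolders, and each of those can still be listed when the server-level settings from steps 1 and 3 are not in place. The following added example (not from the original page; the function name add_index_stubs and its --dry-run flag are hypothetical, and it assumes the server treats index.php and index.html as index files) walks a folder tree and adds an empty index.php wherever no index file exists.

```bash
#!/bin/sh
# Added example (not from the original page). Function name and the
# --dry-run flag are hypothetical. Assumes the server treats index.php
# and index.html as directory index files.

# Usage: add_index_stubs <root> [--dry-run]
# Prints every directory under <root> that has no index file and, unless
# --dry-run is given, creates an empty index.php there.
add_index_stubs() (
  root=$1
  mode=${2:-}
  [ -d "$root" ] || { echo "not a directory: $root" >&2; exit 1; }
  # find hands the directory names to the inner shell as arguments, so
  # names containing spaces or newlines are handled correctly.
  find "$root" -type d -exec sh -c '
    mode=$1; shift
    for dir in "$@"; do
      # Leave folders alone if they already have an index file.
      if [ -e "$dir/index.php" ] || [ -e "$dir/index.html" ]; then
        continue
      fi
      [ "$mode" = "--dry-run" ] || touch "$dir/index.php"
      printf "%s\n" "$dir"
    done
  ' sh "$mode" {} +
)

# Example run from the WordPress root:
#   add_index_stubs wp-content/uploads --dry-run   # review the list
#   add_index_stubs wp-content/uploads             # create the stubs
```

Run it again after plugin or theme installs and at the start of each month, since new folders are created without an index file.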
