Preventing Directory Browsing

Posted on May 13th, 2011

By default, most hosts allow directory listing, so if you type www.yourblog.com/wp-includes into the browser’s address bar, you’ll see all of the files in that directory. This is definitely a security risk, because a hacker could see when each file was last modified and could access the files themselves.

Add the following to the Apache configuration or your .htaccess file:

Options -Indexes

Please note that it’s not enough to update the blog’s robots.txt file with Disallow: /wp*. This would prevent the wp- directories from being indexed, but it would not prevent users from seeing them.
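To confirm the change took effect on your own site, the following added example (not part of the original post) classifies the response for a directory URL: an Apache-generated listing page versus the 403 that Options -Indexes produces when the directory has no index file. The sample responses are constructed, and the names classify and check are chosen for this example.

```python
import re
import urllib.error
import urllib.request

# Apache's mod_autoindex titles its generated pages "Index of /<path>".
TITLE_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)


def classify(status, body):
    """Return 'listing', 'blocked' or 'other' for a directory URL's response."""
    if status == 200 and TITLE_RE.search(body):
        return "listing"   # directory contents are exposed
    if status in (403, 404):
        return "blocked"   # what Options -Indexes yields with no index file
    return "other"         # e.g. an index.php or index.html was served


def check(url, timeout=10):
    """Fetch a directory URL on your own site and classify the response."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return classify(resp.status, body)
    except urllib.error.HTTPError as err:
        # urllib raises for 4xx/5xx; the status code alone is enough here.
        return classify(err.code, "")


# Constructed sample responses (not captured from a real server).
SAMPLE_LISTING = """<html><head><title>Index of /wp-includes</title></head>
<body><h1>Index of /wp-includes</h1>
<table><tr><th>Name</th><th>Last modified</th><th>Size</th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td><td>-</td></tr>
<tr><td><a href="cache.php">cache.php</a></td><td>2011-05-01 10:12</td><td>21K</td></tr>
</table></body></html>"""
SAMPLE_FORBIDDEN = """<html><head><title>403 Forbidden</title></head>
<body><h1>Forbidden</h1></body></html>"""

if __name__ == "__main__":
    import sys
    # Usage: python check_listing.py http://www.yourblog.com/wp-includes/
    for url in sys.argv[1:]:
        print(url, check(url))
```

Running the same check with only the robots.txt rule in place still reports "listing", because robots.txt does not change what the server returns.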