Directory Index Guard
Directory Index Guard is a small, lightweight plugin for WordPress that prevents Apache web servers from showing directory listings, commonly called directory indexes. Installation is easy, and you can turn off directory listings for all folders with one click. If you are unsure which web server your site runs on, don’t worry: the plugin will detect it automatically and let you know. You can download the plugin from the WordPress marketplace here, or install it through the WordPress Plugin Administrator page.
- Log into your site as the WordPress Administrator.
- Go to the Plugin Menu and click Add New.
- Enter “Directory Index Guard” in the search box. It will be the first result to show up with a blue shield icon.
- Install and Activate the plugin.
Once activated, the plugin configuration will be under the Tools menu on the WordPress Administration page. The configuration page will show you all directories on your server and which ones are vulnerable. Clicking on the “Turn off Directory Listings” button will apply the necessary configuration changes, after which all directories should appear safe.
What is a Web Server Directory Listing?
A web server directory listing, commonly called a directory index, is a list of the contents of a folder stored on your WordPress server. Like the directories on your local computer, a web server has a directory structure for storing files and folders. A listing can be triggered by typing “/” after any web address. If directory listings are turned on, the server will show all files and subfolders contained in that directory. Each file can be viewed or downloaded, and you can move into and out of subfolders just as you would on your local computer.
Why are they dangerous?
Backups of critical WordPress configuration files are often made before changes and then stored in a directory on the server. They can potentially contain your WordPress administrator or database password. The source code for plugins, themes, and administrative functions is also stored in directories on the server. None of these files are intended for public viewing. Hackers can use directory listings to download these files and build a road map of how to exploit vulnerabilities in your site. If the files contain your WordPress administrator password, your entire site and all of your customer data are at risk. To make matters worse, hackers can scan these files with a script, on millions of websites at a time, and hack your site or sell the information on the dark web. Common identity theft programs may not scan for WordPress configuration passwords. Turning off directory listings is absolutely critical for the security of your site.
How to tell if your WordPress server has directory listings on
Some common WordPress directories that contain source code and other important files are
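The following script is an added example, not part of the plugin, showing how an administrator can check their own site from the outside for the Apache directory-index page on the standard WordPress directories (the directory list, the `example.test` URL and the sample responses are assumptions constructed for the demonstration).

```python
import re
import urllib.error, urllib.request
from typing import Callable, Dict, List, Tuple

# Standard WordPress directories to check (assumed typical layout, not from the page).
WP_DIRECTORIES = [
    "/wp-content/uploads/",
    "/wp-content/plugins/",
    "/wp-content/themes/",
    "/wp-includes/",
]
# Apache mod_autoindex pages put "Index of /path" in both <title> and <h1>.
_INDEX_OF = re.compile(r"<(?:title|h1)>\s*Index of\s+/", re.IGNORECASE)

def is_directory_listing(status: int, body: str) -> bool:
    """True when an HTTP response looks like an Apache directory index."""
    return status == 200 and _INDEX_OF.search(body) is not None

def check_site(base_url: str, fetch: Callable[[str], Tuple[int, str]],
               directories: List[str] = WP_DIRECTORIES) -> Dict[str, bool]:
    """Map each directory to True if it is exposed; fetch(url) -> (status, body)."""
    base = base_url.rstrip("/")
    return {d: is_directory_listing(*fetch(base + d)) for d in directories}

def http_fetch(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """Fetch over HTTP; 403/404 and network errors become non-200 statuses."""
    req = urllib.request.Request(url, headers={"User-Agent": "dir-index-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""
    except urllib.error.URLError:
        return 0, ""

# Constructed sample responses so the check can be demonstrated offline.
SAMPLE_RESPONSES = {
    "https://example.test/wp-content/uploads/": (200,
        "<title>Index of /wp-content/uploads</title><h1>Index of /wp-content/uploads</h1>"
        '<a href="wp-config.php.bak">wp-config.php.bak</a>'),   # listing enabled
    "https://example.test/wp-content/plugins/": (403, "<title>403 Forbidden</title>"),
    "https://example.test/wp-content/themes/": (200, "<title>My Theme</title>"),
}

def fake_fetch(url: str) -> Tuple[int, str]:
    return SAMPLE_RESPONSES.get(url, (404, ""))

if __name__ == "__main__":
    for d, exposed in check_site("https://example.test", fake_fetch).items():
        print(f"{d:24} {'LISTING ENABLED' if exposed else 'ok'}")
```

To check a real site you administer, call `check_site("https://your-site", http_fetch)` instead of the offline `fake_fetch`. On Apache, listings are turned off with `Options -Indexes` in `.htaccess` or the virtual-host configuration.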