Directory Index Guard

WordPress Plugin

Directory Index Guard is a small, lightweight plugin for WordPress that prevents Apache web servers from showing directory listings, commonly called directory indexes. Installation is easy, and you can turn off directory listings for all folders with one click. If you are unsure which web server your site runs on, don’t worry: the plugin will detect it automatically and let you know. You can download the plugin from the WordPress marketplace here, or install it through the WordPress Plugin Administrator page.

How to Install
  1. Log into your site as the WordPress Administrator.
  2. Go to the Plugin Menu and click Add New.
  3. Enter “Directory Index Guard” in the search box.  It will be the first result to show up with a blue shield icon.
  4. Install and Activate the plugin.

Once activated, the plugin configuration will be under the Tools menu on the WordPress Administration page.  The configuration page will show you all directories on your server and which ones are vulnerable.   Clicking on the “Turn off Directory Listings” button will apply the necessary configuration changes, after which all directories should appear safe.

What is a Web Server Directory Listing?

A web server directory listing, commonly called a directory index, is a list of the contents of a folder stored on your WordPress server. Like your local computer, a web server has a directory structure for storing files and folders. A listing can be triggered by typing “/” after any web address. If directory listings are turned on, the server will show all files and subfolders contained in that directory. The files can be viewed or downloaded, and you can move into and out of subfolders as you would on your local computer.

Why are they dangerous?

Backups of critical WordPress configuration files are often made before changes and then stored in a directory on the server. They can contain your WordPress administrator or database password. The source code for plugins, themes, and administrative functions is also stored in directories on the server. None of these files are intended for public viewing. Hackers can use directory listings to download these files and create a road map of how to exploit vulnerabilities in your site. If the files contain your WordPress administrator password, your entire site and all of your customer data are at risk. To make this worse, hackers can scan for these files with a script, on millions of websites at a time, and hack your site or sell the information on the dark web. Common identity theft programs may not scan for WordPress configuration passwords. Turning off directory listings is absolutely critical for the security of your site.

How to tell if your WordPress server has directory listings turned on

If your WordPress server has directory listings turned on, then when you type http://www.yourdomain.com/wp-includes/js/ or http://www.yourdomain.com/wp-admin/includes/ you will get a list of files and folders. It will look something like the image below.

Some common WordPress directories that contain source code and other important files are

  • http://www.yourdomain.com/wp-admin/includes/
  • http://www.yourdomain.com/wp-admin/js/
  • http://www.yourdomain.com/wp-admin/includes/js
  • http://www.yourdomain.com/wp-includes/js/
  • http://www.yourdomain.com/wp-content/upgrade/
  • http://www.yourdomain.com/wp-content/plugins/
  • http://www.yourdomain.com/wp-content/themes/
  • http://www.yourdomain.com/wp-includes/
  • http://www.yourdomain.com/wp-includes/theme/
  • http://www.yourdomain.com/wp-includes/widgets/

What to do if directory listings are enabled?

While this is not a problem that will be visible to your users, it is a serious security risk that needs to be addressed as soon as possible. There are several ways to disable web server directory listings, and each of them depends on how your WordPress site is set up. Researching and applying the correct fix for your site can be time consuming. Once you have finished, you need to validate that the fix has worked on all directories for your website. Our Directory Index Guard WordPress plugin will fix this problem with one click. It is easy to install and you can have peace of mind in knowing that this issue will be taken care of properly.
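
One way to validate the fix across the directories listed above on your own site, as an added example that is not part of the plugin. The function names, the "Index of /" signature check for Apache's listing page, and the sample responses are assumptions constructed for this example.

```python
import re
import urllib.error
import urllib.request

# Directories listed on this page, relative to the site root.
WP_DIRS = [
    "/wp-admin/includes/", "/wp-admin/js/", "/wp-admin/includes/js",
    "/wp-includes/js/", "/wp-content/upgrade/", "/wp-content/plugins/",
    "/wp-content/themes/", "/wp-includes/", "/wp-includes/theme/",
    "/wp-includes/widgets/",
]

# Apache's generated listing puts "Index of /path" in the title and h1.
AUTOINDEX_RE = re.compile(r"<(title|h1)>\s*Index of /", re.IGNORECASE)

def is_listing(status, body):
    """True only for a 200 response whose body looks like an Apache index."""
    return status == 200 and bool(AUTOINDEX_RE.search(body))

def http_fetch(url):
    """Return (status, body); HTTP error codes are results, not failures."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def audit(base_url, fetch=http_fetch, dirs=WP_DIRS):
    """Return the directories of your own site that still show a listing."""
    base = base_url.rstrip("/")
    return [d for d in dirs if is_listing(*fetch(base + d))]

# Constructed sample responses so the check can be exercised offline.
SAMPLE_LISTING = ("<html><head><title>Index of /wp-includes/js</title></head>"
                  "<body><h1>Index of /wp-includes/js</h1>"
                  '<a href="/wp-includes/">Parent Directory</a></body></html>')
SAMPLE_BLOG_POST = "<html><title>Blog</title><p>Index of /tmp explained</p></html>"

def fake_fetch(url):
    """Constructed stand-in for a site where only two directories are safe."""
    if url.endswith("/wp-content/plugins/"):
        return 200, ""  # constructed: an index file answers with an empty page
    if url.endswith("/wp-content/themes/"):
        return 403, "Forbidden"
    return 200, SAMPLE_LISTING

if __name__ == "__main__":
    for path in audit("http://www.yourdomain.com", fetch=fake_fetch):
        print("listing still enabled:", path)
```

Calling audit() with only your site's address uses the real http_fetch; an empty result means none of the listed directories returned an index page.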