It’s a problem known as ‘directory browsing’ (also called directory listing), and there’s a chance your WordPress website is susceptible to it. It happens when someone copies the link to a JavaScript file or an image on your website, trims it back to the folder the file sits in, pastes that into their browser, and instead of the file sees a listing of the parent directory.
This in turn allows a hacker, or a very nosy person, to examine every file in that directory, which could lead to big problems later on. For example, if a hacker finds an outdated plugin in your plugins folder, they might be able to exploit that plugin’s weak code to hack your site, even if the plugin is deactivated.
Question: How would my site allow this?
Answer: Directory browsing is something that has to be turned off in your server configuration. If you’re on a shared host or you’ve set up your own server, there’s a good chance directory browsing is enabled by default (see the list of web hosts that allow this by default at the end of the article).
This is also a potential SEO problem: we’ve discovered that sites with directory browsing enabled had images and other files indexed by Google even though they were never linked from anywhere. If you’re hoping to optimize your WordPress SEO, fixing this might be one tactic that helps you achieve that goal. There’s a concept in SEO known as ‘crawl allowance’ or ‘crawl budget’, which essentially means that a search engine budgets only limited time and resources to crawl the content on a website. The engines have admitted to this over the years, and it’s an obvious thing for them to do for economic reasons. While all engines most likely have a crawl budget of some sort, none has ever admitted to crawling directory listings, and they might even say that if you see it happening it’s an anomaly. When a directory isn’t protected and is open to browse, instead of a web page being shown by your browser (or its code being read by a bot), the server shows a list of the items in the directory with links to each of them. This can lead a search engine to crawl far too many documents on your site and index them.
If you don’t have access to the server software such as Apache, you could potentially disable directory browsing by uploading an index.html or index.php file to each directory. However, WordPress creates a new uploads folder for each year and month by default, so to keep directory browsing turned off you would need to remember to upload an index file to every newly created directory. You’d also need to do this pretty much any time you install a new plugin.
Not only is this really mundane and repetitive, it might also lead a search engine to add your index file to its search results index and return to crawl it over and over again. There are of course ways to handle that potential problem with code too, but none that resolve the repetitive mundaneness of the task.
If you’re on an Apache server, you are in luck. There is a simple way to handle this problem with just a single line of configuration.
Simply copy this line:

```apache
Options All -Indexes
```

and paste it at the top of your .htaccess file, then save the file.
This will display a 403 Forbidden error instead of allowing users, bots, search engines, hackers, blackhat SEOs or nosy people to dig through your directory structure, helping provide a little additional security (by obscurity) and a little SEO boost.
You can find your .htaccess file in cPanel’s File Manager in the root of the domain for the website you’re working on.
OR
If you’re using the Yoast SEO plugin, you can edit it under Yoast -> Tools -> File Editor.
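Both methods above (an index file in every directory, and the `-Indexes` option in .htaccess) are easy to automate. The POSIX shell script below is an added example written for this article, not code from the original post or from WordPress or Apache: it drops a placeholder index.php into every directory under a given root that has no index file, prepends `Options -Indexes` to a .htaccess file unless it is already there, and offers a small check that tells whether a saved HTTP response body is an Apache directory-listing page, so you can confirm the fix took effect. The function names, the paths and the sample files in the demo are assumptions; the placeholder contents match the two-line index.php WordPress itself ships in wp-content.

```shell
#!/bin/sh
# Added example (not from the original article): automate the two
# directory-browsing fixes described above and verify the result.
# Function names, paths and the demo tree are assumptions.

# 1. Per-directory method: create index.php in every directory under $1
#    that has neither index.php nor index.html. Prints each path created.
add_index_placeholders() {
    root="$1"
    find "$root" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            # Same placeholder WordPress ships in wp-content/index.php.
            printf '%s\n' '<?php' '// Silence is golden.' > "$dir/index.php"
            printf '%s\n' "$dir/index.php"
        fi
    done
}

# 2. Apache method: put "Options -Indexes" on the first line of the
#    .htaccess file at $1 (creating it if absent) unless an Options line
#    already turns Indexes off. Prints "added" or "present".
ensure_no_indexes() {
    htaccess="$1"
    if [ -f "$htaccess" ] && grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$htaccess"; then
        echo present
        return 0
    fi
    scratch="$htaccess.tmp.$$"
    {
        echo 'Options -Indexes'
        if [ -f "$htaccess" ]; then cat "$htaccess"; fi
    } > "$scratch"
    mv "$scratch" "$htaccess"
    echo added
}

# 3. Verification: exit 0 if the file at $1 is an Apache autoindex page.
#    mod_autoindex titles these pages "Index of /<path>".
looks_like_listing() {
    grep -Eq '<title>Index of /' "$1"
}

# Demo on a constructed tree (run as: sh harden.sh --demo).
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/uploads/2024/01"
    add_index_placeholders "$demo/wp-content"   # lists each index.php made
    ensure_no_indexes "$demo/.htaccess"         # prints "added"
    rm -rf "$demo"
fi
```

The script writes `Options -Indexes` rather than the article's `Options All -Indexes`: `All` also switches on every other option Apache offers (ExecCGI, Includes, FollowSymLinks and so on), which is more than this fix needs. On hosts whose Apache configuration does not grant `AllowOverride Options`, any `Options` line in .htaccess makes the server answer 500 Internal Server Error for the whole site, so test the change immediately and remove the line (falling back to the index-file method) if that happens. To check a directory after the change, save its response body and run the check, for example `curl -s https://example.com/wp-content/uploads/ > body.html && looks_like_listing body.html && echo 'still listing'` (example.com stands in for your own domain).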
Web Hosts Known to Allow Directory Browsing by Default
These are popular web hosts which, in our experience, allow directory browsing by default. Have more? Let me know in the comments.
- HostGator
- InMotion
- MediaTemple
- BlueHost
- GoDaddy
- Dreamhost
- TsoHost
Web Hosts Known to Stop Directory Browsing by Default
There is only one web host we are aware of that disables directory browsing automatically:
- SiteGround