A common WordPress configuration error is permitting directory listing (also known as directory browsing). Unless you have a specific use case that requires directory listing, it should be disabled, as it is an information disclosure vulnerability.

All web servers resolve a request for a folder in a specific order. If an index / default file is present in the folder the browser requests, the web server renders it. Examples of index / default files are index.htm, index.html, index.php, home.html etc. If none of the predefined index / default files is present, the web server will render a directory listing unless it is configured not to do so. Below is an example of what happened when I went to the wp-includes directory by typing http://<ServerIP>/wp-includes on an Apache web server.

Naturally you do not want visitors to see this listing. Firstly, it is not good to look at, and secondly, it provides information that could be used by hackers to compromise your WordPress instance.

Hide Directory Listing in Apache with a PHP File

On the same server that I am using to demonstrate this post, if I navigate to http://<ServerIP>/wp-content, which is a valid WordPress path, I am presented with a blank screen. Navigating to the wp-content folder on my server I can see that an index.php file has been included there, which is what the web server is rendering. If I look at the contents of that file, it simply has the following text:

<?php
// Silence is golden

This is basically a blank PHP document with a comment inserted by the WordPress team: ‘Silence is golden’. See the screen clipping below for the details.

If you want the same effect on the wp-includes directory, you can get it by simply copying the index.php file from wp-content to wp-includes with the following command:

sudo cp /var/www/html/wp-content/index.php /var/www/html/wp-includes

In this instance I am running WordPress in the Apache document root on Ubuntu. If you are running WordPress in a sub-directory, amend the file paths accordingly.

If you have installed plugins etc. that create new folders in the WordPress root directory (the directory containing the folders wp-admin, wp-content and wp-includes), you need to perform the same step for any such directory that has no index / default file.

Finally, from a security perspective the directory listing is now closed off, but from a usability perspective you may want to create an HTML or PHP page with an image or some sort of navigation to get the user back to your home page, assuming of course they reached your folder listing by accident.
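The copying step above, generalised to every directory under the document root. This is an added example, not code from the original post; it assumes the /var/www/html path used in the post, and the list of default-file names is an assumption that you should align with your server's DirectoryIndex directive.

```shell
#!/bin/sh
# Added example, not from the original post: give every directory under a
# WordPress document root a "Silence is golden" index.php if it has no
# index/default file, so Apache never falls back to a directory listing.
# The list of default-file names below is an assumption; align it with
# the DirectoryIndex directive of your own server.

# Exit status 0 if directory $1 already contains an index/default file, 1 otherwise.
has_index_file() {
    d="$1"
    for name in index.php index.html index.htm home.html; do
        [ -f "$d/$name" ] && return 0
    done
    return 1
}

# Walk $1 (the root itself included), create the stub index.php wherever it
# is missing, and print the path of each directory that was fixed.
# Running it a second time prints nothing, since every directory is covered.
silence_tree() {
    root="$1"
    find "$root" -type d | while IFS= read -r dir; do
        if ! has_index_file "$dir"; then
            printf '<?php\n// Silence is golden\n' > "$dir/index.php"
            printf '%s\n' "$dir"
        fi
    done
}

# Usage: sh silence.sh /var/www/html   (path as in the post; adjust for a sub-directory install)
if [ $# -gt 0 ]; then
    silence_tree "$1"
fi
```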

Disabling Directory Listing on Apache

You can also accomplish this by disabling the feature in Apache itself, if that is the web server you are running. Edit /etc/apache2/apache2.conf and amend it as per the example below. Note that you remove Indexes from the Directory section of the configuration file.
