How to prevent directory listing using .htaccess
What is directory listing ?
When you access any directory on your server which does not contain an index.html or index.php file, your web browser will display a list of all the files in that directory. Apache web server usually enables directory listing by default.
Why is it important to disable directory browsing?
For example: If you have a directory called “impfiles” on your server which contains important files, you obviously wouldn’t want your visitors to browse through them.
Prevention from hack attacks
Allowing directory listing also makes your website vulnerable to hack attacks. I would recommend everyone to disable directory listing, especially when you have a wordpress website. Attackers can easily gather important information and weaknesses of your website which could allow them to attack your web server.
Here’s the best way to prevent directory listing or directory browsing with .htaccess (hypertext access) file
Download existing .htaccess file from your server
Login to your web server via your favorite FTP client, I use FileZilla.
If you use FileZilla there is a possibility that your .htaccess file will be hidden. To view .htaccess file in FileZilla
Click on ‘server’ from top menu and select Force showing hidden files”
Once you login and locate the .htaccess file (it will be in the root folder) , download it on your computer and open it using any ASCII text editor like notepad, wordpad etc
If .htaccess file doesn’t exist on your server, you can easily create one.
- How to create .htaccess file ?
Open a new notepad file and save as “htaccess” .txt
Upload htaccess.txt file on your server via FTP and rename the file “.htaccess” (Notice the DOT at the beginning of the file)
Once you successfully create .htaccess file, download the same on your computer.
- Open the .htaccess file using your favorite text editor add the following snippet to disable directory listing
You can also use
- Note: * represents a wildcard and will restrict all the files within that folder from getting listed
In a scenario where you just need to restrict specific file types.
For example .ZIP or TXT file
Use below snippet to tell Apache web server to prevent listing of zip and txt file type
IndexIgnore *.zip *.txt
If directory listing is disabled and you wish to enable it, use below snippet.
Save, Upload and Test
Now save your .htaccess file and upload it to your web server via FTP
Once you have uploaded your .htaccess file make sure you check your website thoroughly, .htaccess file controls what server does to your website and one mistake can break your entire site. If in case something went wrong, simply delete your .htaccess file from your web server.