WordPress Security Tips, Part 3 – Security Configurations

Heads up – Depending on your webserver’s configuration, activated plugins and/or themes, the following could break some functionality. It is strongly advised to try out any configuration in a testing/staging environment before changing any configuration on production servers.

Prevent Directory Listing

Directory listing occurs when the web server does not find an index file (e.g. index.php or index.html) in a requested directory. If directory listing is turned on, the server will then display an HTML page listing the contents of that directory.

[Figure: Directory Listing in Apache HTTP Server on a WordPress site]

Disclosure of this information could make a site vulnerable to attacks by revealing information that can be used by an attacker seeking to exploit a vulnerability in a WordPress plugin, theme, or even the web server itself.

While it is not a WordPress-specific security measure to disable directory listing, several WordPress sites running on default installations of Apache HTTP Server have directory listing enabled.

In order to disable directory listing in Apache HTTP Server, you will need to add the following configuration in your WordPress site’s .htaccess file (this is usually located in your website’s root directory).

Options -Indexes
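
As an added example (not part of the original article), the Python sketch below reads the text of an .htaccess file and reports whether directory listing ends up off, on, or inherited once its Options lines are applied. The function name and the sample file contents are constructed for illustration, and the check looks at Options lines only, without interpreting any enclosing sections.

```python
import re

# An Apache "Options" directive; directive and option names are case-insensitive.
OPTIONS_RE = re.compile(r"^Options\s+(.+)$", re.IGNORECASE)

def indexes_state(htaccess_text):
    """Return 'off', 'on', 'inherited' or 'invalid' for directory listing.

    'inherited' means no Options line in this file touches Indexes, so the
    value comes from a parent directory or the main server configuration.
    """
    state = "inherited"
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        match = OPTIONS_RE.match(line)  # comment lines start with '#', so never match
        if not match:
            continue
        tokens = match.group(1).split()
        relative = [tok[0] in "+-" for tok in tokens]
        if any(relative) and not all(relative):
            return "invalid"  # Apache 2.4 rejects mixing +/- options with bare ones
        if all(relative):
            # +/- options are merged into whatever is already in force
            for tok in tokens:
                if tok[1:].lower() == "indexes":
                    state = "on" if tok[0] == "+" else "off"
        else:
            # bare options replace the whole set: Indexes is on only if listed (or All)
            names = {tok.lower() for tok in tokens}
            state = "on" if names & {"indexes", "all"} else "off"
    return state

# Constructed sample: a typical WordPress rewrite block plus the line from the article.
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Options -Indexes
"""

if __name__ == "__main__":
    print(indexes_state(SAMPLE_HTACCESS))
```

The result describes the file only: with AllowOverride None Apache ignores .htaccess entirely, and if overrides are enabled but Options is not among them the directive causes a 500 error.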

In Part 4 of our WordPress Security series we’ll be discussing WordPress Security Keys.

Read the previous article in the Series on WordPress Security – Plugins and Themes

  • A good series of articles.

    Not sure if there’s some formatting problem on this post, but I can’t see the details that you refer to:

    “…add the following configuration in your WordPress site’s .htaccess file…”

    What is it that needs to be added to .htaccess?
