How To Protect Your Website by Blocking Directory Browsing Using .htaccess
Potential Hackers Have Been Scanning For Directory Files
After a quick review of our recent website traffic, we noticed hits on pages that don't exist on our website. This means someone is probing for pages that could give them access to information we would rather they not have, like a listing of the images in our media library or the .php files in our include folder. There is a very simple fix to prevent this kind of accidental exposure. Noticing these visitors sniffing around our website was a reminder to double-check that directory indexing is blocked on all of our sites, and to write a quick tutorial for anyone interested in protecting their own.
What it looks like when you allow “directory browsing”:
If you have a folder on your website hosting account that doesn't contain an index file (for example index.php or index.html; exactly which filenames count depends on the server's DirectoryIndex setting), this is what your website displays. When no index file is present and directory indexing is enabled, Apache's default is to generate a list of the items inside the folder, with links to open each one. MOST of the time, this is NOT what we want to happen. I'll get into why later on.
What it looks like when you block access to “directory browsing”:
This is what the same page looks like after you implement the fix. Instead of showing you the contents of the folder, the server returns a 403 Forbidden error page saying you aren't supposed to be here and the contents of this folder are not being shared. The error page is customizable if you choose (Apache's ErrorDocument directive), but this is the default message. Much better than sharing all your files.
How To Block Directory Access:
1) Locate the .htaccess file in your root directory and make a backup copy
You can implement this fix at the folder level if you want to allow directory browsing in some folders and not others, because a .htaccess file applies to its own folder and everything below it. Our preference is to block index browsing at the root level, which protects your entire website. Note that .htaccess is an Apache feature: if your host serves your site with nginx or IIS, the file is ignored and the equivalent setting has to be made in that server's configuration. Once you've located the .htaccess file in your root directory, make a copy somewhere separate and safe. Any time you are editing your .htaccess files, the first step is to ALWAYS make a backup copy somewhere safe.
2) Open your .htaccess file and add this line:
Options -Indexes
You will often see this written as "Options All -Indexes", but that form also switches ON every other option (ExecCGI, Includes, FollowSymLinks and so on) for the whole site, which is more than you want and may be refused by hosts that restrict which options .htaccess can set. "Options -Indexes" only turns off directory listing and leaves everything else as your host configured it.
There will likely be other existing code in your .htaccess file. You want to be very careful not to change any of it. Simply add the above line below the existing code, on a new line. Use a plain text editor or a code editor that will not add any accidental formatting or other content to your file. When you save, be sure that the file is saved as .htaccess and that no extra file extension is added. (Ex: .htaccess.txt – if this happens, rename the file to remove the .txt extension.)
3) Upload/Overwrite your .htaccess file with the one you’ve just edited
You will now want to replace the .htaccess file in your root directory with the file you've just edited and saved. Generally you will be using your favorite FTP client (we love FileZilla), or the file manager provided by your hosting account control panel; since .htaccess is a hidden "dotfile", you may need to turn on "show hidden files" to see it. After updating your .htaccess file, check your website to make sure everything is still working correctly and that your directory pages now show the 403 error instead of a listing. If the whole site suddenly returns a 500 Internal Server Error, your host does not allow the Options directive in .htaccess: restore your backup copy and ask them to disable indexing in the server configuration instead.
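The three steps above as a small script, added here as an example and not part of the original post: it backs up and appends to the .htaccess in a given document root, and it provides a check that tells you whether a directory URL is still exposing a listing. It assumes an Apache host that allows the Options directive in .htaccess and that curl is installed for the live check; the DOCROOT path and the URLs are placeholders you supply.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes Apache (the only
# server that reads .htaccess), AllowOverride permitting "Options" in
# .htaccess, and curl available for the live check.

# Step 1 + 2: back up the existing .htaccess (if any) in the given
# document root and append the hardened directive to it.
# "Options -Indexes" only removes directory listing; "Options All -Indexes"
# would also switch ON every other option (ExecCGI, Includes, ...).
write_htaccess() {
  docroot="$1"
  if [ -f "$docroot/.htaccess" ]; then
    cp "$docroot/.htaccess" "$docroot/.htaccess.bak"
  fi
  printf '\n# Disable directory listing for this folder and everything below it\nOptions -Indexes\n' \
    >> "$docroot/.htaccess"
}

# Does an HTTP response body look like an Apache auto-generated index page?
# Apache titles these "Index of /path" and links back to "Parent Directory".
looks_like_listing() {
  printf '%s' "$1" | grep -qiE 'Index of /|Parent Directory'
}

# Step 3 check: classify a status code + body pair.
#   exposed  = 200 with a listing body (the fix is not in effect)
#   blocked  = 403, the expected result after the fix
#   other    = anything else, e.g. 500 when the host rejects the directive
classify() {
  status="$1"
  body="$2"
  if [ "$status" = "200" ] && looks_like_listing "$body"; then
    echo "exposed"
  elif [ "$status" = "403" ]; then
    echo "blocked"
  else
    echo "other ($status)"
  fi
}

# Live check: fetch each directory URL and print a verdict per URL.
# Usage: sh check.sh https://example.com/images/ https://example.com/includes/
check_dirs() {
  for url in "$@"; do
    tmp=$(mktemp)
    status=$(curl -s -o "$tmp" -w '%{http_code}' "$url")
    printf '%s %s\n' "$url" "$(classify "$status" "$(cat "$tmp")")"
    rm -f "$tmp"
  done
}

# Only hit the network when URLs are given on the command line.
if [ "$#" -gt 0 ]; then
  check_dirs "$@"
fi
```

Run write_htaccess against a copy of your site first, then point check_dirs at the folders you care about (media uploads, includes, plugin directories); every line should read "blocked".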
Why Block Directory Browsing?
Why would you want to block access to the contents of your website folders? Because maybe you don't want to offer someone the ability to browse through a list of all the images you use on your website. Maybe you have a PDF or other valuable resource available as a download, and you only send the link to specific people; an unblocked media directory page lets anyone find it. Or maybe you don't want hackers or lookie-loos to be able to browse through your code files or see which plugins you are running. Why is this information worth protecting? With a list of the plugins and code you use (and their versions), it's much easier for an attacker to look up known exploits for them. It also opens the possibility of competitors learning your "trade secrets" by working out which services, plugins and code give your website its competitive advantage.
In general, we are not advocates of being fearful of hackers or competitors, but it's good to be prudent and take easy security and privacy precautions. Especially when they are this easy to implement.