Block Directory Browsing stops Apache from generating an index page when someone visits a directory that doesn’t have an index.php or index.html. Instead of seeing a list of every file in wp-content/uploads/2024/03/, visitors get a 403 Forbidden.
What this feature does
By default, Apache lists the contents of any web-accessible directory that doesn’t contain an index file. WordPress puts a tiny index.php in wp-content/ and wp-includes/ for this reason, but the protection isn’t universal: wp-content/uploads/… typically has no index file, and neither do most plugin and theme directories.
Without protection, anyone visiting https://yoursite.com/wp-content/uploads/2024/ sees a list of every file you’ve uploaded. That’s a privacy leak (private PDFs, draft images), an information leak (filenames hint at internal processes), and an aid to attackers who want to enumerate plugin versions.
This setting writes a one-line .htaccess rule that disables directory listing for the entire site. Requests to a directory without an index file return 403 Forbidden.
How to enable it
- Open AdminEase › Security. Click AdminEase in the WordPress admin menu, then switch to the Security tab.
- Toggle Block directory browsing on. Save settings.
- Verify. Visit https://yoursite.com/wp-content/uploads/ in a browser. You should see a 403 Forbidden instead of an HTML list of folders.
This is one of the cheapest security improvements you can make. There’s no downside: anyone who needs a specific file (like an image embedded in a post) accesses it by its full URL, not by listing the directory. Listing only ever helps attackers.
Settings reference
| Setting | What it does | Default |
|---|---|---|
| Block directory browsing | Adds Options -Indexes to .htaccess, disabling Apache’s automatic directory listings site-wide. | Off |
What gets written to .htaccess
# BEGIN AdminEase
Options -Indexes
# END AdminEase
The Options -Indexes directive tells Apache to stop generating directory listings. It applies to every directory under the document root unless individually overridden by another .htaccess file deeper in the tree.
What happens behind the scenes
This is one of the simplest security settings. AdminEase writes the directive into a managed block in your .htaccess file. Anything outside the AdminEase block is left untouched.
Most well-managed hosts already disable directory browsing at the server level. If yours does, this setting has no additional effect (which is fine). If it doesn’t, this setting closes the gap.
Troubleshooting
I’m on Nginx and the rule doesn’t apply
Nginx handles directory listing separately and disables it by default. You don’t need this setting on Nginx; the protection is already in place.
A specific directory still shows a listing
Check whether that directory has its own .htaccess file with Options +Indexes, which would override the site-wide setting. Remove or modify that override.
I want to allow listing for one specific directory
Add a .htaccess file inside that directory containing Options +Indexes. The directive deepest in the tree wins.
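The override behaviour in the last two items can be audited across a whole site. The following Python sketch is an added example, not part of AdminEase or the original page: it walks a document root, applies each .htaccess Options line in parent-to-child order, and reports the directories Apache would still serve as a listing. It assumes listings are on in the main server config (`server_default`), treats index.php and index.html as the index files, and ignores AllowOverride and section containers; all function names are hypothetical.

```python
import os
import re
import tempfile

OPTIONS_RE = re.compile(r"^[ \t]*Options[ \t]+(.+)$", re.IGNORECASE | re.MULTILINE)

def apply_htaccess(text, state):
    """Return the Indexes state (True = listings on) after one .htaccess file."""
    for args in OPTIONS_RE.findall(text):      # '#' comment lines never match
        tokens = args.lower().split()
        if any(t[0] in "+-" for t in tokens):  # signed: merge with inherited state
            for t in tokens:
                if t in ("+indexes", "-indexes"):
                    state = t[0] == "+"
        else:                                  # unsigned: replaces inherited options
            state = "indexes" in tokens or "all" in tokens
    return state

def exposed_dirs(docroot, server_default=True, index_names=("index.php", "index.html")):
    """Dirs Apache would list; server_default and index_names are assumptions."""
    state, exposed = {}, []
    for path, _dirs, files in os.walk(os.path.abspath(docroot)):  # parents first
        on = state.get(os.path.dirname(path), server_default)
        if ".htaccess" in files:
            with open(os.path.join(path, ".htaccess"), errors="replace") as fh:
                on = apply_htaccess(fh.read(), on)
        state[path] = on
        if on and not any(name in files for name in index_names):
            exposed.append(os.path.relpath(path, docroot))
    return sorted(exposed)

def demo():
    """Audit a constructed sample tree: AdminEase block at the root, one override."""
    files = {
        ".htaccess": "# BEGIN AdminEase\nOptions -Indexes\n# END AdminEase\n",
        "wp-content/index.php": "<?php // Silence is golden.\n",
        "wp-content/uploads/2024/03/report.pdf": "",
        "wp-content/uploads/shared/.htaccess": "Options +Indexes\n",
        "wp-content/uploads/shared/old/notes.txt": "",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(body)
        return exposed_dirs(root)

if __name__ == "__main__":
    print(demo())
```

In the constructed tree, only wp-content/uploads/shared and its subdirectory are reported, because the deeper Options +Indexes re-enables what the root block turned off.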
Apache returns “Internal Server Error” after enabling
Some hosts disable the Options directive in their global Apache config (AllowOverride None or AllowOverride not including Options). In that case, AdminEase’s rule causes a 500 error. Either remove the Options directive (toggle this feature off) or ask your host to allow Options overrides in .htaccess.
