
Directory Listing Enabled
Anyone can browse your WordPress uploads folder. One line in .htaccess closes this immediately.
What is this?
When directory listing is enabled, visiting your-site.com/wp-content/uploads/ shows a web-based file browser — a complete, clickable list of every file and subfolder in your uploads directory. That includes images, PDFs, Word documents, spreadsheets, or anything else you've ever uploaded through WordPress. No login or password is required to browse it.
Why does it matter?
This is primarily a privacy issue: any documents you've uploaded to WordPress — invoices, contracts, internal files, personal photos — are publicly accessible. It also helps attackers map your site's structure. By browsing the folder tree, they can identify which plugins you use, find backup files, or locate files that reveal more about your setup. The fix is a single line that takes ten seconds to add.
How to fix it
These steps are written for shared hosting (cPanel, Plesk, or similar). If you have direct server access, see the SSH section below.
Log in to cPanel → File Manager → navigate to public_html.
Open (or create) .htaccess and add this line anywhere in the file:
Options -Indexes
Note: This single directive disables directory browsing across your entire site.
Save.
For developers / SSH access
Edit .htaccess in your site root:
nano /var/www/html/.htaccess
Add:
Options -Indexes
Note: No server restart required — .htaccess changes are immediate.
How to verify the fix
Visit your-site.com/wp-content/uploads/ in your browser. You should now see a 403 Forbidden page instead of a file listing. Re-run your scan.
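The same check from a terminal, as an added example (not part of the original page): the script name check-listing.sh and the function names are assumptions, and the sample bodies are constructed. It separates a real file listing (Apache titles these pages "Index of /…") from a 200 response that shows no listing. It also accepts several URLs, so dated subfolders can be checked too, since an .htaccess file deeper in the tree can set Options again.

```bash
#!/usr/bin/env bash
# Added example: verify that directory listing is off for the URLs you pass in.
# Usage (hypothetical script name):
#   ./check-listing.sh https://your-site.com/wp-content/uploads/ [more URLs]

# Constructed sample bodies for offline testing (not captured from a real site).
SAMPLE_LISTING='<html><head><title>Index of /wp-content/uploads</title></head><body><h1>Index of /wp-content/uploads</h1></body></html>'
SAMPLE_FORBIDDEN='<html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1></body></html>'

# classify_response STATUS BODY -> prints one verdict word
classify_response() {
  local status="$1" body="$2"
  case "$status" in
    403) echo "blocked" ;;              # expected result after Options -Indexes
    200)
      # Apache's auto-generated listing puts "Index of /<path>" in the <title>
      if printf '%s' "$body" | grep -qiE '<title>Index of /'; then
        echo "listing-exposed"
      else
        echo "no-listing"               # an index file or other page answered
      fi ;;
    *) echo "inconclusive" ;;           # redirect, 404, timeout (000), etc.
  esac
}

# check_url URL -> prints verdict, status and URL; fails if a listing is shown
check_url() {
  local url="$1" tmp status verdict
  tmp="$(mktemp)"
  status="$(curl -s -o "$tmp" -w '%{http_code}' --max-time 10 "$url")"
  verdict="$(classify_response "$status" "$(cat "$tmp")")"
  rm -f "$tmp"
  printf '%-16s %s  %s\n' "$verdict" "$status" "$url"
  [ "$verdict" != "listing-exposed" ]
}

# Only run network checks when URLs are given on the command line.
if [ "$#" -gt 0 ]; then
  rc=0
  for url in "$@"; do
    check_url "$url" || rc=1
  done
  exit "$rc"
fi
```

The script exits non-zero if any URL still returns a listing, so it can run after each deploy or from a scheduled job.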