Q: How do you keep people from stealing your reports, images, and other files you have stored on your hosting server?
A: By disabling access to your website's directory.
If you have shared hosting, many of your files are open to inspection by anyone who has an interest.
This includes files you are using for redirects, images, PDFs, etc.
The first reason to disable directory browsing is privacy, of course, but it also helps protect your site against hackers: it hides the list of your files, making you less vulnerable to attack. You are more susceptible to hackers if they can see your themes, plugins, etc. Often hackers are looking for a particular theme or plugin because they have already found a way to exploit it.
The directory listing is the default page the web server will show for a folder if you don't have an index file directing otherwise. Here is a sample of what a directory tree of your website will look like.
How to Disable Directory Browsing in cPanel
This works like a charm for your shared hosting with cPanel.
Step 1.
Log in to your cPanel
Step 2.
Click on Index Manager
Step 3.
The directory tree will display. Select what level or folder you want disabled.
If you want to disable the entire site then select “Up One Level” and select the domain.
Step 4.
Select No Index and SAVE.
Step 5.
That should do it. Now when someone tries to access your files they will see a “403 Forbidden” HTTP status code notice that will tell the user your files are not accessible.
.htaccess Method to Disable Directory Website Listings for Blogs
If you don’t mind altering files, you can simply add one line to your .htaccess file.**
Step 1.
Log into your hosting or connect via FTP.
Step 2.
Download the .htaccess file.
Step 3.
Open in a plain text editor.
Step 4.
Just add this line at the bottom.
Options -Indexes
Step 5.
Upload the new .htaccess file.
With many hosting companies you can do the edit online with your hosting company's editor.
**Cautionary Note when Messing with Files
I always save the old file under a different name by adding a prefix – just in case I screw up. Which I tend to do from time to time.
For example, I would save the old .htaccess file as OLD010214htaccess. Now you have recorded the date of the change as well as knowing I have a working backup.
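
The .htaccess steps and the backup habit above can be scripted where you have file access to the account. This is an added example, not part of the original post: the function names are hypothetical, the backup name assumes OLD010214htaccess means OLD + MMDDYY + htaccess, and only top-level Options lines are inspected (not ones nested in container blocks).

```python
import shutil
import tempfile
from datetime import date
from pathlib import Path

DIRECTIVE = "Options -Indexes"  # the line the page says to add


def indexes_state(text):
    """True/False if an Options line turns Indexes on/off, None if none mentions it."""
    state = None
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].lower() != "options":
            continue  # also skips "#..." comment lines
        opts = [w.lower() for w in words[1:]]
        if any(o[0] not in "+-" for o in opts):
            # An absolute list replaces whatever was set before it.
            state = "indexes" in opts or "all" in opts
        elif "+indexes" in opts:
            state = True
        elif "-indexes" in opts:
            state = False
    return state


def disable_indexes(htaccess, today=None):
    """Back up the file and append DIRECTIVE. Returns (changed, backup_path)."""
    htaccess = Path(htaccess)
    text = htaccess.read_text() if htaccess.exists() else ""
    if indexes_state(text) is False:
        return False, None  # listing already off: leave the file alone
    backup = None
    if htaccess.exists():
        # Assumption: the page's OLD010214htaccess name is OLD + MMDDYY + htaccess.
        stamp = (today or date.today()).strftime("%m%d%y")
        backup = htaccess.with_name(f"OLD{stamp}htaccess")
        shutil.copy2(htaccess, backup)
    if text and not text.endswith("\n"):
        text += "\n"
    htaccess.write_text(text + DIRECTIVE + "\n")
    return True, backup


if __name__ == "__main__":
    # Constructed sample file, written to a temporary directory.
    sample = Path(tempfile.mkdtemp()) / ".htaccess"
    sample.write_text("RewriteEngine On\nOptions +Indexes\n")
    print(disable_indexes(sample, date(2014, 1, 2)))
    print(sample.read_text())
```

Running it a second time on the same file makes no change, so the directive is never appended twice and the dated backup is not overwritten with an already-edited copy.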