I recently discovered that a few of my websites had an open directory security hole, and that if you are using the content management system WordPress, your website has this vulnerability too. I decided to patch this hole by disabling directory browsing, and in this article I will show you how to do it. This tutorial is written for those who are on WordPress and hosted by HostGator, and it includes the latest information for the new, updated HostGator control panel.
Why did I decide to do this tutorial?
I decided to create this guide because all the other guides I found either did not have the information needed or showed the old, outdated HostGator cPanel. The interface has changed since then, so most of the other tutorials will definitely confuse you. So if you are using HostGator as a host with WordPress, this tutorial is for you.
For those with another host, you can still follow the guide, but you will have to find the equivalent options in your host's cPanel or on the server that hosts your content.
The Issue with Open Directory on your WordPress website
With an open directory on your website, anyone with the know-how can view your wp-includes or wp-content folder, which can spill private data about your website that attackers can use to breach it. So it's a smart idea to disable open directories and make it that much harder for attackers to break into your website.
How to Disable Directory Browsing on WordPress website hosted by HostGator?
1. To check if your website is exposed, type MyWebsite/wp-includes/ into the browser and load it, with MyWebsite being your actual website. If you see a page with a bunch of links, then you have the open directory security hole. However, if you are covered, the page should load a 403 Forbidden page, be blank, or show anything else but your entire directory.
2. If you are exposed, log into your HostGator cPanel. The cPanel has been updated, and if it's been a while you will notice the new interface. Now navigate to Files and then to File Manager.
3. If you have one website on a basic plan, or you want to fix the issue for your main website, then you are where you need to be. However, if you have multiple domains, you will need to click on the public_html folder and then click on the folder with the name of the website in question.
4. Now click on Settings in the upper right, check the Show Hidden Files option and save. You will now be able to see hidden files such as .htaccess, which you could not see before because it was hidden. Now right-click on the file and download it for safekeeping in case you mess up.
5. Now here comes the fun part: right-click the file and choose Edit, and when the message appears click Edit again. Your .htaccess file is now open. Scroll down and, beneath the last line, add the following on its own line: Options -Indexes
Next, save and go back to the MyWebsite/wp-includes/ page you loaded earlier, with MyWebsite being your blog or website. You will notice this time that the directory does not load and instead gives a Forbidden error. That's it: directory browsing is now disabled.
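The check from step 1 and the edit from step 5 can also be scripted. The following is an added example, not part of the original tutorial; the function names are hypothetical and the sample responses and .htaccess text are constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Apache's generated listing pages carry a title of the form "Index of /path".
AUTOINDEX_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)
# An active (uncommented) Options line that already switches indexes off.
NO_INDEXES = re.compile(r"^\s*Options\b.*-Indexes\b", re.IGNORECASE | re.MULTILINE)

# Constructed sample responses as (status, body); not captured from a real site.
SAMPLE_OPEN = (200, "<html><head><title>Index of /wp-includes</title></head></html>")
SAMPLE_FORBIDDEN = (403, "<html><head><title>403 Forbidden</title></head></html>")
SAMPLE_BLANK = (200, "")
# Constructed .htaccess in the usual WordPress shape, with no trailing newline.
SAMPLE_HTACCESS = (
    "# BEGIN WordPress\n"
    "<IfModule mod_rewrite.c>\n"
    "RewriteEngine On\n"
    "RewriteRule . /index.php [L]\n"
    "</IfModule>\n"
    "# END WordPress"
)


def fetch(url):
    """Return (status, body) for url; error statuses such as 403 raise HTTPError."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


def listing_exposed(status, body):
    """True when the response looks like an open directory listing."""
    return status == 200 and bool(AUTOINDEX_TITLE.search(body))


def harden_htaccess(text):
    """Append 'Options -Indexes' on its own last line unless already active."""
    if NO_INDEXES.search(text):
        return text
    if text and not text.endswith("\n"):
        text += "\n"  # keep the directive on its own line
    return text + "Options -Indexes\n"
```

To check your own site, pass the result of fetch() for your wp-includes address to listing_exposed(). Because the directive lands after the # END WordPress marker, WordPress leaves it alone when it rewrites its own block.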
I messed up the .htaccess file and I am having issues with my website
No problem: simply upload the copy of the .htaccess file you downloaded earlier, before modifying the file. Click Upload in the File Manager and upload the file to replace the existing one, which should be easy. Once replaced, the backup file should return things to how they were before you modified the file.
Why can't I see my .htaccess file on the server?
As mentioned above, the .htaccess file is hidden by default, and until you set your HostGator cPanel File Manager to show hidden files you will not see it. Also, a note to those who back up the .htaccess file to a Windows PC: I have noticed that Windows tends to remove the dot from the file name. So if you need to upload it once more, upload it from the menu in the File Manager and then rename it to add the dot back in its place.
If you have any questions on how to disable directory browsing on a WordPress website hosted by HostGator, then please ask below, and do take the time to share as well as check out our other content on the website. You may also want to enable SSL on your website, as shown here for those on HostGator.