If you’ve ever visited a URL that leads to a directory that does not have an index file, you’ve probably seen a list of the files in the directory. That means indexing is turned on for that online folder.
That is the default configuration for most web servers. In most cases, though, we don’t want to display the contents of a directory. Listing our files like that is a breach of privacy. But worse, it can be a security risk.
So let’s prevent it from happening on our sites. In this tutorial, I’m going to show you how to disable directory listing using cPanel.
There are a couple of different ways to turn off directory indexing using cPanel. We’ll start with configuring the indexes directly.
Disable Directory Listing in cPanel
Log in to cPanel.
In the “Advanced” section, click the “Indexes” link or icon.
You’ll see the directory structure for your website.
To enter a directory, click the folder icon.
To configure a directory—to turn indexing on or off—click the directory name.
In this tutorial, we’re going to turn indexing off for only one directory. So we’ll click the folder icon for public_html.
Once we’re in the public_html directory, we’ll click the name of the directory where we want to turn off indexing.
Select the “No Indexing” option and click the “Save” button.
The other available options:
- Default System Indexing is the default set by your hosting provider. It could be on or off.
- No Indexing disables directory listing. That’s what we’re doing in this tutorial.
- Standard Indexing allows directory listing. This makes the names of the files and directories visible to visitors.
- Fancy Indexing also allows directory listing, showing visitors file descriptions in addition to the file and directory names.
The success message should say, “…indexes are now: Off”
Now if you go to the URL, instead of a file list you should see a 403 error.
Using cPanel File Manager to Disable Directory Listing in cPanel
Our destination here is the same as the previous method, but we’re taking a different route to get there. If you work in the cPanel File Manager a lot, you may prefer this method.
In the “Files” section of cPanel, click the “File Manager” link or icon.
You want the directory name to be in the right pane. So for our example, we click “public_html” in the left pane to get our “demo” directory listed in the right.
Click the directory name to select it, then right-click. Mac users may use CMD+click to open this list.
From the drop-down menu, select “Manage Indices.”
Now we’re back at the same “Indexes” page that we saw in the first method.
Select the “No Indexing” option and click the “Save” button.
Is It Really Dangerous to Allow the Listing of Files in a Directory?
Not always.
There are situations where you may want to allow public access to a list of files, though using directory listing to expose file names and links is less common than it used to be.
Modern websites will usually format downloadable file lists to match the layout of the site.
In the example here, I listed the contents of a directory that contained images. That in and of itself is not a security risk. All it allows is the downloading of the images.
Where we run into potential problems is when we allow the listing of more sensitive files.
Listing files for an application written in PHP or a similar language, where configuration or included files might be stored in a publicly accessible directory, could make your site (or even your server) vulnerable.
A WordPress configuration file, for example—the wp-config.php file—contains everything someone would need to access your database. And it’s all there in plain text. Files like those should obviously be kept from view.
But others, like include files, can contain “clues” that could make your site more vulnerable to hacking.
An Ounce of Prevention…
Best practices tell us not to store those kinds of configuration files in public directories, but it’s something that most of us are guilty of doing. I mean, WordPress does it, so how bad could it be, right?
Even if we don’t do it on purpose, there are ways we can inadvertently expose sensitive files, so turning directory indexing off everywhere there’s the potential for a problem can’t hurt.
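To confirm the 403 result on every directory of your own site rather than just one, this added example (not part of the original tutorial) walks a local copy of public_html for directories that have no index file and classifies what each URL returns. The index file names and the "Index of /" title marker assume Apache defaults, and the function names are illustrative.

```python
import os
import re
import urllib.error
import urllib.request

# Assumption: common DirectoryIndex names; your server's list may differ.
INDEX_FILES = {"index.html", "index.htm", "index.php"}
# Apache's generated listings (standard and fancy) are titled "Index of /path".
LISTING_RE = re.compile(r"<title>\s*Index of /", re.IGNORECASE)
# Constructed sample of a listing page, for trying classify() offline.
SAMPLE_LISTING = "<html><head><title>Index of /demo</title></head><body></body></html>"

def dirs_without_index(docroot):
    """Return URL paths of directories under docroot that have no index file."""
    found = []
    for current, _subdirs, files in os.walk(docroot):
        if INDEX_FILES.isdisjoint(files):
            rel = os.path.relpath(current, docroot).replace(os.sep, "/")
            found.append("/" if rel == "." else "/" + rel + "/")
    return sorted(found)

def classify(status, body):
    """Label one response: 'listing', 'blocked' (the 403 we want) or 'other'."""
    if status == 200 and LISTING_RE.search(body):
        return "listing"
    if status == 403:
        return "blocked"
    return "other"

def fetch(url):
    """GET a URL and return (status, body) without raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(65536).decode("utf-8", "replace")

def audit(base_url, docroot, fetcher=fetch):
    """Map each index-less directory of your own site to its classification."""
    return {path: classify(*fetcher(base_url.rstrip("/") + path))
            for path in dirs_without_index(docroot)}

if __name__ == "__main__":
    import sys  # usage: python audit.py https://your-site.example /path/to/public_html
    for path, verdict in audit(sys.argv[1], sys.argv[2]).items():
        print(f"{verdict:8} {path}")
```

Any directory reported as "listing" still has indexing turned on and needs the “No Indexing” setting.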
Have you ever checked your directory indexing? Are there cases you can think of where you would purposely want to list files in a directory?