How to stop people viewing files in a directory
I was speaking to John Lessnau via email yesterday about the WordPress plugin for LinkXL (which I am planning on reviewing soon). The site scans your website and looks for keywords etc., but it wasn't able to do it.
John then pointed to my plugin directory and said that one of the many plugins installed was conflicting with theirs. I pointed out that I didn't actually have that many plugins installed and had just tried a few out (i.e. most were not activated), but what did concern me was that everyone could see my plugins. I am not an expert with htaccess but I'm familiar with most basic techniques. I've just been lazy and not taken the time to hide my folders from the general public. Thankfully it is painfully easy to do this!
How to stop people viewing files in your directories
By default, everyone can see the files you upload to a directory (unless there's an index file). Most webmasters forget to protect their images and banners folders. I cannot criticize anyone for this as I am quite lazy in this regard too, and there really is no excuse as it's incredibly easy to stop people viewing files in your directory.
To protect a directory from listing its files, all you need to do is upload an .htaccess file to the directory with the following:
IndexIgnore *
The * is a wildcard, a catch-all that stops all files from being listed. You could of course only ban certain file types. For example, if you wanted to stop your Word documents from being listed but were happy with the graphic files being listed, you could use:
IndexIgnore *.doc
Personally, I prefer to put all information in the root .htaccess file instead of uploading separate .htaccess files to several directories. To do this, all you need to do is add the folder path, relative to the directory that holds your .htaccess file, in front of the pattern.
So for example, if I wanted to stop people viewing the plugins and themes folders in this blog, I would add this to my root .htaccess file:
IndexIgnore /wp-content/plugins/*
IndexIgnore /wp-content/themes/*
Should you be concerned about directory files being listed?
Most of the time there isn't any real harm in leaving directories open to the public, but it's probably still a good habit to protect your images, banner and video folders. At the very least it will reduce your bandwidth, but it will also stop people viewing files directly, outside of your main site.
For example, say you post a funny video on your site and it is bringing you a lot of traffic. If the directory the video is saved in can be viewed by everyone, then the video can be viewed directly, i.e. people can see the non-embedded video, which means fewer advertisements are being displayed to them, which in turn means less money for you!
Also, it goes without saying that if you have important private documents on your website then restricting them from public view is a must.
I encourage you to try this out on your site if you haven't used this before. It's very straightforward, but should you be unsure about any of this please let me know and I'll do my best to help.
Thanks,
Kevin
John Lessnau | November 1st, 2008 at 4:34 pm #
Yes I am amazed by the people that don’t hide their plugin directories, and yes, it is best to hide these directories from prying eyes like mine :-0.
For those WordPress users not comfortable with the .htaccess solution, another, almost as good, hiding method is to upload a blank index.htm file to the directory you don't want people to view. By default, browsers will get the blank HTM file. Sometimes I like to put a snarky message on the index.htm file like "Nothing for you to see here, move along...."
The negative with the index.htm solution is that it only protects the folder it is in and not the child folders. So:
/wp-content/themes/ would bring up the default index page
but
/wp-content/themes/scam_google_theme/ would be viewable in all its glory.
-John
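To tie the .htaccess directives in the post to John's point about child folders, here is an added shell script (my own example, not code from the post, from WordPress or from LinkXL) that audits a web root for directories whose listing would be exposed and then protects the whole tree. It assumes Apache with mod_autoindex, that .htaccess files are honoured (AllowOverride permits Options and Indexes), that DirectoryIndex covers index.html, index.htm and index.php, and that the web root path is passed in by the caller; the directory names used when trying it out are constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes Apache honours .htaccess
# (AllowOverride Options/Indexes) and DirectoryIndex includes index.html,
# index.htm and index.php. The web root is supplied by the caller.

# A directory counts as protected when it contains an index file, or when it
# or any ancestor up to the web root has an .htaccess carrying
# "Options -Indexes" or "IndexIgnore *" (both are inherited by subdirectories).
is_protected() {
    root="$1"; dir="$2"
    for idx in index.html index.htm index.php; do
        [ -f "$dir/$idx" ] && return 0
    done
    cur="$dir"
    while :; do
        if [ -f "$cur/.htaccess" ] &&
           grep -Eq '^(Options[[:space:]]+.*-Indexes|IndexIgnore[[:space:]]+\*)' "$cur/.htaccess"; then
            return 0
        fi
        [ "$cur" = "$root" ] && break
        [ "$cur" = "/" ] && break      # safety stop if dir is outside root
        cur=$(dirname "$cur")
    done
    return 1
}

# Print every directory under the web root whose listing would be exposed.
find_exposed() {
    root="$1"
    find "$root" -type d | while read -r d; do
        is_protected "$root" "$d" || echo "$d"
    done
}

# Protect the tree: one root .htaccess (inherited by every subdirectory) plus a
# blank index.html in each directory as a fallback for hosts that ignore .htaccess,
# which also covers the child folders a single index file would miss.
protect_tree() {
    root="$1"
    printf 'Options -Indexes\nIndexIgnore *\n' > "$root/.htaccess"
    find "$root" -type d -exec sh -c '[ -e "$1/index.html" ] || : > "$1/index.html"' _ {} \;
}

# Typical use (web root path is an assumption for the example):
#   find_exposed /var/www/html      # list exposed directories
#   protect_tree /var/www/html      # then protect them
```

Because Options -Indexes and IndexIgnore * in the root .htaccess are inherited by every subdirectory, a single root file covers wp-content/plugins and wp-content/themes at once, which is the whole-tree equivalent of John's blank index.htm. Neither measure stops someone who already knows a file's URL from fetching it; for genuinely private documents, deny access to the directory (for example with Require all denied on Apache 2.4) or keep them outside the web root.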
Kevin Muldoon | November 2nd, 2008 at 2:17 am #
Good comment John. Yes, a default index.html file would work as well. Most PHP scripts put a blank index file in subdirectories so that people can't see it. Now that I think about it, why doesn't WordPress do this?
Abdul | November 3rd, 2008 at 1:50 pm #
It’s like you read my mind, I really wanted to know that because I recently discovered that all of my directory browsing was enabled!
Thanks a bunch!
David Shaw | November 5th, 2008 at 11:21 am #
I always used the blank index.htm file in directories, have tried using .htaccess a few times, but always find it easier to slip in some blank indexes.
It all depends on your preference I suppose.
Best internet Marketing | December 31st, 2008 at 5:36 pm #
More good advice, but I am way ahead of you here. I pay too much attention to the details; that's why it takes me 3 days to set up WordPress.
malcom | May 30th, 2009 at 9:33 pm #
Very good article, just what I was looking for. I'm very lazy by not learning more on .htaccess and didn't know I could do this.
Thanks a lot, Malcom
Mark Freeman | March 21st, 2010 at 2:22 am #
Hey, thanks for the advice ... I was leaving some places that should be locked wide open ... fixed now