Security Mecca

Stop showing all the files in your directories and folders

Posted in Articles, Coders on


Come on, admit it. If you have a website, you have probably caught yourself throwing files in a directory somewhere on your server. It's a great way to make a quick backup, but do you really want anybody having access to your files? Not only are these files available to anybody on the web, but most servers will actually try to be "helpful" and list all of these files in your backup directory on a nice little index page with clickable links to all of them. Not exactly a secure backup, is it?

So what is the best way to fix this? First of all, you should place your backup files outside of your document root directory. Most webservers are set up like this:


Of course, your server may be different, but only files in the public_html directory are able to be accessed through the web. For example, if you place test.html in your public_html directory, the URL will then be However, if you place your backups in your main /home/username directory, they cannot be accessed with a URL which will greatly enhance security.  Be aware there is a possibility that other users on a shared host could still see these files if your host does not correctly configure the server. A good way to check is to go to the /home directory. If you can see other usernames or their files, then everybody else can see your "hidden" files as well, and it's definitely time to find a better host!

But what if you have some public files that you want to be able to access through a URL, yet you do not want people being nosy and going through them? If you are using the Apache web server, then stopping nosy visitors is as easy as disabling directory indexing. To do this, either create or modify your .htaccess file in your public_html directory. (This file is an Apache configuration file.) Once you have the file open, just add this single line somewhere in the file:

Options -Indexes

This will stop Apache from listing all the files in all directories. Again, this will not protect private files, but instead is more of a privacy measure to keep people from looking through all of your pictures in your images/ directory.

But what if you are not using Apache and on another web server type like Microsoft's IIS (Internet Information Services)? Or what if your host blocks you from editing .htaccess files? If this is the case, just create an empty text file, rename it to index.html, and then upload it to the directory you want to stop showing all the files. Most servers will automatically load an index.html file when a directory is requested by the browser, and since it is completely blank, the user will get a blank screen and thus effectively stopped from browsing the directory.

Disabling directory browsing will definitely help improve the security and privacy on your web site. This tip will help slow down hackers from probing and seeing what files are on your site. Of course, you should make sure all your software programs are patched and up to date, but this will help maintain an additional layer of privacy.

Until next time....


about the author

More about Jeremy Conley:
Jeremy Conley Jeremy is a student at Western Michigan University where he is dual majoring in Electronic Business Design and Film & Video Studies. When not programming or researching design and security topics, Jeremy enjoys movies and photography and drinking coffee in all the amazing local Kalamazoo coffee shops.

questions or comments?

If you have any questions or comments about this article, feel free to contact us!

talk back! questions/comments, and feedback. keep it polite, please