Last Updated on April 20, 2020

Did you know that, by default, the WordPress plugins folder is perfectly visible to anybody with an internet connection?

I don’t know what the use of such information could be, but who am I to judge? I’m not a hacker after all.

Try typing http://www.yourdomain.com/wp-content/plugins into your browser and tell me what you think. What you see depends on two things: whether the directory contains an index file and whether the web server is allowed to generate listings at all. Current WordPress releases ship an empty index.php in wp-content/plugins, so on a fresh install the check is most revealing for the individual plugin subfolders, which usually have no index file of their own.

The listing tells a visitor exactly which plugins you run (and often which versions), which is what an attacker needs in order to match your site against known plugin flaws. There are at least two ways of preventing this:

1. Create an empty index.html file and upload it to your plugins directory (tip sent by Pearl from Fresh-Perspectives.net, who also told me about this issue. More tips on WordPress security are available via Online Tech Tips). A very nice implementation of this solution can be seen at JohnCow.com. Keep in mind that a listing is generated per directory, so each plugin’s own subfolders stay browsable unless they get a placeholder file too.

2. In your FTP program, change the permissions of the plugins folder from 0755 to 0750, which removes read and execute (search) permission for "other" users, so the public can no longer read the folder. By doing this, curious readers will be shown your 404 page. If you use FireFTP, right-click the folder, select Properties, change the figure in the next window and press OK. Whether this works depends on which account the web server runs as: if it runs as your own user (or in your group), it can still read the folder and nothing changes; if it runs as a separate account, it can no longer enter the folder at all, so static plugin files served from it (CSS, JavaScript, images) may stop loading as well. Check your site after making the change.

Later update: following Jeff’s comment, I’d like to add a note: change only the permissions of the folder itself, not of its contents. Otherwise, some of your plugins may stop working properly.

One-day-after update: one of our loyal readers, LGR, pointed to a third solution, which is by far the most elegant of all: disable indexes using .htaccess. Add a line to your .htaccess file: Options -Indexes (the directive is Options, plural), thus preventing browsing of folders which don’t have an index file. This requires Apache with AllowOverride set to Options or All for your site; if the host does not allow it, Apache answers every request with a 500 error until the line is removed. On nginx there is no .htaccess, but listings are off by default (autoindex off).
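As an added example that is not part of the original post, here is a small POSIX shell script that combines tips 1 and 3 and goes slightly beyond them: it drops a placeholder index.php into every directory under the plugins folder (not only the top one), appends Options -Indexes to an .htaccess file without duplicating it, and counts the directories still lacking an index file. The paths, the temporary demo tree and the assumption that Apache honours .htaccess for the site are mine, not the author’s.

```shell
#!/bin/sh
# Added example (not from the original post): harden a WordPress tree against
# directory listing by combining tips 1 and 3. Paths are hypothetical.
set -eu

# Drop a placeholder index.php into every directory under $1 that has no
# index file, so the server returns an empty page instead of a listing.
# Listings are generated per directory, so each subfolder needs its own.
add_index_files() {
    find "$1" -type d | while IFS= read -r dir; do
        if [ ! -e "$dir/index.php" ] && [ ! -e "$dir/index.html" ]; then
            printf '<?php\n// Silence is golden.\n' > "$dir/index.php"
        fi
    done
}

# Append "Options -Indexes" to the .htaccess at $1 unless already present.
# Requires Apache with AllowOverride Options (or All) for the directory;
# otherwise Apache answers every request with a 500 error.
disable_indexes() {
    if [ -f "$1" ] && grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1"; then
        return 0
    fi
    printf 'Options -Indexes\n' >> "$1"
}

# Print the number of directories under $1 that still lack an index file.
unprotected_dirs() {
    find "$1" -type d | while IFS= read -r dir; do
        [ -e "$dir/index.php" ] || [ -e "$dir/index.html" ] || echo "$dir"
    done | wc -l | tr -d ' '
}

# Demo on a constructed tree in a temporary directory (removed afterwards).
demo_root=$(mktemp -d)
mkdir -p "$demo_root/wp-content/plugins/example-plugin/css"
: > "$demo_root/wp-content/plugins/example-plugin/style.css"
echo "before: $(unprotected_dirs "$demo_root/wp-content/plugins") unprotected directories"
add_index_files "$demo_root/wp-content/plugins"
disable_indexes "$demo_root/.htaccess"
echo "after:  $(unprotected_dirs "$demo_root/wp-content/plugins") unprotected directories"
cat "$demo_root/.htaccess"
rm -rf "$demo_root"
```

Run it against a copy of your site first (for example `add_index_files /path/to/wp-content/plugins`), then request a plugin subfolder in the browser to confirm you get an empty page rather than a listing.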

Can you guess whose plugins I’ve just seen before writing this post?