This plugin hasn’t been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.

Directory Index Guard


How it works

The Directory Index Guard plugin works by updating the Apache .htaccess file to include the directive Options -Indexes. It prevents you from having to edit it yourself via FTP or some other mechanism.


  • Easily turn directory indexes off with one click.
  • Scan directory structure to check for exposed directory indexes.
  • Provides a report of which directories are safe or exposed.
  • Checks to make sure protection is still enabled after the .htaccess file is edited or updated by another process.
  • Creates a backup of the existing .htaccess before modifying.
  • Checks the syntax of the .htaccess file for errors before saving.

What is a Web Server Directory Listing?

A web server directory listing, commonly called a directory index, is a list of the contents in a folder stored on your WordPress server. Similar to your local computer directory, a web server has a directory structure for storing files and folders. If directory listings are turned on, the server will show all files and subfolders contained in that directory. The files can be viewed or downloaded, and you can move into and out of subfolders like you would on your local computer.

Why is this dangerous?

Often times, backups of critical WordPress configuration files are made before making changes and then stored in a directory on the server. These backup can potentially contain your WordPress administrator or database password. The source code for plugins, themes, and administrative functions are also stored in directories on the server. None of these files are intended for public viewing. Hackers can use directory listings to download these files and create a road map of how to exploit vulnerabilities in your site. If they contain your WordPress administrator password, your entire site and all of your customer data is at risk. To make this worse, hackers can scan these files with a script, on thousands of websites at a time, and hack your site or sell the information on the dark web. Common identity theft programs may not scan for WordPress configuration passwords. Turning off directory listings is absolutely critical for the security of your site.


  • Scan showing exposed directory listings without Directory Index Guard protection.
  • Scan showing safe directory listings with Directory Index Guard protection.
  • Screenshot of what a directory index listing looks like, for an admin source code folder.


  1. Log into your site as the WordPress Administrator.
  2. Go to the Plugin Menu and click Add New.
  3. Enter “Directory Index Guard” in the search box.  It will be the first result to show up with a blue shield icon.
  4. Install and Activate the plugin.
  5. Click the Turn Protection On button.

Once activated, the plugin configuration will be under the Tools menu on the WordPress Administration page.  The configuration page will show you all directories on your server and which ones are vulnerable.   

Click the “Turn on Protection” button to apply the necessary configuration changes, after which all directories should appear safe.


There are no reviews for this plugin.

Contributors & Developers

“Directory Index Guard” is open source software. The following people have contributed to this plugin.



Version 1.2.0

  • Check if htaccess modify date has been changed since last scan.
  • Check if protection is turned on.

Version 1.1.0

  • New features and polish

Version 1.0.0

  • Stable first release