What is Information Disclosure?

Information Disclosure occurs when a website unintentionally reveals sensitive data to users who should not have access to it. In WordPress, this often manifests as Directory Indexing. If a web server is misconfigured, requesting a directory path that lacks an index.php or index.html file will prompt the server to display a complete list of all files inside that folder, exposing code and structures to the public.

How Attackers Exploit Directory Listing

When directory indexing is enabled, attackers can simply browse your /wp-content/uploads/ or /wp-content/plugins/ directories. This lets them identify exactly which third-party plugins and themes you have installed, along with their precise version numbers. Armed with this inventory, malicious actors can cross-reference your assets against public vulnerability databases (such as the CVE list) to find unpatched flaws, turning a minor configuration mistake into a full site compromise.

Disabling Directory Browsing

Preventing information disclosure requires tightening your server configuration and folder rules:

  • Disable Server Indexing: For Apache servers, add the directive Options -Indexes to your root .htaccess file. For Nginx servers, ensure that the autoindex directive is set to off within your configuration block (off is Nginx's default, so check that no location block has switched it on).

  • Use Dummy Index Files: Place a stub index.php file containing <?php // Silence is golden. inside your custom plugin and theme directories. WordPress core ships these by default, but custom extensions often omit them.

  • Restrict Sensitive Files: Use server rules to explicitly block access to critical system files like wp-config.php, .htaccess, readme.html, and license.txt, which reveal core version data.
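The three steps above, combined into one audit-and-fix script as an added example (not part of the original article): it lists every directory under wp-content that a misconfigured server could index, drops in the "Silence is golden." stub where one is missing, and appends Options -Indexes plus a deny rule for the files named above to the root .htaccess. It assumes the script is pointed at the site's document root and that the server is Apache 2.4 (the Require syntax).

```shell
#!/bin/sh
# Added example, not from the original article. Assumption: $1 is the
# WordPress document root (a local copy is fine for auditing).

# WordPress's own stub, as shipped in core directories.
INDEX_STUB='<?php
// Silence is golden.
'

# Apache 2.4 rules: turn off listing and block files that leak version/config data.
HTACCESS_RULES='# Disable directory listing
Options -Indexes
# Block direct requests for files that reveal configuration or core version
<FilesMatch "^(wp-config\.php|\.htaccess|readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>
'

# list_unindexed ROOT: print each directory under ROOT/wp-content that has
# neither index.php nor index.html, i.e. one an indexing server would list.
list_unindexed() {
    find "$1/wp-content" -type d 2>/dev/null | while IFS= read -r dir; do
        [ -e "$dir/index.php" ] || [ -e "$dir/index.html" ] || printf '%s\n' "$dir"
    done
}

# count_unindexed ROOT: number of such directories (0 when the tree is clean).
count_unindexed() {
    list_unindexed "$1" | wc -l | tr -d ' '
}

# add_index_stubs ROOT: write the stub into every directory that lacks an index.
add_index_stubs() {
    list_unindexed "$1" | while IFS= read -r dir; do
        printf '%s' "$INDEX_STUB" > "$dir/index.php"
    done
}

# htaccess_disables_indexes ROOT: succeed only if ROOT/.htaccess disables listing.
htaccess_disables_indexes() {
    grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
}

# ensure_htaccess_rules ROOT: append the rules once; safe to run repeatedly.
ensure_htaccess_rules() {
    htaccess_disables_indexes "$1" || printf '%s' "$HTACCESS_RULES" >> "$1/.htaccess"
}
```

Run the audit first (count_unindexed) to see the exposure before changing anything, and keep the stub files in version control so a plugin update that removes them is noticed.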