Skip to main content

Fix Guides

How to Fix Open Directory Listings

Stop the server from publishing a browsable file index.

Quick fix

To fix open directory listings, disable directory indexes on your web server (Options -Indexes on Apache, autoindex off on Nginx) and add a default index file (index.html or index.php) to every directory that must exist. Remove or protect sensitive folders like /backup/. Re-scan to confirm.

When directory listing is enabled, visiting a folder URL without an index file shows a browsable list of every file inside — backups, configs, uploads. Attackers use this to discover sensitive files. Disabling indexes and cleaning up exposed folders fixes the finding.

Check your website

See how your site handles how to fix open directory listings — free, no account needed.

Business impact

Directory listing turns obscure filenames into a clickable menu for attackers. It is how backup archives, log files and private uploads get discovered without guessing paths. Disabling it is a one-line server config change with immediate security benefit.

Why this happens

The scanner flags "Backup Directory Listing" when paths like /backup/ or /backups/ return HTTP 200 with Apache/nginx directory index HTML ("Index of /", "Directory Listing"). Causes: Options +Indexes on Apache; missing index.php in a folder; or nginx autoindex on. Your site may already have Options -Indexes globally but a subdirectory or virtual host overrides it.

How to confirm the issue

Manually: visit https://yoursite.com/backup/ or any folder without an index file. A list of filenames means listing is enabled.

With Plexa Trust: look for "Backup Directory Listing" or "Backups Directory Listing". Re-scan after disabling indexes.

Step-by-step fix

  1. Identify which directories show a file listing (common: /backup/, /uploads/, /tmp/).

  2. Disable directory indexes globally in server config.

  3. Add index.php or index.html to directories that must remain accessible.

  4. Delete or move sensitive folders (backups, old exports) outside the web root.

  5. Verify subdirectories and .htaccess files do not re-enable Indexes.

  6. Re-scan to confirm listing pages are gone.

Platform-specific fixes

Apache

  1. In httpd.conf or .htaccess: Options -Indexes

  2. Per-directory override: <Directory /var/www/html> Options -Indexes </Directory>

  3. Check no subdirectory .htaccess has Options +Indexes.

Nginx

  1. In server block: autoindex off; (this is the default — verify it is not on).

  2. Ensure index index.php index.html; is set.

  3. Reload nginx after changes.

IONOS / shared hosting

  1. Add Options -Indexes to your root .htaccess.

  2. Remove empty backup folders from public_html or add an index.php that returns 403.

WordPress uploads

  1. WordPress usually adds index.php to wp-content/uploads — verify it exists.

  2. Never store backups inside wp-content/uploads or other browsable folders.

How to verify the fix

  • Disable directory listing globally — never rely on obscurity.

  • Store backups and exports outside the web root entirely.

  • Audit upload directories for index.php presence.

  • Re-scan with Plexa Trust and confirm directory listing findings clear.

Common mistakes

  • Disabling indexes globally but leaving /backup/ full of downloadable files (404 vs listing, but files may still be guessable).

  • Forgetting subdirectory .htaccess that re-enables Indexes.

  • Using directory listing as a "quick file share" for clients.

  • Only adding index.html to the root, not subfolders.

Frequently asked questions

What does directory listing look like?

A page titled "Index of /" listing filenames, sizes and dates — no styling, generated by the server.

Is Options -Indexes enough?

Usually yes on Apache. Also remove sensitive folders and add index files to directories that need to exist.

Why does /backup/ exist at all?

Often leftover from manual backups or plugin defaults. Delete it or move outside web root.

Does disabling listing hide files completely?

No — direct URLs to known filenames may still work. Listing just stops browsing. Remove sensitive files too.

What is the nginx equivalent?

autoindex off; — verify it is not explicitly enabled anywhere.

Can Cloudflare disable directory listing?

No — this is an origin server setting. Fix Apache/nginx on your host.

WordPress uploads — is listing a risk?

If index.php is missing from uploads, media filenames could be browsable. WordPress adds index.php by default — verify it is there.

How do I confirm the fix?

Visit former listing URLs — should 403/404 or show a blank/index page, not a file list. Re-scan with Plexa Trust.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring