SYSTEMS OPERATIONAL
Hosting

Directory Listing Exposed in cPanel: How to Fix It

Getwebup 6 min read

You type in your domain and instead of your homepage, you get a bare list of files and folders staring back at you — wp-content/, backup.zip, config.php.bak, all clickable. That's directory listing (also called "open directory" or "index browsing"), and it's leaking things you never meant to publish.

Symptom: A File List Instead of Your Site

You open a folder URL — say yourdomain.com/uploads/ or even the root yourdomain.com/ — and instead of a page, the browser shows something like this:

Index of /uploads
[DIR] 2025/
[DIR] 2026/
[   ] backup-old-site.zip
[   ] db-export.sql

Sometimes it's the whole site root because the homepage file went missing. Other times it's just one folder — often a backups, uploads, or cache directory nobody bothered to protect. Either way, anyone who finds the URL (or a search engine that indexes it) can browse and download whatever's sitting there.

Why It Happens

Apache and LiteSpeed both list a folder's contents by default whenever two things are true at once:

  • There's no index.html, index.php, or similar file in that folder for the server to load automatically.
  • The Options +Indexes directive is active for that directory (it usually is, unless something has explicitly turned it off).

This isn't a bug — it's how the web server has behaved for decades. It only becomes a problem when a folder that should be private (a backup directory, an export folder, an old site copy) doesn't have an index file and nobody thought to lock it down. Common triggers we see on Getwebup accounts:

  • A migration or restore left a folder like /old-site/ or /backup/ sitting in the public_html root with no index file.
  • A WordPress plugin (backup, export, or staging tools) writes files to a public folder and forgets to drop an index.php in it.
  • Someone deleted index.php by accident while cleaning up files in File Manager.
  • A new addon domain or subdomain was created and no CMS was installed in it yet, so the folder is empty except for whatever got uploaded manually.

Fix 1: Drop an Index File In (Fastest, Per-Folder)

If you just need to close one folder, the quickest fix is to add an empty index.html file to it. An empty file is enough — Apache stops listing the contents the moment it finds one.

  1. Log in to cPanel and open File Manager.
  2. Navigate to the exposed folder.
  3. Click + File, name it index.html, and create it — you can leave it blank or add a single line like <h1>403 Forbidden</h1>.

Do this for every sensitive folder you find. It's fast, but it doesn't scale — you'd need one per directory, and it won't stop someone from listing a new folder created later.

Fix 2: Turn Off Indexing Site-Wide With .htaccess

For a permanent, site-wide fix, add this to the .htaccess file in your public_html root:

Options -Indexes

That single line applies recursively to every subfolder under it, so you don't need to touch each directory individually. If your site already has a WordPress .htaccess file, add the line above the <IfModule mod_rewrite.c> block — anywhere outside the WordPress-managed section is fine, since WordPress won't overwrite it when it regenerates permalink rules.

If you get a 500 error right after saving, your host's Apache config has AllowOverride restricted for the Options directive. That's rare on shared cPanel hosting (Getwebup allows it by default), but if it happens, open a support ticket and we'll set it in the virtual host config directly.

Fix 3: Use cPanel's Index Manager (No File Editing)

If you'd rather not touch .htaccess by hand, cPanel has a dedicated tool for this:

  1. In cPanel, search for and open Index Manager (under the Advanced section).
  2. Click into the folder you want to change.
  3. Select No Indexing and save.

Index Manager just writes the same Options -Indexes line into that folder's .htaccess behind the scenes, so the result is identical to Fix 2 — it's just a GUI for people who'd rather not edit the file directly. Use it when you only need to lock down one or two specific folders (like /uploads/private/) without touching the site-wide rule.

For Genuinely Sensitive Folders, Password-Protect Instead

Turning off indexing hides the file list, but the files are still reachable if someone guesses or already has the exact filename — yourdomain.com/backups/db-export.sql would still download fine. For folders holding actual backups, database exports, or staging copies of the site, don't just hide the listing — password-protect the directory:

  1. In cPanel, open Directory Privacy.
  2. Select the folder, check Password protect this directory, and set a username and password.

Better yet, don't leave backup files inside public_html at all — store them outside the web root, or better, off-server entirely (see our guide on automated off-site VPS backups with rclone if you're on a VPS plan).

When "Fixing" This Breaks Something Else

Occasionally, disabling indexing surfaces a different problem: a folder that was relying on directory listing to work — for example, a simple photo-sharing folder someone set up on purpose so clients could browse and download images without a gallery plugin. If that's the intent, you don't want Options -Indexes there. Just make sure it's a folder you actually meant to leave open, not one that's open by accident — check what files are sitting in it before deciding.

Also double check that adding Options -Indexes to .htaccess didn't collide with an existing Options line already in the file — having two conflicting Options directives in the same context can throw a 500 error. Search the file for Options before adding a new line; if one already exists, just append -Indexes to it instead of adding a second directive.

Prevention Checklist

  • Add Options -Indexes to public_html/.htaccess on every new site as a standing rule.
  • After any migration or restore, scan for leftover folders in the web root (old-site, backup, tmp) and either delete them or lock them down.
  • Never store backup or export files inside a publicly accessible folder — use Directory Privacy or move them outside public_html.
  • Run a quick check periodically: try loading a few of your own upload and cache folder URLs directly in a browser to confirm they don't list contents.

Frequently asked questions

Will disabling directory listing break my WordPress site?

No. WordPress and virtually every CMS load through an index.php file, so Options -Indexes has no effect on normal page requests — it only stops the raw file-and-folder view from showing up when there's no index file to load.

How do I check if directory listing is exposed on my site?

Try opening common folder paths directly in a browser, like yourdomain.com/wp-content/uploads/ or yourdomain.com/backup/. If you see a plain list of files instead of a 403 error or your site's design, indexing is enabled for that folder.

Is Options -Indexes the same as blocking a folder completely?

No. It only hides the file listing — the files are still downloadable if someone knows or guesses the exact filename. For sensitive files, use Directory Privacy (password protection) or remove the files from public_html entirely.

I added Options -Indexes and now I get a 500 Internal Server Error. Why?

This usually means there's already an Options directive in that .htaccess file and the two are conflicting, or AllowOverride for Options isn't permitted at the server level. Check for an existing Options line first, and if none exists, contact support to confirm AllowOverride is enabled.

Does Index Manager in cPanel do anything different from editing .htaccess myself?

No — Index Manager is just a GUI that writes the same Options -Indexes line into the folder's .htaccess file for you. Either method produces the identical result; use whichever you're more comfortable with.

#cpanel #directory-listing #options-indexes #htaccess #website-security #file-manager

Keep reading

Chat with Support