How to Disable Directory Listing in Joomla?

A major vulnerability on any website – and not just Joomla websites – is to have directory listing enabled. Directory listing is a default feature in Apache and IIS (the two most common web servers used for Joomla websites) that will allow anyone to view the list of files in a certain directory if the web server can’t find a default file to run in that directory. A default file can be any of the following: index.html, index.html, index.php, default.htm, default.html, default.php, etc…

Most hosting environments have this feature turned off – but for those that don’t, then Joomla, in its default installation, addresses this problem by adding an index.html in each and every directory (try browsing to any directory on your Joomla website and you will definitely see an index.html file if there is no index.php in that directory) – which stresses the point previously mentioned in our post “20 Benefits of Using Joomla” that Joomla is secure by default. By adding this index.html file to every directory, Joomla ensures that the web server serves this file to those visitors (or should we say malicious visitors) directly accessing these directories, instead of listing what’s in the directory. (By the way, having an index.html in Joomla directories instead of an index.php to prevent directory listing was a performance-based decision. This is because an index.php file has to be intereprted by the PHP compiler before being served to the client, while a an index.html file is served “as-is” to the client, with minimal work done on the server side.)

However, we can think of many Joomla extensions that aren’t as secure as Joomla’s core – such extensions were written in the assumption that directory listing is always disabled (or maybe their developers do not care about security altogether), and thus they don’t include any default file. So, if directory listing is enabled, then Joomla websites that have these extensions installed will have major security vulnerabilities. So what can someone do to disable directory listing on his Joomla website?

Well, there are three ways to disable directory listing on a Joomla website:

Disable directory listing at the server level
Directory listing can be easily disabled at the server level by doing the following:
- If you’re running IIS: Disabling directory listing varies by IIS version, and we suggest that you check IIS’s help on how to do this (by the way, there are several ways for disabling directory listing on IIS).
- If you’re running Apache: Disabling directory listing on Apache simply consists of editing the file httpd.conf (which is Apache’s configuration file) by adding the following line:
  
  Options -Indexes
  
  By the way, make sure that you don’t have something the following line (notice that the minus sign is missing):
  
  Options Indexes
  
  elsewhere in your httpd.conf file – if you do, then you need to simply delete it.
Note that if you’re on a shared hosting environment, then you can always ask your web hosting company to do the above for you, but we doubt that they will, because they will be affecting all the websites on their server, and not only yours. If you’re on a shared hosting, then we suggest you follow one of the two methods below.
Disable directory listing at the cPanel level

If you have cPanel, then disabling directory listing can be easy by doing the following:
- Login to your cPanel account
- Scroll down to the bottom of cPanel’s homepage, and click on the Index Manager under Advanced.
- You will be prompted to choose the directory that you want to disable directory listing on, choose the directory that contains your Joomla website (such as /public_html/www). A page containing a list of directories under public_html will appear. Click on public_html on that page and then choose No Indexing and click on “Save” at the bottom.
Disable directory listing at the .htaccess level

Probably the easiest way to disable directory listing is to just edit the .htaccess file located under the root directory of your Joomla website, and then add the following line at the top of that file:

Options -Indexes

Again, make sure that you don’t have this line:

Options Indexes

elsewhere in your .htaccess file (this line will explicitly enable directory listing). In case you see this line, then you need to delete it.

If you need help in disabling directory listing on your Joomla website, or you need to review the security on your Joomla website, then why not contact us? We’re fast, we’re experts in Joomla, and we won’t charge you much!

One Response to “How to Disable Directory Listing in Joomla?”

rss

Pingback by On Storing Backups of Your Joomla Website in the Wrong Place | itoctopus — August 27, 2012 @ 10:58 pm
[…] a folder called backup, then it’s the same thing as above. However, if you don’t have directory listing disabled on your Joomla website, then one can just go to http://www.yourjoomlawebsite.com/backup and see (and of course download) […]

At itoctopus, we're here to help you with your business! That's our promise to you. Whether you're looking for urgent programming help in the middle of the night, or you need help expanding your website, or you need to claim your projects for R&D, then you're at the right place. We have served a lot of customers since 2001, and we'll be happy to serve you!

If you want to fix an urgent issue (for example, your website is down), then give us a call at 514 961 2804, this line is at your service 24/7/365!
Call Now: 514 933 8036
Just give us a call if you need help on your website, and you'll be surprised how friendly, efficient, and fast we are! Oh, and we genuinely care about your business! (International clients please call +1 514 933 8036)

How to Disable Directory Listing in Joomla?

Leave a comment