If you manage a website using cPanel, securing your files should be a top priority. One common but often overlooked security risk is directory listing—a feature that can expose your website’s files to anyone who knows where to look.
In this guide, you’ll learn what directory listing is, why it’s risky, and how to disable directory listing in cPanel to protect your website.
What Is Directory Listing?
Directory listing (also known as directory browsing) occurs when a web server displays the contents of a folder when there is no index file (like index.php or index.html) present.
For example, instead of showing a webpage, visitors might see a list of files like:
- Images
- Backups
- Configuration files
- Scripts
This can unintentionally reveal sensitive information about your website.
Why You Should Disable Directory Listing
Leaving directory listing enabled can create serious security risks:
- Exposes sensitive files (backups, configs, logs)
- Makes it easier for hackers to find vulnerabilities
- Reveals your website structure
- Increases risk of exploitation
Disabling it is a simple yet effective way to improve your website security.
Method 1: Disable Directory Listing via cPanel (Recommended)
Most hosting providers offer a built-in option in cPanel.
Steps:
- Log in to your cPanel account
- Scroll to the Advanced section
- Click on Indexes
- Select the directory you want to protect (usually
public_html) - Choose No Indexing
- Click Save
✅ This will prevent visitors from viewing directory contents.
Method 2: Disable Directory Listing Using .htaccess
You can also disable directory listing manually using the .htaccess file.
Steps:
- Open File Manager in cPanel
- Navigate to your website root folder (e.g.,
public_html) - Locate or create a
.htaccessfile - Add the following line:
Options -Indexes
- Save the file
👉 This directive tells the server to block directory browsing.
Method 3: Add an Index File
Another simple method is to add a default index file:
index.htmlindex.php
Even a blank file will prevent directory listing from being displayed.
How to Check If Directory Listing Is Disabled
To verify:
- Open your browser
- Visit a directory without an index file (e.g.,
yourdomain.com/uploads/)
Expected Result:
- ❌ Directory listing disabled → You’ll see a 403 Forbidden error
- ⚠️ Directory listing enabled → You’ll see a list of files
Best Practices for Website Security
Disabling directory listing is just one step. For better protection:
- Keep your CMS, plugins, and themes updated
- Use strong passwords
- Enable SSL (HTTPS)
- Regularly back up your website
- Restrict access to sensitive directories
Common Mistakes to Avoid
- ❌ Forgetting to apply settings to subdirectories
- ❌ Overwriting
.htaccessaccidentally - ❌ Assuming hosting disables it by default
Always double-check your configuration.
Final Thoughts
Disabling directory listing in cPanel is a quick and effective way to protect your website from unnecessary exposure. Whether you use the built-in Indexes tool or edit the .htaccess file, taking this step can significantly improve your site’s security.
If you’re serious about website protection, this should be one of the first security measures you implement.