What is directory listing?
Directory listing is a function of web servers that lists all of the content in a directory. This happens when the web server is configured to show directory listings and there is no index file in that directory, such as index.php or index.html.
Directory listing can also be found through vulnerability scanners when there is a misconfiguration or through historical data if the setting was enabled in the past.
How do directory listings work?
Whenever a website visitor requests a webpage, the web server looks for the index file, which it then serves to the visitor. The index file is processed by the browser, displaying the webpage that the visitor asked for.
If the webserver is unable to locate the index file, and the directory listing is switched on, it will instead serve a listing of all of the files and folders in that directory.
Why are directory listings dangerous?
When a web server lists the contents of a directory, it does not discriminate between different files and folders. Everything that is in the directory will be listed, including any leftover and unreferenced files that might be there.
Leftover and unreferenced files may contain all sorts of sensitive information such as backups, passwords, and other information you might not necessarily want to disclose to the general public. This can lead to information disclosure – unintentionally leaking sensitive information.
An attacker might use this information against you – either to gain access to the system or ask for payment to not disclose the information. Information disclosure may also see you break privacy and other such rules and regulations as
How to protect your WordPress website from directory listings
Directory listings can be turned off from the webserver configuration. While this is more than likely turned off if you have a hosting plan, the exact procedure varies depending on the type of web server being used.
Administrators should also ensure that the right WordPress files permissions are set and that no files that could lead to information disclosure are left on the webserver.