- 1
Disable it in .htaccess (Apache)
Add this line to your site's root .htaccess file:
Options -Indexes - 2
Disable it in Nginx
Nginx doesn't list directories by default, but if autoindex was turned on, disable it:
autoindex off; - 3
Add index files as a backup
WordPress ships empty index.php files in its folders for this reason. Make sure they exist in custom upload directories too.
Is your site affected?
Run a free external scan — 36 checks, no login or plugin required.
More fix guides
How to Fix Cross-Site Scripting (XSS) in WordPress
Sanitize input, escape output, patch vulnerable plugins, and add a Content-Security-Policy.
How to Fix SQL Injection in WordPress
Patch vulnerable plugins and use $wpdb->prepare() for every query with user input.
How to Disable XML-RPC in WordPress
Block xmlrpc.php unless you need it — it enables brute-force amplification and pingback DDoS.
How to Add Security Headers to WordPress
Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.