One of the simplest and most overlooked methods of website security is in not protecting website files by blocking access to open web folders.  Most webmasters take security on open folders lightly.  Many think that the htaccess in public_html or the website firewall protects these.  Truth is they do not.

Unless the webmaster disallows casual folder browsing on the web server, most of the contents of each folder can be listed in a browser pointing to that Internet address. This concept is easily demonstrable by typing most any website address into the address bar of an Internet browser and simply adding a forward-slash and this folder name to the address:


If the images folder of the website navigated to is not protected, a listing of all the files in the folder will be displayed. Any of the files in the resulting display may be right-clicked on and the ‘save as’ option taken in order to save that file to a hard drive. In most cases websites will have an images folder, and this folder will not ususually be protected from casual browsing. If so, the entire contents of the images folder will be accessible to the public at large.  This is a common way weakness that allows  your images to get indexed on Google and scraped.

Other File Types

Depending upon file types, the files in an unprotected web folder may or may not be accessible; .php, .asp, and .aspx files are not accessible although .gif, .jpg, .bmp, .png, and other image files are fully accessible. Additionally, without folder protection in place, a hacker can make use of configuration files as well, such as and that could be where the websites database connection strings are held! Therefore, the database itself could become compromised.  Many can be access through various commands if not adequately protected.

There are primarily two methods of protecting web folders on an Apache Web Server:
  1. Placement of a redirect script in each individual web folder which requires protection.
  2. Making adjustments to the .htaccess file which will be applied to all website folders.

Placement of a Redirect Script:

A webmaster can follow these simple steps to add a redirect script to their web folders:

    Save the following in a file named index.php:




  • Upload the file into each web folder which needs protection. Finally,
  • Right-click on the file in your FTP program and CHMOD it to change the permissions to 755 so it will be executable.

Having done these actions the web folder will now be secured from casual browsing and its files protected.

The redirect script should be named index.php so it will execute when a user navigates to the folder it resides in. Place the file above into each folder which requires protection.

Adjusting the .htaccess File Rather Than Adding a Redirect Script:

In the root folder of the website there is a file called .htaccess. In it a line resides which reads:

Options Indexes

That text must be modified to read:

Options -Indexes

(If there is no line which reads Options Indexes then a line must be added that reads:

Options -Indexes

The new .htaccess file must then be saved and uploaded to the web server in text mode. Folder browsing on the website will then be disabled. If there is no .htaccess file found in the root folder, a simple text file must be created and saved. The file must be named .htaccess and the following lines must be added to it:

<Files .htaccess>

order allow,deny

deny from all


Options -Indexes

The additional lines protect the .htaccess file itself from being viewed.


Prevent Files from being accessed unless included locally:

if (strtolower(__FILE__) == strtolower($_SERVER['SCRIPT_FILENAME'])) die('Direct access not permitted.');    

Final option that should be executed is protect any log files from being read remotely.

Set your log files so  you have to log into your cPanel to read them.  Do not allow log files to be indexed or accessed via bots.  You should set all your logs outside your webspace root for additional protection.

Now saying this, set error_reporting(0); at the top of each php page on your website to ensure that error reporting is turned off if your website is in live production mode.  Only allow error reporting during development stages only.