Even if you don’t link to individual pages and folders, that doesn’t mean they aren’t accessible to the public. Unless you have already made changes to your WordPress installation, the architecture of your WP website is the same as everyone else’s. That means that if the Uploads folder of a site can be reached at http://yourdomain.com/wp-content/uploads/, it can probably be reached on your WordPress site as well.
While this won’t do any harm for many, it’s definitely not recommended to leave your site open to attacks.
You can explore your own website by entering the link mentioned above; you will find your entire uploads folder open to browsing. You can easily navigate through the folders and see every file you have uploaded.
Not only are your own files located in this folder; it can also contain files your users uploaded for various reasons. As an example, a customer of ours had a contact form on the Permatex theme which allowed users to upload files that were then attached to a message. By default, those files were uploaded to wp-content/uploads and, again, accessible to anyone who opened the link. And we’re sure you don’t want that.
That’s why we’re about to show you how to easily hide a certain folder from public access. You will need to modify your .htaccess file just a little; everything will be done in a few minutes and won’t hurt, we promise.
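Before and after adding the rule, it is worth checking what your own site actually returns for the standard WordPress folders. The following script is an added example by the editor, not code from the original post: it classifies an HTTP response as an exposed directory listing (Apache mod_autoindex or nginx autoindex pages), a blocked folder (Apache answers a Deny with 403 Forbidden; the post also mentions 404 or a blank page), or something else. The sample responses, the `example.com` host and the `fetch_sample` helper are constructed for the demo; `fetch_live` is an assumed helper for running the same audit against your own domain.

```python
"""Audit whether a WordPress site exposes directory listings for its
default wp-content folders. Example added by the editor, not part of
the original post; SAMPLE_RESPONSES are constructed, not captured."""
import re
from urllib.parse import urljoin

# Folders a default WordPress install exposes under the web root.
WP_FOLDERS = ("wp-content/uploads/", "wp-content/themes/", "wp-content/plugins/")

# Markers that identify an auto-generated directory index page.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s", re.I),   # Apache mod_autoindex title
    re.compile(r"Parent Directory", re.I),       # Apache mod_autoindex link text
    re.compile(r'<a href="\.\./">', re.I),       # nginx autoindex parent link
)


def classify(status, body):
    """'listing'  -> the folder is browsable
       'blocked'  -> server refused (403) or hid (404) the folder
       'empty'    -> 200 with an empty body (e.g. a blank index.php)
       'other'    -> anything else (a real page, redirect, error...)"""
    if status in (403, 404):
        return "blocked"
    if status == 200:
        if any(p.search(body) for p in LISTING_MARKERS):
            return "listing"
        if not body.strip():
            return "empty"
    return "other"


def folder_urls(base_url):
    """Build the absolute URLs of the WordPress folders to check."""
    root = base_url.rstrip("/") + "/"
    return [urljoin(root, f) for f in WP_FOLDERS]


def audit(base_url, fetch):
    """fetch(url) -> (status, body). Returns {url: classification}."""
    return {u: classify(*fetch(u)) for u in folder_urls(base_url)}


# Constructed sample responses standing in for a live server:
# uploads is listable, themes is denied, plugins returns a blank page.
SAMPLE_RESPONSES = {
    "https://example.com/wp-content/uploads/": (
        200,
        "<html><head><title>Index of /wp-content/uploads</title></head>"
        '<body><h1>Index of /wp-content/uploads</h1><a href="../">Parent Directory</a>'
        '<a href="2023/">2023/</a></body></html>',
    ),
    "https://example.com/wp-content/themes/": (403, "<h1>Forbidden</h1>"),
    "https://example.com/wp-content/plugins/": (200, ""),
}


def fetch_sample(url):
    """Offline fetcher used by the demo (constructed data)."""
    return SAMPLE_RESPONSES[url]


def fetch_live(url, timeout=10):
    """Assumed helper: fetch a URL from your own site with the standard library."""
    import urllib.error
    import urllib.request
    req = urllib.request.Request(url, headers={"User-Agent": "wp-folder-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Swap fetch_sample for fetch_live to audit your own domain.
    for url, verdict in audit("https://example.com", fetch_sample).items():
        print(f"{verdict:8} {url}")
```

Run it as-is to see the three verdicts on the constructed data; pass `fetch_live` and your own base URL to `audit` to check a real installation. A `listing` verdict for any folder means the directory index is public and the .htaccess step in this post has not taken effect yet.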
Let’s hide “Uploads” folder from the public:
- Open your FTP client
- Navigate to wp-content/uploads
- Create a new file, name it “.htaccess” and open it
- Copy and paste the following code in the file:

  ```apache
  Order Allow,Deny
  Deny from all
  Allow from all
  ```

- Save changes
- Navigate to http://yourdomain.com/wp-content/uploads/ where you should now get a 404 error or a blank page which doesn’t show the content of your uploads folder
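To see why this three-line rule refuses every visitor even though it ends with `Allow from all`, the following script is an added example by the editor (not code from the post) that simulates the order in which Apache 2.2 mod_access evaluates `Order`, `Allow` and `Deny` (Apache 2.4 still honours these directives through mod_access_compat). With `Order Allow,Deny`, the Allow lines are checked first, then the Deny lines, and a matching Deny wins; the default when nothing matches is to deny. The second rule set, `ALLOW_ONLY_OFFICE`, and the client addresses are constructed for the demo and go beyond the post to show the opposite ordering.

```python
"""Simulate Apache 2.2 mod_access evaluation of Order / Allow / Deny.
Example added by the editor, not from the original post. Rule text is
given exactly as it would appear in a .htaccess file."""
import ipaddress


def _matches(rule_host, client_ip):
    """True if one Allow/Deny host argument covers client_ip.
    Handles 'all', exact IPs, CIDR ranges and Apache's partial
    dotted-decimal prefixes such as '192.168.1'."""
    rule_host = rule_host.lower()
    if rule_host == "all":
        return True
    ip = ipaddress.ip_address(client_ip)
    if "/" in rule_host:
        return ip in ipaddress.ip_network(rule_host, strict=False)
    try:
        return ip == ipaddress.ip_address(rule_host)
    except ValueError:
        # Partial prefix: "192.168.1" matches 192.168.1.x
        return client_ip.startswith(rule_host.rstrip(".") + ".")


def parse_htaccess(text):
    """Return (order, allow_hosts, deny_hosts) from the directive text."""
    order = "Deny,Allow"  # Apache's default when no Order line is present
    allows, denies = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "order":
            order = parts[1]
        elif directive in ("allow", "deny") and parts[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(parts[2:])
    return order, allows, denies


def is_allowed(htaccess_text, client_ip):
    """Decide whether client_ip may access the folder under these rules."""
    order, allows, denies = parse_htaccess(htaccess_text)
    allow_hit = any(_matches(h, client_ip) for h in allows)
    deny_hit = any(_matches(h, client_ip) for h in denies)
    if order.lower() == "allow,deny":
        # Allow lines first; a Deny that also matches wins. Default: denied.
        return allow_hit and not deny_hit
    if order.lower() == "deny,allow":
        # Deny lines first; a matching Allow overrides. Default: allowed.
        return (not deny_hit) or allow_hit
    raise ValueError(f"unsupported Order value: {order}")


# The rule from the post: Allow and Deny both match, Deny is checked last.
UPLOADS_HTACCESS = """\
Order Allow,Deny
Deny from all
Allow from all
"""

# Constructed variant: deny everyone except one documentation-range subnet.
ALLOW_ONLY_OFFICE = """\
Order Deny,Allow
Deny from all
Allow from 203.0.113.0/24
"""

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.10"):  # constructed client addresses
        print(ip, "post rule:", is_allowed(UPLOADS_HTACCESS, ip),
              "office-only:", is_allowed(ALLOW_ONLY_OFFICE, ip))
```

Because the Deny matches every client, every request for anything under the folder is refused, not only the directory listing; if the goal is just to stop Apache from generating the index page while still serving the uploaded images, the narrower directive is `Options -Indexes`.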
In this example we have shown you how to hide the content of the Uploads folder, but that doesn’t mean it’s the only one you can hide. If you do the same for any other folder of your WP installation, the result will be the same.
Before you go through each and every subfolder, you should know that the rule above applies to the folder in which you create the .htaccess file and to every subfolder beneath it. So instead of creating the file in wp-content/uploads, which covers that one folder only, you can create the same file in the wp-content folder, which will hide the entire wp-content tree, including subfolders like wp-content/uploads, wp-content/themes, wp-content/plugins and anything else found under it.
If you want to make sure that your site is safe, we suggest running multiple security tests with Security Ninja plugin.