Disabling Directory Browsing and Unnecessary PHP Execution

To disable directory browsing, you need to configure your web server so it does not list the contents of directories when no index file is present. For Apache, this is typically done by removing the Indexes option from the Options directive in the relevant <Directory> block or .htaccess file, for example:

Options -Indexes

This change causes the server to return a "403 Forbidden" error instead of showing directory contents.

To disable PHP execution in specific directories (such as upload folders where PHP scripts should not run), you can use .htaccess files with the following directive:

<Files *.php>
  deny from all
</Files>

or for more modern Apache versions:

<FilesMatch "\.php$">
  Require all denied
</FilesMatch>

This prevents PHP scripts from executing in those directories, mitigating risks from uploaded malicious scripts.

Summary of steps for Apache:

1. Disable directory browsing:

   • Edit your Apache configuration file (e.g., /etc/apache2/apache2.conf) or the site’s virtual host file.
   • Locate the <Directory> block for your web root or target directory.
   • Add or modify the line to Options -Indexes.
   • Alternatively, create or edit a .htaccess file in the directory and add Options -Indexes.
   • Restart Apache to apply changes: sudo systemctl restart apache2.

2. Disable PHP execution in specific directories:

   • Create or edit a .htaccess file inside the directory where PHP execution should be disabled (e.g., /wp-content/uploads/).
   • Add the directive to deny PHP execution:

     <FilesMatch "\.php$">
       Require all denied
     </FilesMatch>
     

   • Save the file and test to ensure PHP scripts do not run there.

Additional notes:

• For IIS, directory browsing can be disabled via the <directoryBrowse> element in the configuration file or IIS Manager.
• Always backup configuration files before making changes.
• After disabling directory browsing, users accessing directories without an index file will receive a 403 Forbidden error instead of seeing directory contents.
• Disabling PHP execution in upload or cache directories is a common security best practice, especially for CMS platforms like WordPress, to reduce attack surface.

This approach helps protect sensitive files and reduces the risk of exploitation by preventing attackers from browsing directories or executing unauthorized PHP scripts.