150 views 4 min 0 Comment

Are you Leaving your WordPress Files Exposed?

/ Editor - 25 April 2018

Are you using WordPress, there may be an issue you don’t know anything about that’s affecting the security of your uploaded files. Just because you have it set up so that only people who can access have to go through an opt-in process, it doesn’t always mean that the public can’t access them.

Lets check if you have this issue.

go to your site’s upload directory.
For example,


You may see your themes and plugins, numerous folders and lots of images. Take a closer look, and you will be able to see that file you uploaded as part of your product that you are selling.

What this means that anyone with a little bit of knowledge can easily access and download any or all of your files for free.

It’s not hard.

If you test this directory URL on other WordPress sites that you knew. Some had their upload directory are hidden, but others may not.

How To Hide a WordPress Upload Directory?

There are two methods you can use.


Using Security Plugins can make it easy to restrict WordPress directory browsing so that no one can view your the uploads file.

The two plugins I Recommend are:

  • Sucuri Security Plugin
  • Wordfence Plugin


You can create a blank index.html or index.php file and then upload it to your WordPress wp-content/uploads directory. This method will successfully hide your uploads directory from the public.

Another way is to modify your .htaccess file which can be found in the root directory. This method can be a bit more complicated, but it will protect your data from nosey people or hackers.

Hide Wp-config.php

The Wp-config.php file stores information about your WordPress database & site. You don’t want anyone getting that information. This file can be hidden by modifying the .htaccess file in the root directory

Add the following to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all

Hide .htaccess

You will also want to protect the .htaccess file if.

Add the following to your .htaccess file:

<files ~ “^.*.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all

You can find the .htaccess file using FTP and edited with a text editor app, but you can also see it in cPanel. Log in and go into your file management and allow display of hidden files. It should be in the root directory of your server.


if you choose option 1. You can use this file manager to upload the blank index.php to your wp-content/uploads directory.

I hope this has helped you make your WordPress site more secure. Is there any security issue you would like to know more about or If you have any questions, please feel free to leave us a comment.

This post was originally posted on MPH Creative Blog as a guest post by myself

Editor - Published posts: 41

Editor | Loves Scientific Marketing | Hates Bad Marketing |