Do I have to have an index file in all my directories in order to stop the list of files showing on the screen?
Yes and no. That is one way to do it, another way would be to use .htaccess to return a 403 access denied warning. I’m not too fond of messing with .htaccess unless absolutely necessary. What I do is put up an index.html page that says “WARNING! INTRUDER ALERT!” and has a really creepy pair of shifty red eyes. You could also have an index.php file redirect back to your main page.
It’s good design form to have an index page in any directory you have other pages in. To disable directory content listings in your image (or whatever) directories, add the following line to an .htaccess file in the root directory of your site:
The advantage to using .htaccess is that it’s instantly site-wide, you don’t have to remember to copy that clever “get out” page to every directory in your site. For example…
[link removed at site owner’s request]
Ok Thank you both for the info. Now what you just knew was gonna happen … what is .htaccess? and what is index.php??
Would you mind removing that link? No hard feelings, by if I wanted to post an example from my own site, I would have. You are free to post an example from your site.
For the index.php file, Just create a file with only the following line and place it in the directory you want to deny access to:
This will redirect anyone who attempts to access the directory back to your main site.
I see you already put a redirect in place, but I went ahead and removed the link. It illustrated my point very well though, thank you.
To the original poster, to use the method I recommended, create a single file named “.htaccess” (no quotes, but note the leading dot) with the single line I posted above. See the DH kbase for help if you have trouble creating or uploading this file.
Ok I made a file in notepad called .htaccess (removed the .txt from the end of file) then I FTP’d it to the directory I don’t want the files to list and no change was noticed.
Is there a difference to the .htaccess and the index.php method?
This method appears to work what (if any) is the difference between this method and the .htaccess one?
Thank you both of you for the help!
What happened? The directory contents are still showing? Post the URL so we can see what’s going on, as well as the contents of your .htaccess file. Remember, .htaccess, all lower case, leading dot, no extension. It may be reported as a “hidden file” in your FTP client. This is good.
Re: the difference between the two: The .htaccess method will send the browser a “403 Forbidden” error if there is no index page in the directory they’re trying to look at. It will apply to the directory the file is in, and any subdirectories, so if you put it in a specific directory it will affect that directory, if you put it at the root of your site, it will affect all directories. Folders with index.* pages will function normally.
The PHP method will simply redirect the user to a page of our choosing if they try to access the directory in question. Like the “get out” index page suggested above, you will need to copy this index.php file to every directory you want to deny access to.
These explanations are a bit simplified, but they get the point accross.
The better question might be, why does DH allow directory listings by default? I think most people wouldn’t want them enabled (assuming they’re even aware of their options (no pun intended)). A better approach might be to disable them in the main server config and allow people to enable them on a per-directory or per-site basis.
Ok I re-did the .htaccess file and now it looks like it works! Thank you! Though I must admit I like the index.php feature that lets you re-direct to the home page … but then again I also like the .htaccess feature of only having to upload it once to the root. Can these features be combined?
Yes I AGREE DH should change the default setting to not list directories … who DOES what that showing!!!
Oh BTW - why is it “good” that the FTP shows it as a hidden file? It was hidden but I selected my FTP option to show hidden files
As a matter of fact, you can combine the two. I was going to mention it before, but decided to keep to the basics.
Step 1: Create the PHP file mentioned above. It doesn’t matter where the file is located, put it somewhere that makes sense with your site layout and give it a descriptive name (eg, forbidden.php). You can put it in your root directory, but I tend to put supporting files (ie, non-content-related) into a specific place. But it doesn’t matter.
Step 2: Leave that first line in .htaccess and add another one below it reading:
ErrorDocument 403 /path/to/forbidden.php
So if you put that PHP file in the root directory, the path would be /forbidden.php. If it’s in a directory called “stuff”, it would be /stuff/forbidden.php. And so on.
Step 3: That’s it, there is no step three.
The result will be that the web server will return an error to anyone looking in these directories, and serve up the custom error page specified in the ErrorDocument line. Because the specified error document is the PHP redirect script, they will be redirected back to your front page. This will work for any directory without an index file.
I used “good” as opposed to bad. “Correct” might have been a better word. On Unix systems, files beginning with a dot are hidden.
does that work if you’re running php as cgi (the now default setting)?
Just took a quick look in the kbase and found nothing but I have it in my head that this is true…
It should work just fine. I’m having no troubles.
Great I’ll give that a shot (the combo thing)
Thanks for the help!!