Security message: empty index.php file sense?

In the security notes, each of my pages has the following message: “MainWP Plugin will check if it’s possible to list /wp-content/, /wp-content/plugins/, /wp-content/themes/ and /wp-content/uploads/ directories. After fixing this issue, an empty index.php file will be inserted in each directory in order to prevent listing.”

Can someone explain this to me? What exactly is the point of uploading empty index.php files there? What listing are you talking about?

Hi @wizible

Placing an empty index.php file to prevent a directory listing is not related to specifically to MainWP but WordPress in general.

When you place an empty index.php file in the directory, the web server will serve that file (which is empty, so nothing gets displayed) instead of the directory listing.

Ok thanks.
So for example if you go to you should see the content?

None of my installations show anything here, but I still get the “problem” message from mainWP.

Hi Patrick,

While a lot of hosts have directory listing prevention by default nowadays, there are still some that do not do this.

So inserting the blank index.php file is the best practice. This is pretty common in the WP world.

If you feel like you don’t need this security check on your setup, you can unhook it by using the following code snippet by placing it to the PHP section in the Custom Dashboard extension:

add_filter( 'mainwp_security_issues_stats', 'hook_mainwp_security_issues_stats', 10 );
function hook_mainwp_security_issues_stats() {
	return array(
		'listing' => 'Y'

This won’t actually disable the check, but it will remove the numbers from the Overview page.

1 Like

Ok thanks for the explanation.


This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.