Title: Calling WordPress Security Experts: WP-Includes question!
Last modified: May 5, 2021

---

# Calling WordPress Security Experts: WP-Includes question!

 *  [addirector](https://wordpress.org/support/users/addirector/)
 * (@addirector)
 * [5 years, 1 month ago](https://wordpress.org/support/topic/calling-wordpress-security-experts-wp-includes-question/)
 * Hi there,
 * This is more of a personal question for my own curiosity.
 * One of my websites appears to be vulnerable because the directory listing (/wp-includes)
   is enabled. It’s not difficult to fix, however I’m wondering how serious
   this actually is if none of the files can actually be accessed?
 * If I click on basically any file, including user-meta and functions.php, it either
   returns an HTTP 500 or simply shows me a blank screen. So how would a hacker actually
   benefit from accessing the directory if none of the files can be accessed?

Viewing 1 replies (of 1 total)

 *  Moderator [Yui](https://wordpress.org/support/users/fierevere/)
 * (@fierevere)
 * 永子
 * [5 years, 1 month ago](https://wordpress.org/support/topic/calling-wordpress-security-experts-wp-includes-question/#post-14402429)
 * They can always access (if the web server permits direct PHP execution in those folders)
   those files; the content of the folder is known by looking inside the WordPress distribution
   archive.
 * Allowed listing can be a threat when you have plugins which may create “hidden”
   files, which should not be accessed by unauthorized people. Backup archives,
   logs (including payment gateway logs): if those are seen and can be downloaded,
   this is bad for you. Of course there should be better measures for protecting
   such files, but using a random seed in the file name and forbidding directory listing is
   the basic one, which offers at least temporary protection for such sensitive data.
 * It is good to forbid listing by default and allow it only in folders where you
   share files for direct downloads (file archives, like [http://ftp.gnu.org/gnu/gcc/](http://ftp.gnu.org/gnu/gcc/))
    -  This reply was modified 5 years, 1 month ago by [Steven Stern (sterndata)](https://wordpress.org/support/users/sterndata/).
      Reason: fixed spelling: treat -> threat :-)
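
A check a site owner can run over responses from their own folders, as an added example that is not part of the original thread: it recognises an autoindex page and reports the backup archives, dumps and logs that the listing exposes. The sample HTML, the extension list and the name `audit_listing` are assumptions made for illustration.

```python
from html.parser import HTMLParser
import re

# Constructed sample: body of an autoindex page for a plugin's backup folder.
SAMPLE_LISTING = """<html><head><title>Index of /wp-content/uploads/backups</title></head>
<body><h1>Index of /wp-content/uploads/backups</h1>
<a href="?C=N;O=D">Name</a>
<a href="/wp-content/uploads/">Parent Directory</a>
<a href="site-backup-2021-05.zip">site-backup-2021-05.zip</a>
<a href="gateway-debug.log">gateway-debug.log</a>
<a href="db.sql.gz">db.sql.gz</a>
<a href="index.php">index.php</a>
</body></html>"""

# Constructed sample: an ordinary page that is not a directory listing.
SAMPLE_PAGE = "<html><head><title>My blog</title></head><body><a href='a.zip'>x</a></body></html>"

# Assumed set of extensions worth flagging: backup archives, database dumps, logs.
SENSITIVE = re.compile(r"\.(zip|tar|tgz|gz|bz2|7z|sql|bak|old|log)$", re.I)

class _Links(HTMLParser):
    def __init__(self):
        super().__init__()
        self.title, self.hrefs, self._in_title = "", [], False
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.hrefs.append(href)
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit_listing(body):
    """Return (is_listing, exposed_files) for one HTTP response body."""
    p = _Links()
    p.feed(body)
    # Apache and nginx autoindex pages both title the page "Index of <path>".
    if not p.title.strip().startswith("Index of "):
        return False, []
    # Skip sort links (?C=...), parent/absolute links and subdirectories.
    names = [h for h in p.hrefs if not h.startswith(("?", "/", "..")) and not h.endswith("/")]
    return True, sorted(n for n in names if SENSITIVE.search(n))
```
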


The topic ‘Calling WordPress Security Experts: WP-Includes question!’ is closed 
to new replies.

 * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/)
 * 1 reply
 * 2 participants
 * Last reply from: [Yui](https://wordpress.org/support/users/fierevere/)
 * Last activity: [5 years, 1 month ago](https://wordpress.org/support/topic/calling-wordpress-security-experts-wp-includes-question/#post-14402429)
 * Status: not resolved

