A better alternative to "Silence is golden" placeholder in WordPress
For decades, WordPress developers have followed a simple convention: place an index.php file with a // Silence is golden comment in every plugin or theme subdirectory. The goal? Prevent directory listing in case the web server allows it.
This pattern has become so widespread that it's rarely questioned. Well, maybe it's time we did.
The truth about “Silence is Golden”
This convention made sense back in the early days of WordPress, when shared hosting was inconsistent and server configurations varied wildly. Adding an empty index.php was a quick and dirty way to prevent someone from peeking inside your plugin's folder and seeing the file structure.
But let's be real for a moment:
- Most WordPress plugins and themes are open-source. Anyone can view the code in a public SVN or GitHub repo, so hiding the file structure protects nothing.
- Directory listing is disabled by default on most modern hosting environments (nginx, for example, ships with autoindex off).
- The index.php files add no real value in terms of security or functionality beyond suppressing a listing that is usually already off.
So why are we still adding these ghost files?
A better approach with 404
Rather than passively silencing access, we should actively reject and obscure it.
Here's a small snippet you can use in place of the traditional index.php placeholder. It loads the WordPress environment and returns a proper 404 response using your theme's 404 template:
<?php
// Load WordPress and return a 404 page intentionally.
// The dirname() depth depends on where this file sits: three levels up from
// wp-content/plugins/<plugin>/ is the site root; add one level per subdirectory.
require_once dirname( __DIR__, 3 ) . '/wp-load.php';
global $wp_query;
$wp_query->set_404();
status_header( 404 );
nocache_headers();
// Themes without a 404.php return '' here; fall back to index.php as WordPress itself does.
$template = get_404_template();
if ( ! $template ) {
    $template = get_index_template();
}
include $template;
exit;
If you don't want to load the full WordPress stack, you can opt for a simpler version. The trade-off is an empty response body: it looks different from the theme's 404 page that a non-existent slug produces, so a bot that compares the two can still tell the directory exists:
<?php
// Actively reject access with a 404 header.
http_response_code(404);
exit;
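The snippet above hard-codes how many directory levels sit between the placeholder and wp-load.php, which silently breaks the moment the file is copied into a deeper subdirectory (it would then try to load wp-content/wp-load.php and fatal with a 500, a signal of its own). The following placeholder is an added example written for this article, not code from the original post or from WordPress: it walks up from its own location until it finds wp-load.php, refuses with a bare 404 if WordPress cannot be located, and otherwise renders the theme's 404 template with the same fallback WordPress's template loader uses. It assumes wp-load.php is an ancestor of the placeholder, which holds for a standard layout and for the usual relocated wp-content setups; the 10-level bound is an arbitrary safety limit.

```php
<?php
/**
 * Added example placeholder (not from the original post): return a theme 404
 * from any depth inside a plugin or theme directory tree.
 *
 * Assumption: wp-load.php lives in some ancestor directory of this file.
 */

// Locate wp-load.php by walking up the tree instead of hard-coding a
// dirname() depth that breaks when this file is moved to a subdirectory.
$dir     = __DIR__;
$wp_load = null;
for ( $level = 0; $level < 10; $level++ ) {           // 10 levels: arbitrary safety bound
    if ( is_file( $dir . '/wp-load.php' ) ) {
        $wp_load = $dir . '/wp-load.php';
        break;
    }
    $parent = dirname( $dir );
    if ( $parent === $dir ) {
        break;                                          // reached the filesystem root
    }
    $dir = $parent;
}

if ( null === $wp_load ) {
    // WordPress could not be found: still answer 404 rather than a 200 with an
    // empty body, and keep the answer out of caches.
    http_response_code( 404 );
    header( 'Cache-Control: no-cache, must-revalidate, max-age=0' );
    exit;
}

require_once $wp_load;

// Mark the main query as a 404 so conditional tags and the template behave as
// they would for a genuinely unknown URL.
global $wp_query;
$wp_query->set_404();
status_header( 404 );
nocache_headers();

// Prefer the theme's 404 template; fall back to index.php, which is what
// WordPress's own template loader does when 404.php is missing.
$template = get_404_template();
if ( ! $template ) {
    $template = get_index_template();
}
if ( $template ) {
    include $template;
}
exit;
```

Drop this file as index.php into the plugin or theme root and into each subdirectory; because it finds wp-load.php itself, the same file works unmodified at every depth. Note that the response is the theme's 404 page, so an attacker comparing it against the 404 for a made-up slug sees no difference in status code or body.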
This small step makes a plugin or theme directory harder to spot. Many automated bots enumerate a site by cycling through known plugin/theme slugs and checking how each directory URL responds.

With the traditional "Silence is Golden" placeholder the directory still answers with an HTTP 200 (OK), and with no placeholder at all a server that has directory listing disabled typically answers 403 (Forbidden). Both differ from the 404 a non-existent slug produces, so either one inadvertently confirms the plugin/theme's presence and makes it easier for bots to target your site using known vulnerabilities associated with that plugin or theme. Keep in mind that this only closes the directory-request signal: bots also request files such as readme.txt, style.css or known CSS/JS assets, which still respond normally, so the 404 placeholder complements keeping plugins and themes patched rather than replacing it.