There are scripts within WordPress that are not intended to be accessed by most users. To prevent such access we can block these scripts by using “mod_rewrite” via our servers’ .htaccess file.
Securing wp-includes #
Access your website server parent directory and add the following code to your .htaccess file. Be sure to insert this code outside of the “# BEGIN WordPress” and “# END WordPress” tags. Otherwise they might be overwritten upon an update.
# Block Include-Only File Access <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule>
Code Explanation #
LINE 1: Checks whether module mod_rewrite.c is available.
LINE 2: Activates Apache’s rewrite module, if not already activated. Can be omitted if it has been previously turned on but won’t hurt to keep it in place.
LINE 3: Defines the root directory as the directory where the rules should be rewritten.
LINE 4: Using the [F] flag, at the end of the rule, causes the server to return a 403 Forbidden status code to the client. When using [F], an [L] is implied which returns the response immediately and no other rules are evaluated. Thus this line of code blocks access to the “wp-admin/includes” directory and not the entire wp-admin directory.
LINE 5: The [ ! ] exclamation point at the beginning of this line signifies NOT. So, if we are NOT in the wp-includes folder. The [S] flag is used to skip rules. The syntax of the skip flag is [S=N], where N signifies the number of rules to skip (provided the RewriteRule matches). Thus this line may be translated as follows, if we are not in the wp-includes folder skip the next three rules (see below).
LINE 6: RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
LINE 7: RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
LINE 8: RewriteRule ^wp-includes/theme-compat/ – [F,L]
All three lines above (if not skipped in the previous rule) would return a 403 Forbidden status code to the client browser thus blocking access to listed rule directories.
Multisite WordPress #
If your WordPress website is on “Multisite” mode you’ll need to comment out the third rule (LINE 6):
RewriteRule ^wp-includes/[^/}+\.php$ - [F,L]
Comment out the rule by adding a pound sign ( # ) to the beginning of the line. Otherwise this will prevent ms-files.php (which resides in your wp-includes folder) from executing and generating needed images. Omitting that line will allow the file to execute and function as needed but don’t provide the full protection originally intended.
When in doubt about security, ensure your plugins and WordPress core files are up to date. Consider hiring me to manage, maintain and secure your WordPress web site for you.
End of File #
I hope this article on securing your WordPress includes folder has helped provide you with greater security on your existing and future WordPress web sites.
Let me know if you found any errors within my article or if I may assist you by answering any additional questions you may have.