Securing scripts in wp-includes

Protection Requirement:

OPTIONAL

Skills/Resources:

>Edit system files
>Text editor

THE THREAT
PHP files in wp-includes and wp-admin/includes are meant to be loaded only by other WordPress code, yet by default a browser can request any of them directly. A direct request to such an include-only script is a route attackers probe, so there is no reason to leave it open.

THE OBJECTIVE
Block direct HTTP requests to those include-only scripts with mod_rewrite rules in the .htaccess file.

PROPOSED SOLUTION
This measure adds a second layer of protection for scripts that are not intended to be requested directly by any visitor: WordPress's own checks remain in place, and the web server now refuses the request before PHP is ever involved.

We achieve this with mod_rewrite rules in the .htaccess file that return 403 Forbidden for matching paths.

Place the following code outside the # BEGIN WordPress and # END WordPress markers in the .htaccess file. WordPress rewrites everything between those markers when it regenerates its rules, so anything you put there may be overwritten. Copy the rules as plain text: the substitution target in each rule must be a plain hyphen (-), which tells mod_rewrite to leave the URL unchanged; a typographic dash pasted from a web page will not be treated as "no substitution".

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Nothing under wp-admin/includes/ is meant to be requested directly.
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests that do not start with wp-includes/ skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# PHP files directly inside wp-includes/ (not in its sub-directories).
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Multisite Implementation

This will not work well on Multisite, because the rule RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] also blocks wp-includes/ms-files.php, the script Multisite uses to serve uploaded files such as images.

Removing that one rule (and lowering the skip count in the preceding rule to [S=2] so it still skips exactly the remaining wp-includes rules) lets the measure work on Multisite, but direct requests to the other PHP files in the top level of wp-includes are then no longer blocked.
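To see exactly which requests the rule set above refuses, including the Multisite case just described, here is an added simulation of how mod_rewrite walks that rule chain. It is not code from this page or from WordPress: the rules are transcribed from the .htaccess snippet, the evaluation loop models only the flags the snippet uses ([F], [L], [S=n]), and the request paths are constructed samples (paths are tested relative to RewriteBase /, so without a leading slash).

```python
"""Simulate the 'Block the include-only files' mod_rewrite chain.

Added illustration, not part of the original page: models only the [F],
[L] and [S=n] flags used by the snippet, against constructed sample paths.
"""

import re

# (pattern, negate, flags) in the order the rules appear in .htaccess.
# A negated pattern (RewriteRule !^wp-includes/ ...) "matches" when the
# regex does NOT match the request path.
RULES = [
    (r"^wp-admin/includes/", False, {"F", "L"}),
    (r"^wp-includes/", True, {"S=3"}),
    (r"^wp-includes/[^/]+\.php$", False, {"F", "L"}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F", "L"}),
    (r"^wp-includes/theme-compat/", False, {"F", "L"}),
]

# The Multisite variant from the text: drop the top-level wp-includes rule
# and lower the skip count so it still covers exactly the remaining rules.
MULTISITE_RULES = [
    (r"^wp-admin/includes/", False, {"F", "L"}),
    (r"^wp-includes/", True, {"S=2"}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, {"F", "L"}),
    (r"^wp-includes/theme-compat/", False, {"F", "L"}),
]


def _skip_count(flags):
    """Return n from an S=n flag, or 0 when the rule has no skip flag."""
    for flag in flags:
        if flag.startswith("S="):
            return int(flag[2:])
    return 0


def evaluate(path, rules=RULES):
    """Return 'forbidden' or 'pass' for a path relative to RewriteBase /."""
    i = 0
    while i < len(rules):
        pattern, negate, flags = rules[i]
        # mod_rewrite patterns are unanchored PCRE; every rule here uses ^.
        hit = re.search(pattern, path) is not None
        if negate:
            hit = not hit
        if not hit:
            i += 1
            continue
        if "F" in flags:
            return "forbidden"          # 403 Forbidden, chain stops ([L])
        # A matching [S=n] rule skips the next n rules; skipping past the
        # end simply ends processing.
        i += 1 + _skip_count(flags)
    return "pass"


def evaluate_all(paths, rules=RULES):
    """Map each sample path to its verdict under the given rule set."""
    return {p: evaluate(p, rules) for p in paths}


# Constructed sample requests covering each rule and the known edge cases.
SAMPLE_PATHS = [
    "index.php",                                # normal front-end request
    "wp-admin/admin-ajax.php",                  # wp-admin, but not includes/
    "wp-admin/includes/file.php",               # rule 1
    "wp-includes/wp-db.php",                    # rule 3: top-level PHP
    "wp-includes/ms-files.php",                 # rule 3 too: the Multisite problem
    "wp-includes/js/jquery/jquery.js",          # static asset, must stay reachable
    "wp-includes/js/tinymce/langs/en.php",      # rule 4
    "wp-includes/theme-compat/comments.php",    # rule 5
    "wp-includes/SimplePie/Cache.php",          # PHP in another sub-directory: NOT covered
]

if __name__ == "__main__":
    for name, rules in (("default", RULES), ("multisite", MULTISITE_RULES)):
        print(f"--- {name} rule set ---")
        for path, verdict in evaluate_all(SAMPLE_PATHS, rules).items():
            print(f"{verdict:9s} {path}")
```

Two results are worth noting when you run it. First, ms-files.php is forbidden under the default rules and passes under the Multisite variant, which is the trade-off the text describes. Second, a PHP file in any wp-includes sub-directory other than js/tinymce/langs and theme-compat passes under both rule sets, because ^wp-includes/[^/]+\.php$ only matches files directly in wp-includes; the snippet blocks the top level, not the whole tree.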

MORE ADVANCED
none

NEED HELP?
If you need help implementing this and other security measures then Virtual Webmaster Services can help. Visit Virtual Webmaster Services