>Edit system files
We achieve this by blocking those scripts using mod_rewrite in the .htaccess file.
Place the following code outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file, otherwise it may be overwritten by WordPress which can overwrite anything between these tags.
<em># Block the include-only files.
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]
This will not work well on Multisite because <em>RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]</em> will prevent the ms-files.php file from generating images.
Removing this line will allow the security measure to work but offers less security.