7 {{ upvoteCount | shortNum }}
7 {{ upvoteCount | shortNum }}

Wp-includes .htaccess problem

by sprucehill
5 replies
I just built a new Wordpress site, and added a theme, a few plugins and created one post. Then I added some things to my .htaccess file in the wp root directory to protect certain files, as I usually do. Then I cleared cookies, etc., and tested my site to see if the files that should be protected by the .htaccess were being protected.

Well, everything checked out fine except for the wp-includes files. When I go to mywebsiteurl/wp-includes/, lo and behold, there are all the files listed for any one to see. What am I missing? I have used the exact same code for my other sites, and I have never had this problem before. Below is the code I have in the .htaccess file (outside the Wordpress tags):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Edit: I am not using any plugins that write to the .htaccess, it is all manually added except for the part that WP writes re the permalinks.
#htaccess #problem #wpincludes
  • Profile picture of the author Zenoth
    Why don't you simply add an empty index.php file inside the wp-includes folder?

    This way, when someone will try to go to www.example.com/wp-includes, he will see a blank page.
    {{ DiscussionBoard.errors[9910397].message }}
    • Profile picture of the author sprucehill
      Originally Posted by Zenoth View Post

      Why don't you simply add an empty index.php file inside the wp-includes folder?

      This way, when someone will try to go to www.example.com/wp-includes, he will see a blank page.
      Thanks! That worked. I don't know why I didn't think of that.
      {{ DiscussionBoard.errors[9911057].message }}
      • Profile picture of the author Zenoth
        Originally Posted by sprucehill View Post

        Thanks! That worked. I don't know why I didn't think of that.
        You're welcome .
        {{ DiscussionBoard.errors[9911438].message }}
  • Profile picture of the author nimonogi
    You can Disable unauthorized directory browsing by adding the following to your .htaccess
    Options All -Indexes

    Here are some nice snippets to Harden your website’s Security using .htaccess: .htaccess rules to Harden your website
    {{ DiscussionBoard.errors[9919825].message }}
    • Profile picture of the author sprucehill
      Originally Posted by nimonogi View Post

      You can Disable unauthorized directory browsing by adding the following to your .htaccess
      Options All -Indexes
      I forgot to mention in my first post above that I already did that, in addition to the other code I added. It did not work - it should have, but it didn't.
      {{ DiscussionBoard.errors[9923783].message }}

Trending Topics