Wp-includes .htaccess problem

by 5 replies
7
I just built a new Wordpress site, and added a theme, a few plugins and created one post. Then I added some things to my .htaccess file in the wp root directory to protect certain files, as I usually do. Then I cleared cookies, etc., and tested my site to see if the files that should be protected by the .htaccess were being protected.

Well, everything checked out fine except for the wp-includes files. When I go to mywebsiteurl/wp-includes/, lo and behold, there are all the files listed for any one to see. What am I missing? I have used the exact same code for my other sites, and I have never had this problem before. Below is the code I have in the .htaccess file (outside the Wordpress tags):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Edit: I am not using any plugins that write to the .htaccess, it is all manually added except for the part that WP writes re the permalinks.
#programming #htaccess #problem #wpincludes
  • Why don't you simply add an empty index.php file inside the wp-includes folder?

    This way, when someone will try to go to www.example.com/wp-includes, he will see a blank page.
    • [1] reply
    • Thanks! That worked. I don't know why I didn't think of that.
      • [1] reply
  • You can Disable unauthorized directory browsing by adding the following to your .htaccess
    Options All -Indexes

    Here are some nice snippets to Harden your website’s Security using .htaccess: .htaccess rules to Harden your website
    • [ 2 ] Thanks
    • [1] reply
    • I forgot to mention in my first post above that I already did that, in addition to the other code I added. It did not work - it should have, but it didn't.

Next Topics on Trending Feed

  • 7

    I just built a new Wordpress site, and added a theme, a few plugins and created one post. Then I added some things to my .htaccess file in the wp root directory to protect certain files, as I usually do. Then I cleared cookies, etc., and tested my site to see if the files that should be protected by the .htaccess were being protected. Well, everything checked out fine except for the wp-includes files. When I go to mywebsiteurl/wp-includes/, lo and behold, there are all the files listed for any one to see. What am I missing? I have used the exact same code for my other sites, and I have never had this problem before. Below is the code I have in the .htaccess file (outside the Wordpress tags):