How the hell do I secure wp-includes and wp-content

Have a look at the Ask Apache Password Protect plugin. It’ll do it for you. (and also wp-admin, wp-login.php (and logout) and optionally hotlinking and other things.)

See also: Hardening WordPress

Thanks, thats someting else I’m also going to try, anyone know if that SSL is 2.7 compatible?

…secure wp-includes and wp-content

from what?

From people looking through it, from anything it needs to be secured from…. mostly from people looking through it, plus I just laerned about Options -Indexes today. Havent gotten to try it yet, but will soon. I’m still not sure how much of a security risk it is to let people look through it, at least besides others getting to know what plugins I am using and their security risks, I guess thats another thing I am wondering as well.

Options -Indexes

will keep directories from being browsable.

and if thats all your interested in, thats all you need.

the rest of what you are doing is largely overkill.

>> I’m still not sure how much of a security risk it is to let people look through it, at least besides others getting to know what plugins I am using and their security risks

anyone with a brain doesnt need to look through wp-includes/ — they can go grab the source files.

disallowing browsing of your plugins directory is a good idea, but you can’t and shouldnt rely on that as ‘security’. LOTS of plugins advertise themselves withon your source — they load files, plugin authors leave comments identifying the plugin name, etc..

Overkill yes, but is it overkill that can make a difference?

can? sure. no-one can say no to that question, because of how its worded ??

Hmmmm thats true and you have a good point there, will it make a difference? And to make it more interesting, lets imagine that it was a possible high target site :p would it make a difference then?

hypothetically speaking — what you want to concern yourself with is that no-one can write to those directories.

Browsing files is a nuisance. having the ability to write to a directory is bad.

Lets pretend this is my site, and that I can do what I want..

1. install suphp, and adjust permissions that take advantage of it being used.
2. Make sure I have server logs that are being saved.

For what its worth, unless you have the domain hackme.com or a site thats financial in nature, or has recently posted a challenge to hackers, I dont believe in the “possible high target” theory.

Most, not all, but most exploited sites are the result of lucky script kiddies — not unmitigated and unseen deliberate attempts. Thats not to say it doesnt happen — I know it does, Ive seen it. Its just not the norm.

Thats what I was thinking, the script based attack, that is the main reason I am concerned with this. I thought that a lockdown like that would block it. But I guess all I really need is to have the right capability removed, and to do something like Options -Indexes would do what I am looking for. I just put it in the main .htaccess in the main WP directory right? The suphp logs what people send on the site, so that would also be helpful, I guess my questions are answered. I’m also looking into a Apache login password plugin, or a ssl plugin for logins. I was just looking to make it as secure as it sanely could.

For Options -Indexes, does it go into each .htaccess file of the directory I am trying to block, or does it go into the main .htaccess in the folder I have WordPress set up?

Anyone got anything? Searched Google, but all I find is Options for the menu, and tabs.

I believe if you just put Options -Indexes in the .htaccess in public_html then it will prevent any directory in public_html from being browsed…it seems to be working that way on my sites.

nemo,

…does it go into each .htaccess file of the directory I am trying to block, or does it go into the main .htaccess in the folder I have WordPress set up?

Just the top most is fine, .htaccess files are hierarchical.