Official .htaccess Rules Not Working to Block wp-includes
-
In the “Hardening WordPress, there is a section of .htaccess code at the following URL:
https://www.ads-software.com/support/article/hardening-wordpress/#securing-wp-includes . The idea is to block direct access to .php files in wp-includes. Here’s the code:
# Block the include-only files. <IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteRule ^wp-admin/includes/ - [F,L] RewriteRule !^wp-includes/ - [S=3] RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L] RewriteRule ^wp-includes/theme-compat/ - [F,L] </IfModule>
However, this rule doesn’t match all PHP files in wp-includes. For example, it doesn’t match this URL: …/wp-includes/ID3/module.audio.ac3.php . The code only seems to block PHP files directly inside wp-includes and not within sub-directories.
To match all PHP files, we need to change line #7 to something like this:
RewriteRule ^wp-includes/.*\.php$ - [F,L]
I’m not a regex expert, so I don’t want to implement something without thinking. Just thought I’d ask the community two questions:
1. Is there any valid reason to directly access .php files in wp-includes including subdirectories?
2. Will my modified code have some side effects? I basically just want to match all PHP files either directly in wp-includes, or in its subdirectories.
I want to do this, because I’ve been getting some errors in my logs about people trying to access this file: …/wp-includes/ID3/module.audio.ac3.php , which generates a Fatal Error in my php_errorlog file.
The page I need help with: [log in to see the link]
- The topic ‘Official .htaccess Rules Not Working to Block wp-includes’ is closed to new replies.