• In the “Hardening WordPress” article, there is a section of .htaccess code at the following URL: https://www.ads-software.com/support/article/hardening-wordpress/#securing-wp-includes . The idea is to block direct access to .php files in wp-includes. Here’s the code:

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    However, this rule doesn’t match all PHP files in wp-includes. For example, it doesn’t match this URL: …/wp-includes/ID3/module.audio.ac3.php . The code only seems to block PHP files directly inside wp-includes and not within sub-directories.

    To match all PHP files, we need to change line #7 to something like this:

    RewriteRule ^wp-includes/.*\.php$ - [F,L]

    I’m not a regex expert, so I don’t want to implement something without thinking. Just thought I’d ask the community two questions:

    1. Is there any valid reason to directly access .php files in wp-includes including subdirectories?

    2. Will my modified code have some side effects? I basically just want to match all PHP files either directly in wp-includes, or in its subdirectories.

    I want to do this, because I’ve been getting some errors in my logs about people trying to access this file: …/wp-includes/ID3/module.audio.ac3.php , which generates a Fatal Error in my php_errorlog file.

    • This topic was modified 4 years, 7 months ago by bhagwad.


Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Samuel Wood (Otto)

    (@otto42)

    www.ads-software.com Admin

    There should be no real problem blocking those requests if you would like to do so.

    Having direct calls into wp-includes files is more of an annoyance than a security problem. None of those files really do anything if called directly.

    That said, if you are hacked in some other manner, and the files in your install are modified, then having this sort of blockade could prevent automated scripts which modify and then call those files from processing through correctly.

    Thread Starter bhagwad

    (@bhagwad)

    @otto42

    Thanks for the response! So if I change:

    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

    to

    RewriteRule ^wp-includes/.*\.php$ - [F,L]

    It should be ok? Like I said, I’m not an expert in Regex, but I think the changed rule blocks all direct requests to ANY php file in wp-includes…

    There’s an official ticket on the WordPress code discussion site regarding this very issue: https://core.trac.www.ads-software.com/ticket/49499 . In that, they recommend using the .htaccess code in https://www.ads-software.com/support/article/hardening-wordpress/#securing-wp-includes, but as I mentioned in the OP, it doesn’t work. Hence the modifications.
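To make the regex question in the original post and the follow-up concrete, here is an added Python model of the rewrite chain (not code from the thread, the hardening article or WordPress itself): it walks the official rules and the widened third rule over constructed sample paths, including the `[S=3]` skip for requests outside wp-includes, so the difference and any side effects are visible.

```python
import re

# Minimal model of the mod_rewrite chain from the hardening article. Each rule is
# (pattern, negated, action); action is "F" (403 and stop, L implied) or an int n
# meaning [S=n] (skip the next n rules when the rule matches). Only the flags the
# snippet uses are modelled; patterns are PCRE-compatible and work unchanged in re.
OFFICIAL = [
    (r"^wp-admin/includes/", False, "F"),
    (r"^wp-includes/", True, 3),   # "!" rule: matches when the pattern does NOT match
    (r"^wp-includes/[^/]+\.php$", False, "F"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, "F"),
    (r"^wp-includes/theme-compat/", False, "F"),
]

# bhagwad's proposed change: the third rule widened to any depth below wp-includes/.
MODIFIED = list(OFFICIAL)
MODIFIED[2] = (r"^wp-includes/.*\.php$", False, "F")


def is_forbidden(rules, path):
    """True if the chain answers 403 for path (relative to RewriteBase /, no leading slash)."""
    i = 0
    while i < len(rules):
        pattern, negated, action = rules[i]
        # RewriteRule patterns are unanchored unless they start with ^, hence re.search
        if bool(re.search(pattern, path)) != negated:
            if action == "F":
                return True
            i += action          # [S=n]: skip the next n rules
        i += 1
    return False


def compare(paths):
    """Map each path to (blocked_by_official, blocked_by_modified) to expose side effects."""
    return {p: (is_forbidden(OFFICIAL, p), is_forbidden(MODIFIED, p)) for p in paths}


# Constructed sample paths: the file from the thread plus neighbours that show what changes.
SAMPLE_PATHS = [
    "wp-includes/ID3/module.audio.ac3.php",           # the file from the OP's error log
    "wp-includes/version.php",                        # top-level include, blocked either way
    "wp-includes/js/tinymce/langs/en.php",            # already covered by the fourth rule
    "wp-includes/css/dist/block-library/style.css",   # static asset, must stay reachable
    "wp-content/plugins/example/example.php",         # outside wp-includes: [S=3] skips the block
    "index.php",
]

if __name__ == "__main__":
    for path, (official, modified) in compare(SAMPLE_PATHS).items():
        print(f"{path:48} official={official!s:5} modified={modified!s:5}")
```

Before widening the rule on a live site, run the same comparison over any PHP file under wp-includes that your install's pages actually request directly, since `^wp-includes/.*\.php$` blocks every such request at any depth.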

  • The topic ‘Official .htaccess Rules Not Working to Block wp-includes’ is closed to new replies.