WordPress – prevent access to php files in wp-includes

Most WordPress PHP files live in the wp-includes directory under the WordPress root directory. Attackers can try to request these files directly, which may also fill the Apache error log with unnecessary errors.

If you run WordPress on Apache, you can add the following to the Apache configuration file to prevent direct access to these PHP files:

RewriteEngine on
RewriteRule ^/wp-includes/[^/]*\.php$   - [L,R=403]

Alternatively, you can add the following to .htaccess:

RewriteEngine on
RewriteRule ^wp-includes/[^/]*\.php$   - [R=403,L]

Now try to access the URL /wp-includes/class-wp.php. You should see a 403 access denied page.
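
To check which requests the two rules above actually cover, this added example (not part of the original article) models mod_rewrite's path matching in Python: the server-config rule sees the full URL path, while the .htaccess rule sees the path with its directory prefix stripped. The helper names, the /blog install directory and the sample URLs are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The two patterns from the article. In server/vhost context mod_rewrite
# matches the full URL path (leading slash); in .htaccess context it matches
# the path with the directory prefix of that .htaccess file removed.
SERVER_RULE = re.compile(r"^/wp-includes/[^/]*\.php$")
HTACCESS_RULE = re.compile(r"^wp-includes/[^/]*\.php$")


def blocked_by_server_rule(url):
    """True if the server-config rule would answer 403 for this request."""
    # RewriteRule is matched against the URL path only, not the query string.
    return bool(SERVER_RULE.search(urlsplit(url).path))


def blocked_by_htaccess_rule(url, htaccess_dir="/"):
    """True if the rule in <htaccess_dir>/.htaccess would answer 403.

    htaccess_dir is the URL directory that holds the .htaccess file
    (hypothetical parameter; "/" means the document root).
    """
    path = urlsplit(url).path
    prefix = htaccess_dir.rstrip("/") + "/"
    if not path.startswith(prefix):
        return False  # request is outside the directory holding .htaccess
    return bool(HTACCESS_RULE.search(path[len(prefix):]))


# Constructed sample requests, not taken from any real log.
SAMPLES = [
    "/wp-includes/class-wp.php",               # file directly in wp-includes
    "/wp-includes/class-wp.php?x=1",           # query string is ignored
    "/wp-includes/js/tinymce/wp-tinymce.php",  # subdirectory: [^/]* stops at "/"
    "/wp-includes/css/buttons.css",            # not a .php file
    "/wp-login.php",                           # outside wp-includes
    "/blog/wp-includes/class-wp.php",          # WordPress installed under /blog
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url:42} server={blocked_by_server_rule(url)!s:5} "
              f"htaccess(/)={blocked_by_htaccess_rule(url)!s:5} "
              f"htaccess(/blog)={blocked_by_htaccess_rule(url, '/blog')}")
```

The output shows that both rules cover only PHP files directly inside wp-includes, not files in its subdirectories, and that the server-config rule as written assumes WordPress is installed at the site root.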
