Wordpress Security: Restrict wp-content and wp-includes on wordpress using htaccess

by Aky Joe on February 16, 2010


Today, blogging is a popular medium of knowledge sharing, which is a boon to globalization. But WordPress blogs have often been vulnerable through their own resources: a default install has loopholes in terms of security, such as directory listing, especially in a shared hosting environment.

Plugins are released every day to harden WordPress security. But a plugin only runs once WordPress itself has loaded, so it cannot stop a request that goes straight to a file under wp-content or wp-includes without ever passing through WordPress. Configuring the .htaccess file, which can sit in the site root or in any sub-directory, works at the web server level instead, so it can refuse such requests before any PHP runs. It helps prevent many attacks, including brute force attacks, directory listings, disclosure of sensitive information and so on.

The .htaccess method is a bit more involved, and a mistake in the directives can break third-party plugins or theme templates, or take the whole site down with a server error. But it is not that complex; with a bit of guidance it will significantly increase the security of your blog or website.

Note: Before attempting any changes, kindly back up your WordPress files and database, for quick restoration.

Below is the code to restrict access to the wp-content and wp-includes directories.

    # deny every request to this directory by default ...
    Order Allow,Deny
    Deny from all
    # ... except for the static assets a browser needs (note the escaped dot,
    # so only a real file extension matches, not any character followed by "js")
    <Files ~ "\.(css|jpe?g|png|gif|js)$">
        Allow from all
    </Files>

The code above denies access to every file in the directory except images (jpg, jpeg, gif, png), stylesheets (css) and JavaScript (js), so that the browser can still fetch those resources on the client side. PHP files in the directory can no longer be requested directly over HTTP, but WordPress can still include them, because include() reads from the filesystem and is not governed by .htaccess. Anything not in the list, for example font files or documents under wp-content/uploads, will also be refused with a 403, so extend the list with the extensions your theme and plugins actually serve. Note that Order, Deny and Allow are the Apache 2.2 syntax; Apache 2.4 uses Require all denied and Require all granted instead unless mod_access_compat is loaded.

Put the above code snippet into a .htaccess file within each of the wp-content and wp-includes directories and save it.

And we are done: we have restricted access to the wp-content and wp-includes directories by configuring a .htaccess file individually under both directories.
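The two files below are an added example written for this article; they are not the author's snippet and not configuration shipped by WordPress. They assume an Apache host that honours .htaccess (AllowOverride covering Limit, AuthConfig and FileInfo) with mod_rewrite available. The wp-content file keeps the article's allow-list approach but escapes the dot, carries both the Apache 2.2 and the Apache 2.4 syntax, and allows the font and document types a theme typically serves. The wp-includes file instead refuses only direct requests for PHP scripts, which is the approach taken in the WordPress Codex hardening guide, so the files WordPress fetches directly from that directory (such as the TinyMCE loader under js/tinymce/ that the visual editor uses) keep working.

```apache
# ---------- wp-content/.htaccess ----------
# Added example, not the article's original snippet.
# Default-deny, then re-allow the static file types a browser needs.
# Extend the extension list to whatever your theme and plugins serve.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require all denied
    <FilesMatch "\.(css|js|jpe?g|png|gif|ico|svg|woff2?|ttf|eot|pdf)$">
        Require all granted
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 (same rules, old syntax)
    Order Allow,Deny
    Deny from all
    <FilesMatch "\.(css|js|jpe?g|png|gif|ico|svg|woff2?|ttf|eot|pdf)$">
        Allow from all
    </FilesMatch>
</IfModule>

# ---------- wp-includes/.htaccess ----------
# Added example. WordPress requests a few files in here directly (for
# example the TinyMCE loader under js/tinymce/), so instead of allow-listing
# extensions we only refuse direct requests for PHP scripts. In .htaccess
# context the rewrite patterns match paths relative to this directory.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # PHP files directly inside wp-includes are include-only: 403 on direct request
    RewriteRule ^[^/]+\.php$ - [F,L]
    # TinyMCE language files are include-only too
    RewriteRule ^js/tinymce/langs/.+\.php$ - [F,L]
    # legacy theme-compat templates should never be served directly
    RewriteRule ^theme-compat/ - [F,L]
</IfModule>
```

Check the result before trusting it: with the files in place, a request for a script such as /wp-includes/wp-db.php (or any .php file directly under wp-content/plugins) should return 403, a request for a stylesheet under wp-content/themes should still return 200, and the visual editor in wp-admin should still load. Two known trade-offs: plugins that expose their own PHP files as AJAX or callback endpoints under wp-content are blocked by the allow-list and need their own Files exception, and on a Multisite install the first wp-includes rule also blocks wp-includes/ms-files.php, which older Multisite setups use to serve uploads.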

For any queries or further assistance, post a comment as your feedback.

Related posts:

  1. Wordpress Security: Disable directory browsing using htaccess on Apache Web Server
  2. How to Password Protect Web Directories using htaccess ?
  3. Wordpress Problem wp-includes/pluggable.php on line 865 [Solved]
  4. Wordpress Security Tip : Avoid Using admin as username
  5. Improve Performance by Image Caching of Wordpress Blog using htaccess trick

11 comments

TechOfWeb February 16, 2010 at 10:04 pm

Changing code in the htaccess file can sometimes be tricky. It should be used with caution.

Atul


Aky Joe February 18, 2010 at 3:43 pm

I appreciate your concern about the complexity of the .htaccess file.

.htaccess stands for Hypertext Access file; hence, any mismatch of code or keyword will cause erroneous exceptions to rule over. So, for a novice user, I'd suggest backing up a copy of htaccess as well as the WordPress database.


Lee | Money4Invest February 17, 2010 at 9:21 am

I'm interested in this topic as I want to secure wp-content and wp-includes on WordPress. I already have a .htaccess file in the public_html folder. Should I create another 2 .htaccess files to be placed in wp-content and wp-includes?


Aky Joe February 18, 2010 at 4:36 pm

I appreciate your feedback and the request for assistance.

Well, yes, as I mentioned above in the article, we will have to create .htaccess files for as many different directories as we need to protect. For instance, if you have 20 directories to protect, create 20 .htaccess files and place them separately in each directory, at a 1:1 ratio. :)


TechOfWeb February 19, 2010 at 1:16 am

Create 20 htaccess files for protecting 20 folders? Are you sure about this? I think a single htaccess is OK for a single web project.

Atul


Aky Joe February 19, 2010 at 4:09 pm

There isn't a need to have so many passwords when one master password can fulfil the need, but we still keep different passwords for different accounts, as per our need and reliability. So, I don't think there is a need to create 20 .htaccess files when one can do the trick. :)

But, since wp-includes and wp-content might contain different resources a blog needs in order to open, the need for creating two .htaccess files comes into play, so as to restrict the directories with their own directives.


pos monitoring March 1, 2010 at 6:26 am

I heard that it makes the files automatically? Not sure if that's true though.


Aky Joe March 3, 2010 at 12:38 pm

Well, basically WordPress creates a .htaccess file by default, but it doesn't configure it for a tough security level. So you have to take manual action in order to secure your content or sub-directories.


Okoth April 12, 2010 at 10:34 am

Your method will definitely make sure you cannot use the Visual editor anymore :)

Do you have a real solution to restrict access to wp-content and wp-includes AND that lets me use ALL functions of WordPress?


Airbilder May 17, 2010 at 1:12 am

Good method, thanks!


Cruz3N May 23, 2010 at 10:20 pm

Nice trick, bro, but I want to tell you, WordPress has some fatal errors if we execute some files directly. For example:

yoursite.com/wp-settings.php
yoursite.com/wp-admin/admin-functions.php

And this is the list that I already posted on my blog:
http://cruzenaldo.com/list-of-fatal-error-in-wordpress-292/

And to prevent that you can use some techniques with htaccess, like:

    # refuse direct requests for one named file (Apache 2.2 syntax)
    <Files "wp-settings.php">
        Order Allow,Deny
        Deny from all
    </Files>

or

    # refuse direct requests for every .php file under the directory
    # holding this .htaccess (and its sub-directories)
    <FilesMatch "\.php$">
        Order Allow,Deny
        Deny from all
    </FilesMatch>

Thanks :D
