WordPress Security: Restrict wp-content and wp-includes on wordpress using htaccess

Blogging today is an important medium for sharing knowledge, which is a boon to globalization. But WordPress blogs have been vulnerable when it comes to their resources. Blogs have many security loopholes, such as directory listing, especially in a hosted environment.

Many plugins are developed every day to harden WordPress blog security. But since such plugins are themselves installed on WordPress, that practice will not be effective. Configuring the .htaccess file, which is found in the root or any other directory, on the other hand, lowers the vulnerability. It prevents many attacks on a website, including brute-force attacks, directory listings and disclosure of sensitive information.

The .htaccess method is a bit complex, and improper usage or coding may break some third-party plugins or theme templates. But it is not that complex: a bit of guidance will significantly increase the security of your blog or website.

Note: Before attempting any changes, back up your WordPress files and database for quick restoration.

Below is the code to restrict access to the wp-content and wp-includes directories.

    # Deny every request to this directory by default
    Order Allow,Deny
    Deny from all
    # Allow only the static assets the browser has to fetch
    <Files ~ "\.(css|jpe?g|png|gif|js)$">
        Allow from all
    </Files>

The code above denies access to the directories and their files, except for images (jpg, gif, png), stylesheets (css) and JavaScript files (js), so that the browser can fetch these resources on the client side.

Put the above code snippet into the .htaccess file within each of the wp-content and wp-includes directories and save it.

And we are done: we have restricted access to the wp-content and wp-includes directories by configuring the .htaccess files individually under both directories.
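
A dry-run check for the rule above, added here as an example (not code from the original post): it applies the snippet's allow pattern to every file under a directory and counts, by extension, what Apache would stop serving. The sample tree and function names are constructed for illustration; it assumes `<Files>` matches the file name only and that the pattern is case-sensitive.

```python
import os
import re
import tempfile
from collections import Counter

# Same pattern as the <Files ~ "..."> line in the article's snippet.
ALLOW_PATTERN = re.compile(r"\.(css|jpe?g|png|gif|js)$")

def is_allowed(path):
    """Mirror the snippet: deny everything, then allow matching file names.

    Only the file name (not the directory part) is tested, and the match
    is case-sensitive, so "photo.JPG" is denied.
    """
    return ALLOW_PATTERN.search(os.path.basename(path)) is not None

def audit_tree(root):
    """Return (allowed_count, Counter of denied extensions) for files under root."""
    allowed = 0
    denied = Counter()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            if is_allowed(name):
                allowed += 1
            else:
                ext = os.path.splitext(name)[1] or "(no extension)"
                denied[ext] += 1
    return allowed, denied

def build_sample_tree(root):
    """Constructed sample layout, not a real WordPress install."""
    sample = [
        "themes/demo/style.css", "themes/demo/logo.png",
        "themes/demo/fonts/body.woff", "themes/demo/icon.svg",
        "uploads/2011/photo.JPG", "uploads/2011/report.pdf",
        "plugins/demo/demo.php", "plugins/demo/demo.js",
    ]
    for rel in sample:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        allowed, denied = audit_tree(tmp)
        print("allowed:", allowed)
        for ext, count in denied.most_common():
            print("denied:", ext, count)
```

Pointing `audit_tree` at a copy of your own wp-content or wp-includes directory before deploying the .htaccess file shows which asset types (fonts, SVG, uppercase extensions, PHP endpoints) the pattern would block.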

For any queries or further assistance, post a comment as your feedback.

Comments

  1. TechOfWeb says:

    Changing code in the htaccess file can sometimes be tricky. It should be used with caution.

    Atul

  2. Lee | Money4Invest says:

    I’m interested in this topic as I want to secure my wp-content and wp-includes on WordPress. I already have a .htaccess file in the public_html folder. Should I create another 2 .htaccess files to be included in wp-content and wp-includes?

  3. Aky Joe says:

    I appreciate your concern towards the complexity of .htaccess file.

    .htaccess stands for Hypertext Access file, hence, any mismatch of code or keyword will cause erroneous exceptions to rule over. So, for a novice user, I’ll suggest to backup a copy of htaccess as well as wordpress database.

  4. Aky Joe says:

    I appreciate your feedback for the assistance required.

    Well, yes, as I mentioned above in the article, we will have to create .htaccess files for as many different directories as we need to protect. For instance, if you have 20 directories to protect, create 20 .htaccess files and locate them separately in each directory, with a 1:1 ratio. :)

  5. TechOfWeb says:

    Create 20 htaccess files for preserving 20 folders? Can you confirm this? I think a single htaccess is OK for a single web project.

    Atul

  6. Aky Joe says:

    There isn’t a need to have so many passwords when one master password can fulfil the need, but still we bear to have different passwords for different accounts, as per our need and reliability. So, I don’t think there is a need to create 20 .htaccess files, when one can do the trick. :)

    But since wp-includes and wp-content might contain different resources for a blog to open, the need to create two .htaccess files comes into play, so as to restrict the directories with their own directives.

  7. pos monitoring says:

    I heard that it makes the files automatically? Not sure if that’s true though.

  8. Aky Joe says:

    Well, basically WordPress creates a .htaccess file by default, but it doesn’t configure it for a tough security level. So you have to take manual action in order to secure your content or subdirectories.

  9. Okoth says:

    Your method will definitely make sure you cannot use the Visual editor anymore :)

    Do you have a real solution to restrict access to wp-content and wp-includes AND that I can use ALL functions of WordPress?

  10. Airbilder says:

    Good method, thanks!

  11. Cruz3N says:

    Nice trick bro, but I want to tell you, WordPress has some fatal errors if we execute some files directly… For example:

    yoursite.com/wp-settings.php
    yoursite.com/wp-admin/admin-functions.php

    And this is the list that I already posted on my blog:
    http://cruzenaldo.com/list-of-fatal-error-in-wordpress-292/

    And to prevent that you can use some techniques with htaccess… Like

    <files wp-settings.php>
    order allow,deny
    deny from all
    </files>

    or

    <FilesMatch "\.(php)$">
    Order Allow,Deny
    Deny from all
    </FilesMatch>

    Thanks :D

© 2009-2011 ThemePremium · All Rights Reserved
A threeroutes media Publication