• Resolved joejoe04

    (@joejoe04)


    I have a question about the following rules your firewall adds to .htaccess:

    RewriteRule ^wp-admin/includes/ - [F]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
    RewriteRule ^wp-includes/theme-compat/ - [F]

    This works fine, but I noticed there are also other directories within /wp-includes/ with PHP files in them that the above rules miss, like /wp-includes/customize/.

    RewriteRule ^wp-includes/.*\.php$ - [F,L]

    When I add the above to my .htaccess, all PHP files in those directories are forbidden if I try to browse to them, and it seems my site still functions fine (though admittedly it’s just a very basic setup with not many plugins installed).

    Are the PHP files in the other directories within /wp-includes/ not able to be forbidden outside access because they provide some function that requires access, or are they just not important to block?

    Also, given that there are plenty of other PHP files we can’t block access to, such as /wp-comments-post.php, and that even if I don’t include the rules listed above and browse to a PHP file within /wp-includes/ it doesn’t seem as though any confidential information is revealed, is it even really worth using the rules above to block the PHP files within /wp-includes/? Just trying to understand whether I should take the rules above and go even further or not really worry too much about this.

    Thanks!
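As an added illustration that is not part of the original thread or of the plugin's own code, the following Python script simulates how mod_rewrite walks the rules quoted above (and the broader rule the poster tried) against a few constructed request paths, so the difference in coverage can be checked offline instead of on a live .htaccess. It models only the subset of mod_rewrite these rules use (the `-` substitution, and the `F`, `L` and `S=n` flags) and assumes the .htaccess sits in the WordPress root, where a per-directory rewrite matches the path relative to that directory with no leading slash. The sample paths are constructed for the demonstration.

```python
import re

# The five rules quoted in the question, verbatim, plus the broader rule the
# poster tried. Everything else in this file is an added simulation.
HARDENING_RULES = r"""
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]
"""
BROADER_RULE = r"RewriteRule ^wp-includes/.*\.php$ - [F,L]"

RULE_RE = re.compile(r"^RewriteRule\s+(\S+)\s+(\S+)\s+\[([^\]]*)\]$")


def parse_rules(text):
    """Turn RewriteRule lines into (negate, compiled_pattern, flags) tuples.

    Only the subset of mod_rewrite this thread uses is modelled: the '-'
    substitution (no rewrite), the F flag, the L flag and S=n.
    """
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported line: {line!r}")
        pattern, substitution, flag_text = m.groups()
        if substitution != "-":
            raise ValueError("only '-' (no rewrite) substitutions are modelled")
        negate = pattern.startswith("!")        # '!pattern' inverts the match
        regex = re.compile(pattern[1:] if negate else pattern)
        flags = {}
        for flag in flag_text.split(","):
            name, _, value = flag.strip().partition("=")
            flags[name] = int(value) if value else True
        rules.append((negate, regex, flags))
    return rules


def evaluate(path, rules):
    """Walk the rule list the way mod_rewrite does in a per-directory context.

    `path` is the request path relative to the directory holding .htaccess
    (no leading slash). Returns 'FORBIDDEN' (the F flag fired) or 'ALLOWED'.
    """
    i = 0
    while i < len(rules):
        negate, regex, flags = rules[i]
        i += 1
        # mod_rewrite uses an unanchored search; these patterns anchor with ^.
        matched = bool(regex.search(path)) != negate
        if not matched:
            continue
        if flags.get("F"):
            return "FORBIDDEN"          # 403; the rest of the chain is moot
        if "S" in flags:
            i += flags["S"]             # S=n: skip the next n rules
        if flags.get("L"):
            break                       # L: stop processing this rule set
    return "ALLOWED"


ORIGINAL = parse_rules(HARDENING_RULES)
EXTENDED = parse_rules(HARDENING_RULES + BROADER_RULE + "\n")

# Constructed request paths covering each branch of the rule set.
SAMPLE_PATHS = [
    "wp-comments-post.php",
    "wp-admin/includes/file.php",
    "wp-includes/version.php",
    "wp-includes/customize/class-wp-customize-control.php",
    "wp-includes/theme-compat/comments.php",
    "wp-includes/js/jquery/jquery.js",
]


def compare(paths=SAMPLE_PATHS):
    """Map each path to (verdict under the quoted rules, verdict with the broader rule)."""
    return {p: (evaluate(p, ORIGINAL), evaluate(p, EXTENDED)) for p in paths}


if __name__ == "__main__":
    for path, (before, after) in compare().items():
        print(f"{path:55} original={before:9} with broader rule={after}")
```

The simulation makes two things visible: the `S=3` rule means the three `wp-includes` rules are only consulted for paths under `wp-includes/`, so paths like `wp-comments-post.php` are never affected; and `^wp-includes/[^/]+\.php$` matches only PHP files directly in `wp-includes/`, which is why a file in a subdirectory such as `wp-includes/customize/` is only blocked once the broader `.*\.php$` rule is added.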

Viewing 7 replies - 1 through 7 (of 7 total)
  • Plugin Author AITpro

    (@aitpro)

    The particular block of htaccess code comes from the WordPress “Hardening WordPress” forum topic here: https://codex.ww.wp.xz.cn/Hardening_WordPress#WP-Includes.
    Since this htaccess code was created by WordPress then I assume they have created that code so that it would not interfere with anything that is needed to be accessed externally.

    This rule blocks all .php files in all subdirectories of the /wp-includes/ folder.
    RewriteRule ^wp-includes/[^/]+\.php$ - [F]
    I assume WP did not create a rule for .php files directly in the /wp-includes/ folder for a good reason. So you probably do not want to block .php files directly in the /wp-includes/ folder. In any case, these rules are only for not allowing direct Browser access to any files. All files can still be accessed internally.

    • This reply was modified 9 years, 5 months ago by AITpro.
    Thread Starter joejoe04

    (@joejoe04)

    I appreciate the response! That’s what I figured as far as my rule going too far and likely blocking some functionality that I’m just not aware of.

    I guess I’m more interested, though, in your opinion on how important rules like these are for security. I know the Hardening WP page lists this as a recommendation, but given what I ended my original post with, that many of the other core PHP files are still directly accessible via browser and that even if access is not blocked there does not seem to be any confidential or important information revealed when loaded in browser, how effective or important do you think these rules are when it comes to site security?

    If you don’t have time to get into this, I understand. I just can’t find anyone really discussing the merits of these rules; mostly just tutorials and examples of how to do it. Thanks either way.

    Plugin Author AITpro

    (@aitpro)

    To be honest with you I really don’t have any idea how effective or important that WP code is. Logically hackers are primarily going to try to get a file uploaded to your site somehow and most likely they are not going to be stopped by that code after the fact. Example: If a hacker gets a shell script uploaded to a website then they will use that shell script internally and not access any files externally besides wherever they put their backdoor login script to login with to gain full control of the hosting account folders. I doubt that a hacker would use the /wp-includes/ folder for the place to put that backdoor login script. So the /wp-includes/ htaccess code would not be effective in that scenario. As far as directly exploiting files in the /wp-includes/ folder goes I don’t believe that can be done. So that leaves only 1 practical reason for that code – prevent recon/snooping I guess?

    Thread Starter joejoe04

    (@joejoe04)

    Yep, that’s what these lines of code seemed like to me; more feel good than actual substance. I’ll still include them though b/c it won’t hurt anything. Thanks for the response, I definitely appreciate it.

    Plugin Author AITpro

    (@aitpro)

    Yep, exactly what we think about that WP code too. 😉

    Plugin Author AITpro

    (@aitpro)

    Assuming all questions have been answered – the thread has been resolved. If you have additional questions about this specific thread topic then you can post them at any time. We still receive email notifications when threads have been resolved.

    Thread Starter joejoe04

    (@joejoe04)

    Yep, thanks again


The topic ‘Question About wp-includes Exclude Firewall Rules’ is closed to new replies.