• Resolved Sergey

    (@sergeybaev)


    Hello!
    There is an article about hardening WordPress (https://ww.wp.xz.cn/support/article/hardening-wordpress/#securing-wp-includes).

    The article recommends adding some code to the .htaccess file outside the “# BEGIN WordPress” to secure “wp-includes”:

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>
    
    # BEGIN WordPress

    In the code that is automatically generated by your plugin I did not find these lines of code.
    Do I have to add this code manually in the .htaccess file after the code generated by your plugin?
    For example, like this:

    # BEGIN All In One WP Security
    ...some autogenerated code by your plugin
    # END All In One WP Security
    
    # Block the include-only files.
    ...manually adding the code from the article above to secure wp-includes
    
    # BEGIN WordPress
    ...standard wordpress code
    # END WordPress

    Or does your plugin already include securing of the “wp-includes” folder in some other equivalent way, so that I do not have to add the code manually?

    Thank you

    • This topic was modified 5 years, 1 month ago by Sergey.
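To see which requests the rule set quoted in the post above actually denies, here is a simplified Python model of it. It is an added example, not part of the original post and not code from WordPress or the plugin. It assumes .htaccess (per-directory) matching and models only the `F` and `S` flags; the sample request paths are constructed.

```python
import re

# The five RewriteRules quoted in the post, in order:
# (pattern, negated, flag, skip_count). F = 403 Forbidden, S = skip next N rules.
RULES = [
    (r"^wp-admin/includes/", False, "F", 0),
    (r"^wp-includes/", True, "S", 3),  # "!" prefix: fires when the pattern does NOT match
    (r"^wp-includes/[^/]+\.php$", False, "F", 0),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, "F", 0),
    (r"^wp-includes/theme-compat/", False, "F", 0),
]


def evaluate(url_path):
    """Return the index of the rule that answers 403, or None if the request passes."""
    # In .htaccess context mod_rewrite matches the path without the leading
    # slash and without the query string.
    path = url_path.split("?", 1)[0].lstrip("/")
    i = 0
    while i < len(RULES):
        pattern, negated, flag, skip = RULES[i]
        fired = (re.search(pattern, path) is not None) != negated
        if fired and flag == "F":
            return i
        if fired and flag == "S":
            i += skip  # jump over the next `skip` rules
        i += 1
    return None


# Constructed request paths (assumed for illustration, not taken from the thread).
SAMPLES = [
    "/wp-admin/includes/file.php",
    "/wp-includes/version.php",
    "/wp-includes/ms-files.php",
    "/wp-includes/js/tinymce/langs/wp-langs.php",
    "/wp-includes/theme-compat/header.php",
    "/wp-includes/pomo/mo.php",
    "/wp-includes/css/dashicons.min.css",
    "/wp-login.php?action=lostpassword",
]


def report(paths=SAMPLES):
    """Map each path to the denying rule index (0-based) or None."""
    return {p: evaluate(p) for p in paths}


if __name__ == "__main__":
    for path, rule in report().items():
        verdict = "passes" if rule is None else f"403 by rule {rule + 1}"
        print(f"{path:45} {verdict}")
```

The third rule denies only PHP files directly inside `wp-includes/`, so nested PHP files outside the two listed subdirectories still pass. It also denies `wp-includes/ms-files.php`, which is relevant to the Multisite warning mentioned later in the thread.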
Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Contributor mbrsolution

    (@mbrsolution)

    Hi, unfortunately our plugin does not include the security code you mentioned above.

    Kind regards

    Thread Starter Sergey

    (@sergeybaev)

    Thank you for your answer!
    I think it would be nice if in the future you consider including the ability to add this secure code in plugin settings, if you think it’s necessary.

    For example, add a new feature with a checkbox to the “File system protection” section with explanations of the usefulness of this code and warnings that this code won’t work well on Multisite (and possibly with other warnings, if any).

    Anyway, I think your plugin is great and very useful!
    Thank you so much for your work!

    • This reply was modified 5 years, 1 month ago by Sergey.
    Plugin Contributor mbrsolution

    (@mbrsolution)

    I have submitted your request to the developers to investigate further.

    Kind regards

    Thread Starter Sergey

    (@sergeybaev)

    Thank you


The topic ‘Securing wp-includes’ is closed to new replies.