Hello, at https://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin I read that: "common attacks against a WordPress blog usually fall into" So i wanted to ask if i can prevent this attack by forbidding anyone to visit page in wp-content or wp-includes folders and subfolders? If yes, then which .htaccess rule can prevent calling these folders files directly, but allows including them on normal pages like http://mysite.com/article-name
There are some plugins that can do this task for you. I installed Sucuri Security plugin and there is an option "Restrict wp-content access" Looking at the .htaccess file from /wp-content/ it looks like <FilesMatch "\.(?i:php)$"> <IfModule !mod_authz_core.c> Order allow,deny Deny from all </IfModule> <IfModule mod_authz_core.c> Require all denied </IfModule> </FilesMatch> Code (markup):
i think i used similar code in wp-content .htaccess like: <FilesMatch *.php> deny from all </FilesMatch> Code (markup): (untested now) but it can not be used in wp-includes as it would break main functions of wordpress, so im looking for alternative. On https://codex.wordpress.org/Hardening_WordPress#Securing_wp-includes they are mentioning some htaccess rule, anyone can confirm it will do what i wanted (blocking direct access to php files in wp-includes subdirs) and mainly if that is what would prevent kind of hack mentioned in my first post. Thx