How to prevent direct HTTP requests into folder, but allow including folder files?

Discussion in 'Apache' started by postcd, Sep 20, 2016.

  1. #1
    Hello, at https://codex.wordpress.org/Hardening_WordPress#Securing_wp-admin

    I read that: "common attacks against a WordPress blog usually fall into"
    So I wanted to ask if I can prevent this attack by forbidding anyone to visit pages in the wp-content or wp-includes folders and subfolders?
    If yes, then which .htaccess rule can prevent calling these folders' files directly, but allow including them on normal pages like http://mysite.com/article-name
     
    postcd, Sep 20, 2016 IP
  2. pavv

    #2
    There are some plugins that can do this task for you.
    I installed the Sucuri Security plugin and there is an option "Restrict wp-content access".
    Looking at the .htaccess file from /wp-content/, it looks like:

    <FilesMatch "\.(?i:php)$">
      <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
      </IfModule>
      <IfModule mod_authz_core.c>
        Require all denied
      </IfModule>
    </FilesMatch>
     
    pavv, Sep 20, 2016 IP
  3. postcd

    #3
    I think I used similar code in the wp-content .htaccess,
    like:

    <FilesMatch "\.php$">
    deny from all
    </FilesMatch>

    (untested now)

    But it cannot be used in wp-includes, as it would break the main functions of WordPress, so I'm looking for an alternative.
    On https://codex.wordpress.org/Hardening_WordPress#Securing_wp-includes they mention an .htaccess rule. Can anyone confirm it will do what I wanted (blocking direct access to PHP files in wp-includes subdirs), and mainly whether that is what would prevent the kind of hack mentioned in my first post? Thx
     
    postcd, Sep 20, 2016 IP
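
An added example, not part of the thread and not Sucuri's code: a small audit script that lists the .php files under a document root that no deny-all FilesMatch block (like the one in post #2) covers, so you can see which scripts are still directly requestable. It reads only .htaccess files, so it assumes AllowOverride lets them take effect and ignores server-level configuration; the function names and the sample tree are constructed for illustration.

```python
import os
import re
import tempfile
# <FilesMatch "regex"> sections, and deny-all lines in Apache 2.2 or 2.4 syntax
SECTION = re.compile(r'<FilesMatch\s+"?([^">\s]+)"?\s*>(.*?)</FilesMatch>', re.I | re.S)
DENY = re.compile(r'^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$', re.I | re.M)

def deny_patterns(text):
    """Compiled FilesMatch regexes whose section contains a deny-all line."""
    found = []
    for pattern, body in SECTION.findall(text):
        if DENY.search(body):
            try:
                found.append(re.compile(pattern))
            except re.error:
                pass  # not a valid regex (a glob such as *.php), so it protects nothing
    return found

def exposed_php(docroot):
    """Relative paths of .php files not covered by any inherited deny-all FilesMatch."""
    docroot = os.path.abspath(docroot)
    inherited, exposed = {}, []  # inherited: directory -> patterns in effect there
    for current, _dirs, files in os.walk(docroot):
        patterns = list(inherited.get(os.path.dirname(current), []))
        if ".htaccess" in files:
            with open(os.path.join(current, ".htaccess"), encoding="utf-8") as fh:
                patterns += deny_patterns(fh.read())
        inherited[current] = patterns
        for name in files:
            # FilesMatch is tested against the file name, not the full path
            if name.lower().endswith(".php") and not any(p.search(name) for p in patterns):
                exposed.append(os.path.relpath(os.path.join(current, name), docroot))
    return sorted(exposed)

def build_sample(root):
    """Constructed WordPress-like tree; only wp-content carries the rule from post #2."""
    rule = ('<FilesMatch "\\.(?i:php)$">\n'
            '  <IfModule !mod_authz_core.c>\n    Order allow,deny\n    Deny from all\n  </IfModule>\n'
            '  <IfModule mod_authz_core.c>\n    Require all denied\n  </IfModule>\n'
            '</FilesMatch>\n')
    samples = {"index.php": "", "wp-content/.htaccess": rule,
               "wp-content/uploads/2016/photo.PHP": "", "wp-includes/version.php": ""}
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(exposed_php(tmp))
```

On the constructed tree the uploaded `photo.PHP` is covered by the case-insensitive rule inherited from wp-content, while `index.php` and `wp-includes/version.php` are reported because no deny rule applies to them.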