WordPress.org


[resolved] Deny Access To Folders (12 posts)

  1. chanel
    Member
    Posted 5 years ago #

    Is there a way to deny direct access to my WordPress plugins, themes and subfolders?

    I would like to disable access to things like my wordpress stylesheets and uploaded images when the address is typed into the address bar.

  2. figaro
    Member
    Posted 5 years ago #

    If you just want to disable browsing of those files there are several ways to do it, but a simple way (if you are using a Linux server) is to add the following line to the .htaccess file in your root directory.

    Options -Indexes

  3. chanel
    Member
    Posted 5 years ago #

    Morning figaro!

    The last few lines in my .htaccess are

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    So after I add what you told me, it should look like this?

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    Options -Indexes

  4. figaro
    Member
    Posted 5 years ago #

    Morning...Yes, that should work...give it a try and see what happens.

  5. chanel
    Member
    Posted 5 years ago #

    I did it and it did not work.

    For example, I can still access this page:
    http://diaryofchanel.com/wp-content/themes/default/style.css

  6. figaro
    Member
    Posted 5 years ago #

    Yes, that doesn't stop someone from directly accessing a file if they know or find the file path/name...it stops them from browsing your directories if they don't know the file names.

    I'm not sure there is a way to prevent this...maybe others have some ideas.

  7. Roy
    Member
    Posted 5 years ago #

    I use the Ask Apache Password Protect plugin to put passwords to my admin and content folder, but that doesn't prevent people from viewing my stylesheet either. Never really thought about why...

    [edit] just a thought, but only the browser 'looks at' the htaccess and the stylesheet is opened in notepad, perhaps that's why.
    In any case, I personally find it more important that people (or bots) can't just access my admin and content folders than that people can't see my stylesheet.

  8. figaro
    Member
    Posted 5 years ago #

    I think the style sheets have to be available for the site to render properly in the browser...if there is a way to protect them, I'm not aware of it.

  9. chanel
    Member
    Posted 5 years ago #

    Thanks figaro & Gangleri.

    The reason why I am looking for this is because I'm having a bit of a problem with people "digging" through my wp files. It's a little bit annoying because you can spend hours tweaking a theme's css or even create your own theme for your own personal usage and anyone can pretty much take it if they knew the right file names.

    Just recently I had someone swipe my whole stylesheet and used it for herself when I spent almost a day recreating it and validating it via jigsaw.w3.org.

  10. t31os
    Member
    Posted 5 years ago #

    You want to hide code you're already passing along to the browser?

    That's pointless, if you pass the content to the browser, then it will be viewable...

    The .htaccess line above will stop directory browsing, but it won't stop people finding it...

    If you want to stop people accessing the code, well you can't without stopping it being passed to the browser...

    Use .htaccess as above or just add empty index.php or index.html files into those directories.

    PHP files won't give out any data anyway.... try it, access one of the PHP files directly, hit View Source and see what you get...

    PHP is server-side code, unlike HTML and CSS, which run client-side.

  11. Roy
    Member
    Posted 5 years ago #

    Chanel, I see your point. I've Googled around a bit and ran into this:
    webmasterworld.com/apache/3180546.htm

    I can't try it from here (work), but it at least sounds like something.

  12. chanel
    Member
    Posted 5 years ago #

    I see what you're saying t31os. I never thought of it that way. I do have a default index.html in each of my directories to prevent people from viewing my files (i.e.: http://diaryofchanel.com/wp-content/themes/)

    Thanks for the link Gangleri. I'm reading it now.

Topic Closed

This topic has been closed to new replies.
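
Added example (not part of the original thread): a Python check that shows what the two fixes discussed above, `Options -Indexes` and an empty index file, change for a directory URL and what they leave unchanged for a file URL. The function names are this example's own, and the sample responses are constructed rather than captured from any site.

```python
import re
import urllib.error
import urllib.request

# Apache's mod_autoindex pages carry this title; used here as the listing fingerprint.
AUTOINDEX = re.compile(r"<title>\s*Index of /", re.IGNORECASE)

def classify(path, status, body):
    """Label one response for a directory (path ends in '/') or a file."""
    if path.endswith("/"):
        if status == 200 and AUTOINDEX.search(body):
            return "listing-exposed"      # directory browsing is on
        if status == 403:
            return "listing-denied"       # what Options -Indexes produces
        if status == 200:
            return "index-file-served"    # an index.html/index.php answers instead
        return "other"
    # Files: neither fix changes this; the browser needs them to render the site.
    return "file-served" if status == 200 else "file-not-served"

def fetch(url, timeout=10):
    """Fetch a URL on a site you administer; returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def audit(responses):
    """responses: iterable of (path, status, body) -> {path: label}."""
    return {path: classify(path, status, body) for path, status, body in responses}

# Constructed sample responses for the paths discussed in the thread.
THEMES, CSS = "/wp-content/themes/", "/wp-content/themes/default/style.css"
LISTING = "<html><head><title>Index of /wp-content/themes</title></head></html>"
BEFORE = [(THEMES, 200, LISTING), (CSS, 200, "body { margin: 0; }")]
AFTER_OPTIONS = [(THEMES, 403, ""), (CSS, 200, "body { margin: 0; }")]
AFTER_INDEX_FILE = [(THEMES, 200, ""), (CSS, 200, "body { margin: 0; }")]

if __name__ == "__main__":
    for name, sample in [("before", BEFORE), ("Options -Indexes", AFTER_OPTIONS),
                         ("empty index.html", AFTER_INDEX_FILE)]:
        print(name, audit(sample))
```

To run it against a live site you administer, pass `(path, *fetch(base_url + path))` tuples to `audit()`.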
