Forums

WordPress › Support » Plugins and Hacks

[resolved] How the hell do I secure wp-includes and wp-content (18 posts)

  1. nemo-maritime
    Member
    Posted 3 years ago #

    How am I supposed to secure these files?? I have tried .htaccess and that did secure it, but it bloced access to some code from some other code and some parts of my site did not work, at least from the admin side. So my question is how in the hell am I supposed to secure these freakin files? I already have index in my wp-content, but I have seen that some sites block access to wp-includes and wp-content, how can I do this for blog security. Also, here is what I have for the .htaccess file now:

    For wp-includes:
    Order Allow,Deny
    Deny from all
    <Files ~ ".(css|jpe?g|png|gif|js)$">
    <Files ~ ".(/themes/)$">
    Allow from all
    </Files>

    For wp-content:
    Order Allow,Deny
    Deny from all
    <Files ~ "\.(css|jpe?g|png|gif|js)$">
    Allow from all
    </Files>

    <Files ~ ".(/themes/)$">
    Allow from all
    </Files>

  2. Roy
    Member
    Posted 3 years ago #

    Have a look at the Ask Apache Password Protect plugin. It'll do it for you. (and also wp-admin, wp-login.php (and logout) and optionally hotlinking and other things.)

  3. Ipstenu
    Half-Elf Support Rogue & Mod
    Posted 3 years ago #

    See also: Hardening WordPress

  4. nemo-maritime
    Member
    Posted 3 years ago #

    Thanks, thats someting else I'm also going to try, anyone know if that SSL is 2.7 compatible?

  5. whooami
    Member
    Posted 3 years ago #

    ...secure wp-includes and wp-content

    from what?

  6. nemo-maritime
    Member
    Posted 3 years ago #

    From people looking through it, from anything it needs to be secured from.... mostly from people looking through it, plus I just laerned about Options -Indexes today. Havent gotten to try it yet, but will soon. I'm still not sure how much of a security risk it is to let people look through it, at least besides others getting to know what plugins I am using and their security risks, I guess thats another thing I am wondering as well.

  7. whooami
    Member
    Posted 3 years ago #

    Options -Indexes

    will keep directories from being browsable.

    and if thats all your interested in, thats all you need.

    the rest of what you are doing is largely overkill.

    >> I'm still not sure how much of a security risk it is to let people look through it, at least besides others getting to know what plugins I am using and their security risks

    anyone with a brain doesnt need to look through wp-includes/ -- they can go grab the source files.

    disallowing browsing of your plugins directory is a good idea, but you can't and shouldnt rely on that as 'security'. LOTS of plugins advertise themselves withon your source -- they load files, plugin authors leave comments identifying the plugin name, etc..

  8. nemo-maritime
    Member
    Posted 3 years ago #

    Overkill yes, but is it overkill that can make a difference?

  9. whooami
    Member
    Posted 3 years ago #

    can? sure. no-one can say no to that question, because of how its worded :)

  10. nemo-maritime
    Member
    Posted 3 years ago #

    Hmmmm thats true and you have a good point there, will it make a difference? And to make it more interesting, lets imagine that it was a possible high target site :p would it make a difference then?

  11. whooami
    Member
    Posted 3 years ago #

    hypothetically speaking -- what you want to concern yourself with is that no-one can write to those directories.

    Browsing files is a nuisance. having the ability to write to a directory is bad.

    Lets pretend this is my site, and that I can do what I want..

    1. install suphp, and adjust permissions that take advantage of it being used.
    2. Make sure I have server logs that are being saved.

    For what its worth, unless you have the domain hackme.com or a site thats financial in nature, or has recently posted a challenge to hackers, I dont believe in the "possible high target" theory.

    Most, not all, but most exploited sites are the result of lucky script kiddies -- not unmitigated and unseen deliberate attempts. Thats not to say it doesnt happen -- I know it does, Ive seen it. Its just not the norm.

  12. nemo-maritime
    Member
    Posted 3 years ago #

    Thats what I was thinking, the script based attack, that is the main reason I am concerned with this. I thought that a lockdown like that would block it. But I guess all I really need is to have the right capability removed, and to do something like Options -Indexes would do what I am looking for. I just put it in the main .htaccess in the main WP directory right? The suphp logs what people send on the site, so that would also be helpful, I guess my questions are answered. I'm also looking into a Apache login password plugin, or a ssl plugin for logins. I was just looking to make it as secure as it sanely could.

  13. nemo-maritime
    Member
    Posted 3 years ago #

    For Options -Indexes, does it go into each .htaccess file of the directory I am trying to block, or does it go into the main .htaccess in the folder I have WordPress set up?

  14. nemo-maritime
    Member
    Posted 3 years ago #

    Anyone got anything? Searched Google, but all I find is Options for the menu, and tabs.

  15. figaro
    Member
    Posted 3 years ago #

    I believe if you just put Options -Indexes in the .htaccess in public_html then it will prevent any directory in public_html from being browsed...it seems to be working that way on my sites.

  16. whooami
    Member
    Posted 3 years ago #

    nemo,

    ...does it go into each .htaccess file of the directory I am trying to block, or does it go into the main .htaccess in the folder I have WordPress set up?

    Just the top most is fine, .htaccess files are hierarchical.

  17. nemo-maritime
    Member
    Posted 3 years ago #

    I put it in the main .htaccess, where wp-config resides, but I still have a small issue. It wont allow the WordPress 2.7 admin tools to use the ajax feature. So its still the same issue I have had with blocking the folders completely. It lets me log in and all (only through wp-admin, wp-login redirects to 404), but none of the drop down options work from the dashboard. Thought I'd ask since I think its supposed to work with no prob.

    EDIT - it actually doesn't look like it has anything to do with that code anymore. I have taken it out, along with any other .htaccess, but it still wont let the Ajax feature/drop down features work.

  18. nemo-maritime
    Member
    Posted 3 years ago #

    Never mind, I got it. I had to use a different ftp program. The one I used did not get it off. I tried checking it with DW and it got it off. It works great. Thank you for all of the help, I would have never gotten done without it.

Topic Closed

This topic has been closed to new replies.

About this Topic

Tags