• Resolved oriver

    (@oriver)


    Hi,

    I’ve implemented many steps mentioned in WordPress hardening article: https://wordpress.org/documentation/article/hardening-wordpress/#disable-file-editing

    Just wondering if anyone has used the below code to secure wp-includes, and if so, whether it’s been known to cause any problems? And if it’s easy to reverse by deleting the code from .htaccess?

    There’s just so little on this code online:

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    Additionally, if you password protect the wp-admin page, it stops AJAX and can break features in plugins etc. If you use the below code it still allows AJAX:

    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>

    Seems to work, and no errors. But wondering if this is just band-aiding the AJAX problem. Has anyone got any experience using this too?

    Thanks
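The rewrite chain in the first snippet is easier to judge once the `[S=3]` skip and the `[F,L]` flags are worked through explicitly. The Python below is an added example, not code from this thread, from WordPress or from Apache: it models only the mod_rewrite behaviour these five rules rely on (per-directory matching against the request path with the leading slash removed, as `RewriteBase /` gives, the `-` "no substitution" target, and the `F`, `L` and `S=n` flags), replays the posted rules over a constructed set of request paths, and reports which rule decides each one. The sample paths are constructed for the example; the regular expressions are the ones from the post.

```python
"""Replay the posted 'Block the include-only files' rules over sample paths.

Added example, not code from the thread, WordPress or Apache. It models only
the subset of mod_rewrite semantics these five rules use and is meant for
reasoning about the rule set before touching a live .htaccess, not as a
substitute for testing against Apache itself.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The five RewriteRule lines exactly as posted. The IfModule, RewriteEngine
# and RewriteBase lines are not rules and are left out of the simulation.
HTACCESS_RULES = r"""
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
"""


@dataclass
class Rule:
    pattern: str   # regex matched against the path relative to RewriteBase
    negate: bool   # a leading '!' inverts the match
    forbid: bool   # [F] -> 403 Forbidden (Apache treats F as implying L)
    last: bool     # [L] -> stop processing the rule set
    skip: int      # [S=n] -> skip the next n rules when this rule matches


def parse_rules(text: str) -> List[Rule]:
    """Parse 'RewriteRule <pattern> - [flags]' lines into Rule objects."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        parts = line.split()
        if parts[0] != "RewriteRule" or parts[2] != "-":
            raise ValueError(f"unsupported directive: {line!r}")
        pattern = parts[1]
        negate = pattern.startswith("!")
        if negate:
            pattern = pattern[1:]
        flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
        skip = 0
        for flag in flags:
            if flag.startswith("S="):
                skip = int(flag[2:])
        forbid = "F" in flags
        rules.append(Rule(pattern, negate, forbid, forbid or "L" in flags, skip))
    return rules


def evaluate(rules: List[Rule], path: str) -> Tuple[int, Optional[int]]:
    """Return (HTTP status, index of the deciding rule or None).

    `path` is the request path without its leading slash, which is what a
    per-directory RewriteRule sees when RewriteBase is '/'.
    """
    i = 0
    while i < len(rules):
        rule = rules[i]
        i += 1
        matched = bool(re.search(rule.pattern, path)) != rule.negate
        if not matched:
            continue
        if rule.forbid:
            return 403, i - 1
        if rule.skip:
            i += rule.skip        # S=n: jump over the next n rules
        if rule.last:
            break
    return 200, None


# Constructed sample requests: one per blocking rule, plus paths the rules
# must leave alone (static assets and the admin-ajax.php endpoint).
SAMPLE_PATHS = [
    "wp-admin/includes/upgrade.php",
    "wp-admin/admin-ajax.php",
    "wp-includes/version.php",
    "wp-includes/js/jquery/jquery.min.js",
    "wp-includes/js/tinymce/langs/en.php",
    "wp-includes/theme-compat/header.php",
    "wp-includes/ID3/getid3.php",
    "wp-content/plugins/example/file.php",
    "index.php",
]


def report(paths: List[str] = SAMPLE_PATHS) -> Dict[str, int]:
    """Print a status line per path and return {path: status}."""
    rules = parse_rules(HTACCESS_RULES)
    results: Dict[str, int] = {}
    for path in paths:
        status, idx = evaluate(rules, path)
        results[path] = status
        why = f"rule {idx + 1}" if idx is not None else "no rule matched"
        print(f"{status}  /{path:40s} ({why})")
    return results


if __name__ == "__main__":
    report()
```

Two things the replay makes visible. First, `wp-admin/admin-ajax.php` is never touched by these rules: it fails rule 1, matches the negated rule 2, and the `S=3` jumps past the three `wp-includes` rules, so the AJAX problem in the thread comes only from password-protecting `wp-admin`, not from this snippet. Second, the third rule's `[^/]+` only covers PHP files directly under `wp-includes/`; a PHP file in a subdirectory other than `js/tinymce/langs/` or `theme-compat/` (the constructed `wp-includes/ID3/getid3.php` above) is not blocked, which is worth knowing when deciding whether this snippet is sufficient on its own. On the `<Files admin-ajax.php>` block: `Order`, `Allow` and `Satisfy` are Apache 2.2-style directives that Apache 2.4 only honours through mod_access_compat; the native 2.4 form inside the same `<Files>` block is `Require all granted`. After deploying either snippet, confirm on the live site with `curl -I https://example.com/wp-includes/version.php` (expect 403) and `curl -I https://example.com/wp-admin/admin-ajax.php` (expect anything other than 401/403), with `example.com` standing in for your own host.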

Viewing 2 replies - 1 through 2 (of 2 total)
  • Albert Bretado

    (@abretado1985)

    It’s possible that this code could cause certain plugins to not work properly if they rely on files or directories that are being blocked by the mod_rewrite directives.

    For example, if a plugin needs to access a file within the wp-includes/ directory that is being blocked by the rule RewriteRule ^wp-includes/[^/]+\.php$ - [F,L], the plugin may not work as intended.

    However, if the plugins are properly developed and use the WordPress API to access files and directories rather than accessing them directly through the file system, then this code should not interfere with their normal operation.

    If you encounter any issues after adding this code, simply remove the code and everything should work as normal.

    Thread Starter oriver

    (@oriver)

    Hi @abretado1985

    Thank you for your response, seems to work okay so far. Was just unsure, due to so little info online, if this was still trusted code. But seems to work.

    Do you know anything about the Ajax code?


The topic ‘WordPress Hardening – Securing wp-includes & wp-admin’ is closed to new replies.