Hardening WordPress: Securing wp-includes

  • Resolved mhulse

    (@mhulse)


    This article talks about tips on securing a WP site:

    Securing wp-includes

    On my server, via WordPress multi-site setup, I found that this code:

    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    Generates a 403 Forbidden when I try to access the image here:

    blog-name/files/2012/02/dim-sum-150x150.jpg

    … which appears to be a rewrite for this url:

    /wp-includes/ms-files.php

    When I comment out this line:

    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

    The image is accessible.

    Any tips on how to fix? 🙂

  • Moderator Ipstenu (Mika Epstein)

    (@ipstenu)

    🏳️‍🌈 Advisor and Activist

    You can’t. There’s a file in /wp-includes/ called ms-files.php, which is used by WordPress multisite to generate images.

    I’ll document that in the codex.
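
The interaction described in this thread, as an added example that is not part of the original posts and is not WordPress or Apache code: a simplified Python model of how a per-directory ruleset is re-run after an internal rewrite, so the hardening rule ends up matching `wp-includes/ms-files.php`. The two multisite rules (`index.php` and `files/`) are assumptions, since the thread only names the rewrite target; query strings and `RewriteCond` are not modelled.

```python
import re

# The five hardening rules quoted in the question: (pattern, substitution, flags).
HARDENING = [
    (r"^wp-admin/includes/", "-", {"F": 1, "L": 1}),
    (r"!^wp-includes/", "-", {"S": 3}),
    (r"^wp-includes/[^/]+\.php$", "-", {"F": 1, "L": 1}),
    (r"^wp-includes/js/tinymce/langs/.+\.php", "-", {"F": 1, "L": 1}),
    (r"^wp-includes/theme-compat/", "-", {"F": 1, "L": 1}),
]
# Assumed multisite rules; the thread only says the image URL is rewritten
# to /wp-includes/ms-files.php. The query string is left out of the model.
MULTISITE = [
    (r"^index\.php$", "-", {"L": 1}),
    (r"^([_0-9a-zA-Z-]+/)?files/(.+)", "wp-includes/ms-files.php", {"L": 1}),
]
IMAGE = "blog-name/files/2012/02/dim-sum-150x150.jpg"  # path from the question


def evaluate(path, rules, max_passes=10):
    """Return (status, final_path) for a path relative to RewriteBase /."""
    for _ in range(max_passes):
        skip, rewritten = 0, False
        for pattern, subst, flags in rules:
            if skip:                      # [S=n]: skip the next n rules
                skip -= 1
                continue
            negate = pattern.startswith("!")
            matched = re.search(pattern.lstrip("!"), path) is not None
            if matched == negate:         # rule does not apply to this path
                continue
            if "F" in flags:              # [F]: answer 403 Forbidden
                return 403, path
            skip = flags.get("S", 0)
            if subst != "-":              # "-" means: leave the URL unchanged
                path, rewritten = subst, True
            if "L" in flags:              # [L]: stop this pass
                break
        if not rewritten:                 # nothing changed: the request is served
            return 200, path
        # The URL changed, so the whole ruleset runs again on the new path.
    raise RuntimeError("rewrite loop")


if __name__ == "__main__":
    full = HARDENING + MULTISITE
    relaxed = HARDENING[:2] + HARDENING[3:] + MULTISITE  # third rule commented out
    for name, rules in (("full", full), ("relaxed", relaxed)):
        for path in (IMAGE, "wp-includes/version.php"):
            print(name, path, evaluate(path, rules))
```

With the third rule removed, the image is served, but a direct request for any other top-level `wp-includes/*.php` file is served as well.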

    Thread Starter mhulse

    (@mhulse)

    Thanks Ipstenu! I really appreciate the help. 🙂

    I am finding that there’s a ton of articles on the net about how to secure a WP site, but not as many that are specific to a WP multisite install.

    Anyway, thanks a billion for all of your pro help! You rock!!!! 😀

    Cheers,
    Micky
