Support » Fixing WordPress » Deny Access To Folders

  • Resolved chanel

    (@chanel)


    Is there a way to deny direct access to my WordPress plugins, themes and subfolders?

    I would like to disable access to things like my wordpress stylesheets and uploaded images when the address is typed into the address bar.

Viewing 11 replies - 1 through 11 (of 11 total)
  • If you just want to disable browsing of those files there are several ways to do it, but a simple way (if you are using a Linux server) is to add the following line to the .htaccess file in your root directory.

    Options -indexes

    Morning figaro!

    The last few lines in my .htaccess is

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    So after i add what you told me, it should look like this?

    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>

    Options -indexes

    Morning…Yes, that should work…give it a try see what happens.

    I did it and it did not work.

    For example, I can still access this page:
    http://diaryofchanel.com/wp-content/themes/default/style.css

    Yes, that doesn’t stop someone from directly accessing a file if they know or find the file path/name…it stops them from browsing your directories if they don’t know the file names.

    I’m not sure there is a way to prevent this…maybe others have some ideas.

    I use the Ask Apache Password Protect plugin to put passwords to my admin and content folder, but that doesn’t prevent people from viewing my stylesheet either. Never really thought about it why…

    [edit] just a thought, but only the browser ‘looks at’ the htaccess and the stylesheet is opened in notepad, perhaps that’s why.
    In any case, I personally find it more important that people (or bots) can’t just access my admin and content folders than that people can’t see my stylesheet.

    I think the style sheets have to be available for the site to render properly in the browser…if there is a way to protect them, I’m not aware of it.

    Thanks figaro & Gangleri.

    The reason why I am looking for this is because I’m having bit of a problem with people “digging” through my wp files. It’s a little bit annoying because you can spend hours tweeking a theme’s css or even create your own theme for your own personal usage and anyone can pretty much take it if they knew the right file names.

    Just recently I had someone swipe my whole stylesheet and used it for herself when I spent almost a day recreating it and validating it via jigsaw.w3.org.

    You want to hide code you’re already passing along to the browser?

    That’s pointless, if you pass the content to the browser, then it will be viewable…

    The .htaccess line above will stop directory browsing, but it won’t stop people finding it…

    If you want to stop people accessing the code, well you can’t without stopping it being passed to the browser…

    Use .htaccess as above or just add empty index.php or index.html files into those directories.

    PHP files won’t give out any data anyway…. try it, access one of the PHP files directly, hit View Source and see what you get…

    PHP is server-side code, unlike HTML and CSS which runs as client-side..

    Chanel, I see your point. I’ve Googled around a bit and ran into this:
    webmasterworld.com/apache/3180546.htm

    I can’t try it from here (work), but it at least sounds like something.

    I see what you’re saying t31os. I never thought of it that way. I do have a default index.html in each of my directories to prevent people from viewing my files (ie: http://diaryofchanel.com/wp-content/themes/)

    Thanks for the link Gangleri. I’m reading it now.

Viewing 11 replies - 1 through 11 (of 11 total)
  • The topic ‘Deny Access To Folders’ is closed to new replies.