Support » Networking WordPress » Hardening WordPress: Securing wp-includes

  • Resolved mhulse


    This article talks about tips on securing a WP site:

    Securing wp-includes

    On my server, via WordPress multi-site setup, I found that this code:

    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    Generates a 403 Forbidden when I try to access the image here:


    … which appears to be a rewrite for this url:


    When I comment out this line:

    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

    The image is accessible.

    Any tips on how to fix? 🙂

Viewing 2 replies - 1 through 2 (of 2 total)
  • Moderator Ipstenu (Mika Epstein)


    🏳️‍🌈 Halfelf Rogue & Plugin Review Team Rep

    You can’t. There’s a file in /wp-includes/ called ms-files.php, which is used by WordPress multisite to generate images.

    I’ll document that in the codex.

    Thanks Ipstenu! I really appreciate the help. 🙂

    I am finding that there’s a ton of articles on the net about how to secure a WP site, but not as many that are specific to a WP multisite install.

    Anyway, thanks a billion for all of your pro help! You rock!!!! 😀


Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Hardening WordPress: Securing wp-includes’ is closed to new replies.