Protect WP-INCLUDES Folder For an Extra Security Layer in WordPress
June 3rd, 2017 | by Ravi Chahar || Leave a comment |
Just like all the other WordPress directories, you should protect wp-includes folder. It consists some scripts which shouldn’t be accessed by any user.
Every time you read about WordPress security, you may notice about protecting the wp-config.php file, the wp-content folder, password protect your admin directory and a lot more.
But only a few guides consists the concept of blocking the users’ access to the wp-includes folder.
It’s because it should be done only if you have a single site. For the multisite, you may have to edit the code. Anyways, in this tutorial, you will learn the best way to protect wp-includes folder.
Blocking the Access Using the .htaccess File
No doubt that the .htaccess file is the most useful file present in the WordPress directory.
For all the security steps, you need to add some extra code in this file, Whether you disable directory browsing or disable PHP execution, you would require this file to get edited.
Just like all, you have to add a code today.
I am sure, you know how to edit the .htaccess file. If you don’t have any problem with the cPanel then it can be directly edited from there.
Otherwise, if you use the Yoast SEO plugin then edit it from the WordPress admin panel.
Go to SEO>>Tools>>File Editor and will see the codes present in the .htaccess file.
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]
Add this code in the file and save.
NOTE: Make sure you add either at the start or end of the existing code. Don’t add between #BEGIN WordPress and #END WordPress tags.
It’s because WordPress because overwrites the code present between these tags.
According to the WordPress developers, you should add the code you want to work for security outside of these two tags.
Here you’re going to protect wp-includes folder by blocking the access.
The scripts present in this folder are hard to understand by many. So you don’t need to worry about what’s inside. Just add the code and save.
This code is helpful because sometimes the hackers enter to your website with a fake user and try to inject the scripts.
But once you disallow the access, no one would able to inject any type of the code. It can help you secure your website for sure.
You would also be interested in knowing the website security tips.
There are many common steps which can be taken. But with the use of the .htaccess file, you can apply almost every possible security.
Adding one more layer to your WordPress website is always the best idea. When it comes to the login page security, you can add a security question, remove password lost link, change login error message and more.
Can You Now Protect wp-includes Folder of Your WordPress Website
There is always a concern regarding the security of a WordPress website. The bots keep scanning for the websites with vulnerabilities.
You should remove all the possibilities to create a backdoor to your website. The hackers try to inject any malicious code in any of the WordPress files.
They can run a script using the wp-includes folder. And you shouldn’t let that happen. Isn’t that easy to protect wp-includes folder?
It’s worthy when you use the code. Many people complain about the coding and demand to have an easy method.
Well, if you use a security plugin which can block the access of all the users then enable this feature. If you face any problem, feel free to drop a comment.
You can also connect with us on Twitter, LinkedIn, and Facebook.
This looks really great Ravi. I am definitely going to try this out.
Thank you for sharing.