Blocking Web Access to the WordPress Includes Folder.
In this article, we will learn how to secure the WordPress includes folder. To do that, it is necessary to understand how people access the contents on the server.
WordPress is just a set of folders and files that sit on a server on the web, which means anyone can gain access to those files and folders simply by entering a URL that targets them and seeing what is inside.
So how do you avoid this? A clever person who gets access to the WordPress includes folder and the wp-config.php file might be able to do something bad to your site.
So what can we do in that situation? We have to add extra code to the server configuration file, so that if someone somehow finds the address of the wp-includes folder or the wp-config.php file, they are redirected out again and are never able to access these files or folders.
To do this, we need to make changes in the server access file (.htaccess). Here we can do some coding, and I mean very complex coding, so keep the code exactly the same.
Remember that this code goes in the .htaccess file. This file is created by WordPress or by the server, and it allows the server to rewrite URLs as they come in.
- First, go to your cPanel account ==> File Manager ==> public_html.
- There, open the .htaccess file I mentioned already. (If you do not see the file, go to Settings ==> Show Hidden Files.)
- Open the .htaccess file and paste the following code.
Note: See the image below for how to paste the code.
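# Block the include-only files.
# Keep these lines outside the "# BEGIN WordPress" / "# END WordPress" markers, which WordPress may overwrite.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>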
This block of code blocks web access to the include-only files and folders.
This is where the advanced functionality of WordPress sits, and it is the prime target of hackers who want to insert malicious code into your site. What the rewrite rules do is redirect any traffic coming from the web that tries to gain access to any of these folders and send it back to the root folder of the site, that is, the front page of the site. That way no one can access the core files within WordPress or add malicious code to your website.
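To check what the rule chain above matches before relying on it, here is an added example (not part of the original article): a small Python model of the five rules, including the [S=3] skip, run over constructed sample paths. It assumes the pattern sees the path without its leading slash or query string, as in .htaccess context, and it shows that static assets stay reachable and that wp-config.php is not matched by any of these five rules.

```python
import re

# The five rules from the .htaccess block, in order: (pattern, negated, action).
# "F" models the [F,L] (forbidden, last) flags; ("S", n) models [S=n], skip n rules.
RULES = [
    (r"^wp-admin/includes/", False, "F"),
    (r"^wp-includes/", True, ("S", 3)),  # "!" pattern: fires for non-wp-includes paths
    (r"^wp-includes/[^/]+\.php$", False, "F"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, "F"),
    (r"^wp-includes/theme-compat/", False, "F"),
]

def evaluate(url_path):
    """Return 'blocked' or 'pass' for one URL path, walking the rules in order."""
    # Assumption: leading slash and query string are not part of the matched path.
    path = url_path.split("?", 1)[0].lstrip("/")
    i = 0
    while i < len(RULES):
        pattern, negated, action = RULES[i]
        fired = (re.search(pattern, path) is not None) != negated
        if fired and action == "F":
            return "blocked"
        if fired:
            i += action[1]  # [S=n]: jump over the next n rules
        i += 1
    return "pass"

# Constructed sample requests (paths only, no real site involved).
SAMPLES = [
    "/wp-includes/version.php",                    # PHP file directly in wp-includes
    "/wp-includes/js/tinymce/langs/wp-langs.php",
    "/wp-includes/theme-compat/header.php",
    "/wp-admin/includes/file.php",
    "/wp-includes/js/tinymce/wp-tinymce.php",      # nested PHP outside langs/
    "/wp-includes/css/dashicons.min.css",          # static asset the site needs
    "/wp-admin/admin-ajax.php",                    # outside wp-includes: rules skipped
    "/wp-config.php",                              # not covered by these five rules
]

def report(paths=SAMPLES):
    """Map each sample path to the verdict of the rule chain."""
    return {p: evaluate(p) for p in paths}

if __name__ == "__main__":
    for path, verdict in report().items():
        print(f"{verdict:8} {path}")
```
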