2

I am trying to secure my wordpress site through htaccess - By blocking php files from folders.

Example:

  1. Deny all php files in wp-content
  2. Allow php files in in wp-admin and wp-includes
  3. On home directory, allow index.php and allow all files with wp and deny all.

So Far:

Deny wp-config.php

<files wp-config.php>
order allow,deny
deny from all
</files>

Run only certain files (but i cant get directory to work on this level)

Order deny,allow
Deny from all
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
Improve this question

1 Answer 1

Reset to default
2

You cannot match directories using Files directive.

Have these 2 rules as your very first rules in main WP .htaccess:

RewriteEngine On

RewriteRule ^/?wp-content/.+?\.php - [NC,F]

RewriteCond %{REQUEST_URI} !^/(index|wp.+?)\.php [NC]
RewriteRule ^/?[^./]+\.php - [NC,F]

Don't forget to remove all the Files blocks.

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Would u recommend i do this at the httpd.conf
If you already have a WO .htaccess and might as well do it there. Alternatively you can do this in httpd.conf (see updated rules that will work in both places)
I want to be able to redirect it to the homepage if file is opened, anyway of doing that? code so far RewriteRule ^/?wp-content/.+?\.php$ / [NC,F] (want to be able to do it dynamically without entering in the url
You can do: RewriteRule ^/?wp-content/.+?\.php / [NC,L,R=302] for that.
this answer doesn't helped me at all
|

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.