Hardening WordPress: blocking /includes with htaccess

This page

https://wordpress.org/support/article/hardening-wordpress/

says this should be included in the .htaccess file to block requests for files inside the includes dir.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>


# BEGIN WordPress
...

How does that work? As far as I can read it, it only specifies not to rewrite certain URLs (using -), and then fails to actually rewrite all other requests. Is there something missing?



You ask:

How does that work? As far as I can read it, it only specifies not to rewrite certain URLs (using -),

These files are included within the WordPress PHP scripts, so there's no need to access them in the browser, but notice the rewrite flags.

Here's some information on the F, L and S flags from the Apache docs:

Using the [F] flag causes the server to return a 403 Forbidden status code to the client.

When using [F], an [L] is implied - that is, the response is returned immediately, and no further rules are evaluated.

The [S] flag is used to skip rules that you don't want to run. The syntax of the skip flag is [S=N], where N signifies the number of rules to skip (provided the RewriteRule matches). This can be thought of as a goto statement in your rewrite ruleset.

You ask:

and then fails to actually rewrite all other requests.

No, all other HTTP requests that do not match the security rewrites go to the # BEGIN WordPress part.

So let's check out the number of files affected by these security rewrite rules:

http://example.com/wp-admin/includes/*                 -  62 PHP files
http://example.com/wp-includes/*.php                   - 110 PHP files
http://example.com/wp-includes/theme-compat/*          -   5 PHP files
http://example.com/wp-includes/js/tinymce/langs/*.php  -   0 PHP files

according to my WordPress 3.9.1 install.
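To make the interplay of the flags concrete, here is an added Python simulation (example code, not from the WordPress hardening page or from Apache) that parses the RewriteRule lines quoted in the question and walks them the way mod_rewrite does in per-directory (.htaccess) context: the request path is matched relative to RewriteBase, so without its leading slash; a substitution of `-` leaves the path unchanged; `[F]` returns 403 and implies `[L]`; `[S=N]` skips the next N rules whenever its (here negated) pattern matches. The request paths fed to it are constructed samples, not file names from a real install.

```python
import re

# Constructed copy of the rule block quoted in the question (the WordPress
# hardening page's ruleset), used as input to the parser below.
HTACCESS = r"""
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
"""


def parse_rules(text):
    """Extract (negated, compiled pattern, substitution, flags) from RewriteRule lines.
    Other directives are ignored; flag lists like [F,L] or [S=3] become a dict."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("RewriteRule"):
            continue
        _, pattern, substitution, *rest = line.split()
        flags = {}
        if rest:
            for flag in rest[0].strip("[]").split(","):
                name, _, value = flag.partition("=")
                flags[name] = int(value) if value else True
        negated = pattern.startswith("!")
        rules.append((negated, re.compile(pattern.lstrip("!")), substitution, flags))
    return rules


def evaluate(rules, path):
    """Walk the rules for one request path as mod_rewrite would in .htaccess context.
    The path carries no leading slash (it is relative to RewriteBase). '-' keeps the
    path unchanged, [F] answers 403 and implies [L], [L] stops, [S=N] skips the next
    N rules after a match. Returns (status, final_path); 200 means the request fell
    through to whatever rules follow (here the '# BEGIN WordPress' block)."""
    i = 0
    while i < len(rules):
        negated, regex, substitution, flags = rules[i]
        matched = bool(regex.search(path)) != negated
        if not matched:
            i += 1
            continue
        if "F" in flags:
            return 403, path
        if substitution != "-":
            path = regex.sub(substitution, path)  # not exercised by this ruleset
        if "L" in flags:
            break
        i += 1 + flags.get("S", 0)
    return 200, path


# Constructed sample request paths (not real file names from an install).
SAMPLE_PATHS = [
    "wp-admin/includes/file.php",           # blocked by rule 1
    "wp-admin/admin.php",                   # not wp-includes: S=3 jumps past the rest
    "wp-includes/version.php",              # .php directly under wp-includes: blocked
    "wp-includes/js/jquery/jquery.js",      # static asset, must stay reachable
    "wp-includes/js/tinymce/langs/en.php",  # blocked by the tinymce rule
    "wp-includes/theme-compat/footer.php",  # blocked by the theme-compat rule
    "wp-includes/nested/dir/file.php",      # deeper .php: no rule matches
    "index.php",                            # front controller, falls through
]


def classify(paths=SAMPLE_PATHS, text=HTACCESS):
    """Map each request path to the status the ruleset produces for it."""
    rules = parse_rules(text)
    return {p: evaluate(rules, p)[0] for p in paths}


if __name__ == "__main__":
    for path, status in classify().items():
        print(f"{status}  /{path}")
```

Two things the walk makes visible: the `[S=3]` count must equal the number of wp-includes rules that follow it, so adding a rule to that group without bumping N silently leaves the new rule unreached for non-wp-includes requests, and only `.php` files directly under wp-includes (plus the two listed subdirectories) get a 403, while deeper `.php` paths fall through. On a live server, confirm the block with `curl -I` against a wp-includes PHP file and expect a 403; if you get 200, remember that the `<IfModule>` wrapper makes the whole block a no-op when mod_rewrite is not loaded, and that RewriteRule in .htaccess also needs `AllowOverride FileInfo` for that directory.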
