I would like to create a Firewall rule that would block access to php files in the wp-content folder (that way it would protect both themes and plugins). I added a rule someone else suggested on another post, but when I test and go to a url to a php file in one of my plugins folders, I get a white page not an action denied 1020 message, so I don’t think it’s working.
This is the rule I deployed:
(http.request.uri.path contains " /wp-content/" and http.request.uri.path contains “.php”)
This other one is working and shows a 1020, however, I believe this would only protect the php inside the plugins folders, thus not the themes:
(http.request.uri.path contains “/wp-content/plugins” and not http.referer contains “mywebsite.com”)
Can anyone provide a rule to protect all php files within the content folder? Or any ideas why the first rule doesn’t seem to be working?
Thanks for the suggestion @sdayman. I just tried removing the . before php, but still the rule doesn’t seem to take – no 1020 access denied message, just a blank page.
Any rule in mind that would protect the theme’s php files? I can have 2 separate rules: one for plugins, already working, and one for the theme.
Would something like this work?
(http.request.uri.path contains “/wp-content/themes” and not http.referer contains “mywebsite.com”)