Firewall Rule to block access to php files


I would like to create a Firewall rule that would block access to php files in the wp-content folder (that way it would protect both themes and plugins). I added a rule someone else suggested on another post, but when I test and go to a url to a php file in one of my plugins folders, I get a white page not an action denied 1020 message, so I don’t think it’s working.

This is the rule I deployed:

(http.request.uri.path contains " /wp-content/" and http.request.uri.path contains “.php”)

This other one is working and shows a 1020, however, I believe this would only protect the php inside the plugins folders, thus not the themes:

(http.request.uri.path contains “/wp-content/plugins” and not http.referer contains “”)

Can anyone provide a rule to protect all php files within the content folder? Or any ideas why the first rule doesn’t seem to be working?


Try getting rid of the dot in front of php. I’ve had problems with leading dots in Firewall Rules.

Though my opinion is that this protection is unnecessary unless your site has an underlying vulnerability that shouldn’t be there in the first place.

Thanks for the suggestion @sdayman. I just tried removing the . before php, but still the rule doesn’t seem to take – no 1020 access denied message, just a blank page.

Any rule in mind that would protect the theme’s php files? I can have 2 separate rules: one for plugins, already working, and one for the theme.

Would something like this work?

(http.request.uri.path contains “/wp-content/themes” and not http.referer contains “”)

Thanks for your help!


http.request.uri contains "php"

This way you will block access to all .php files.

When you need to login, you will temporary add your IP to Whitelist in IP Access Rules in Tools.

You can find your IP at this link.

Wouldn’t that create issues since all WP php files would get blocked? @kunal.desai1

Yes. All WP files will get blocked but you can temporary whitelist your IP when you need to login. Delete once your work is over.

You can find your IP at this link.

This topic was automatically closed after 30 days. New replies are no longer allowed.