Securing wp-includes with Firewall

I’m trying to improve WordPress security via Firewall Rules. I found some useful tips for login and /wp-admin but now I’m trying to deploy right rule for /wp-includes

In Codex there is this for .htaccess:
# Block the include-only files.

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

My rule which I was testing is:

(http.request.uri.path contains "/wp-includes" and http.referer eq "")

I didn’t found any issue yet, but maybe somebody will know what problems I can encounter with this. I’ll appreciate feedback and modifications. Thanks!

Drop the http.referer clause.

Also, your rule does not cover “wp-admin”, so you should change it to the following

(http.request.uri.path contains "/wp-includes" or http.request.uri.path contains "/wp-admin/includes")

I have /wp-admin covered by separate rule. But if I drop referer it break admin parts for logged in users.

These files should never be requested by the browser anyhow, should they?

Anyhow, if you need the referrer you can add that

http.referer contains ""

Though I’d discourage that as the referrer can be easily faked.

CSS for Admin Bar is requested (located in /wp-includes) when logged in. With referrer it seems working same as htaccess rule. My goal is to improve security while everthing will work as it should.

Well, your original Apache configuration does not seem to cover the referrer, but anyhow, if it works, it works :slight_smile:

I meant that result is same :wink: If there is way, how to omit referrer, I’m down for it.

This topic was automatically closed after 30 days. New replies are no longer allowed.