I installed latest WordPress 3.5 in my CentOS server. When I tried accessing http://example.com/wp-includes/, I received a listing of the directory: (Index of wp-includes).
I added the following code at the top of .htaccess file, and it fixed the issue:
Options -Indexes
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
My problem
When I try accessing PHP files in wp-includes and wp-content using a web-browser (for example: http://example.com/wp-includes/class-smtp.php), it shows a blank screen. I think it should show “Permission denied” or something like this. Am I correct?
How can I achieve this? I’m concerned if my website is vulnerable to attacks. I am already aware of the Hardening WordPress article.
Here are my directory and file permissions:
wp-admin: 755wp-content: 755wp-includes: 755- Files have permission 644
2 s
The PHP files in the wp-includes directory will do nothing when accessed directly. They are designed to be include()‘d in an existing PHP script, such as on the front-end or in the dashboard.
Your Options -Indexes entry in the .htaccess file simply prevents a list of the files in a directory when no index.php is present. It’s good practice to use this on a live server. I’m not entirely sure what the second line does; you should most likely remove it.
If you’re especially concerned about people attacking your server, you can prevent access to the wp-includes directory completely. To do this, create a .htaccess file inside the wp-includes folder with the following content:
Deny from all
