I installed latest WordPress 3.5 in my CentOS server. When I tried accessing http://example.com/wp-includes/
, I received a listing of the directory: (Index of wp-includes).
I added the following code at the top of .htaccess
file, and it fixed the issue:
Options -Indexes
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*
My problem
When I try accessing PHP files in wp-includes
and wp-content
using a web-browser (for example: http://example.com/wp-includes/class-smtp.php
), it shows a blank screen. I think it should show “Permission denied” or something like this. Am I correct?
How can I achieve this? I’m concerned if my website is vulnerable to attacks. I am already aware of the Hardening WordPress article.
Here are my directory and file permissions:
wp-admin
: 755wp-content
: 755wp-includes
: 755- Files have permission 644
2 s
The PHP files in the wp-includes
directory will do nothing when accessed directly. They are designed to be include()
‘d in an existing PHP script, such as on the front-end or in the dashboard.
Your Options -Indexes
entry in the .htaccess
file simply prevents a list of the files in a directory when no index.php
is present. It’s good practice to use this on a live server. I’m not entirely sure what the second line does; you should most likely remove it.
If you’re especially concerned about people attacking your server, you can prevent access to the wp-includes
directory completely. To do this, create a .htaccess
file inside the wp-includes
folder with the following content:
Deny from all