Which WordPress scripts need to be executable for a fresh installation?

For security reasons I need to block access to scripts that will not be executed on a fresh WordPress installation.

Example:

  • /index.php –> needs to be executable
  • /wp-includes/cache.php –> should not be executed (it’s included in other files)

Does anyone have information on which files are included and which actually need to be executable?

I want to build a list of valid files that can be executed via .htaccess, like this:


Update:

This is the .htaccess file I have – my actual question: Is this configuration complete, or do I need to allow more files for a fresh WordPress installation to work properly?

<IfModule mod_rewrite.c>
  # ONLY ALLOW THESE SCRIPTS TO EXECUTE:
  # Dots are escaped and the file rules are end-anchored, so a request for
  # wp-login.php.bak or wp-login.phps is not whitelisted by the wp-login.php rule.

  # == Front-end entry point (listed above as needing to execute; without this
  # == rule the block at the bottom would also forbid /index.php)
  RewriteRule ^index\.php$ - [L]
  # == Login, Signup, Activate
  RewriteRule ^wp-login\.php$ - [L]
  RewriteRule ^wp-activate\.php$ - [L]
  RewriteRule ^wp-signup\.php$ - [L]
  # == All admin scripts and WYSIWYG editor
  RewriteRule ^wp-admin/ - [L]
  RewriteRule ^wp-includes/js/tinymce/wp-tinymce\.php$ - [L]
  # == WP Cron and mail
  RewriteRule ^wp-cron\.php$ - [L]
  RewriteRule ^wp-mail\.php$ - [L]
  # == WP Comments form
  RewriteRule ^wp-comments-post\.php$ - [L]

  # (...) <-- I need to know which other files need to be allowed


  # BLOCK ALL OTHER SCRIPTS
  # Only existing files are refused (-f); a request for a .php path that does
  # not exist falls through to whatever rules follow. "php.?" covers php plus
  # one optional character (php3, php5, phps) but not e.g. .phtml.
  RewriteCond %{REQUEST_FILENAME} -f
  RewriteRule \.(php.?|pl|cgi)$ - [F,L]
</IfModule>

3 Answers

Due to the WP admin architecture this would be a really inconvenient list to compile and maintain reliably.

My best educated guess is that many (but possibly not all and not just) of these files would need to require the admin bootstrap (wp-admin/admin.php) to function.

I ran a quick search on the respective directive with the following results:

C:\server\www\dev\wordpress\src>ack --files-with-matches --literal "require_once( dirname( __FILE__ ) . '/admin.php' );"
wp-admin/about.php
wp-admin/admin-header.php
wp-admin/comment.php
wp-admin/credits.php
wp-admin/customize.php
wp-admin/edit-comments.php
wp-admin/edit-tags.php
wp-admin/edit.php
wp-admin/export.php
wp-admin/freedoms.php
wp-admin/import.php
wp-admin/index.php
wp-admin/link-add.php
wp-admin/link-manager.php
wp-admin/link.php
wp-admin/media-new.php
wp-admin/media-upload.php
wp-admin/media.php
wp-admin/ms-admin.php
wp-admin/ms-delete-site.php
wp-admin/ms-edit.php
wp-admin/ms-options.php
wp-admin/ms-sites.php
wp-admin/ms-themes.php
wp-admin/ms-upgrade-network.php
wp-admin/ms-users.php
wp-admin/my-sites.php
wp-admin/nav-menus.php
wp-admin/network/about.php
wp-admin/network/credits.php
wp-admin/network/edit.php
wp-admin/network/freedoms.php
wp-admin/network/index.php
wp-admin/network/plugin-editor.php
wp-admin/network/plugin-install.php
wp-admin/network/plugins.php
wp-admin/network/profile.php
wp-admin/network/settings.php
wp-admin/network/setup.php
wp-admin/network/site-info.php
wp-admin/network/site-new.php
wp-admin/network/site-settings.php
wp-admin/network/site-themes.php
wp-admin/network/site-users.php
wp-admin/network/sites.php
wp-admin/network/theme-editor.php
wp-admin/network/theme-install.php
wp-admin/network/themes.php
wp-admin/network/update-core.php
wp-admin/network/update.php
wp-admin/network/upgrade.php
wp-admin/network/user-edit.php
wp-admin/network/user-new.php
wp-admin/network/users.php
wp-admin/network.php
wp-admin/options-discussion.php
wp-admin/options-general.php
wp-admin/options-media.php
wp-admin/options-permalink.php
wp-admin/options-reading.php
wp-admin/options-writing.php
wp-admin/options.php
wp-admin/plugin-editor.php
wp-admin/plugin-install.php
wp-admin/plugins.php
wp-admin/post-new.php
wp-admin/post.php
wp-admin/press-this.php
wp-admin/revision.php
wp-admin/term.php
wp-admin/theme-editor.php
wp-admin/theme-install.php
wp-admin/themes.php
wp-admin/tools.php
wp-admin/update-core.php
wp-admin/update.php
wp-admin/upload.php
wp-admin/user/about.php
wp-admin/user/credits.php
wp-admin/user/freedoms.php
wp-admin/user/index.php
wp-admin/user/profile.php
wp-admin/user/user-edit.php
wp-admin/user-edit.php
wp-admin/user-new.php
wp-admin/users.php
wp-admin/widgets.php
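The answer's ack search finds admin screens by one literal require string. The following is an added example (not code from the question, the answer or WordPress itself) that generalises that search: it walks a WordPress tree, resolves every require/include of a `.php` file (the `dirname( __FILE__ )`, `__DIR__` and `ABSPATH . '...'` forms core uses), and treats a file as a direct-request entry point only if it pulls in one of the bootstrap files (wp-load.php, wp-blog-header.php or wp-admin/admin.php) and no other file requires it. That last condition is what separates wp-login.php from wp-blog-header.php, which also requires wp-load.php but is only ever included by index.php. It then prints RewriteRule lines in the question's own format, collapsing wp-admin/ into one prefix rule as the question does. The decision rule is this example's heuristic, and the miniature tree it scans is constructed here to mirror the require forms of real core files; it is not a real install, so run `entry_points()` against an actual WordPress checkout to get the real list.

```python
"""Classify PHP files in a WordPress tree as entry points or include-only,
then emit a .htaccess allowlist. Added example; heuristic is this script's own."""
import os
import re
import tempfile

# Core bootstrap files; requiring one of them marks a script as a candidate entry point.
BOOTSTRAP = {"wp-load.php", "wp-blog-header.php", "wp-admin/admin.php"}

# One require/include statement. `expr` (dirname(...), __DIR__, ABSPATH ...) decides
# how the quoted `path` is resolved.
REQ_RE = re.compile(
    r"""\b(?:require|include)(?:_once)?\s*\(?\s*(?P<expr>[^;'"]*)"""
    r"""['"](?P<path>[^'"]+\.php)['"]\s*\)?\s*;"""
)


def resolve(rel_file, expr, path):
    """Turn the argument of a require into a root-relative path."""
    if "ABSPATH" in expr:
        base = ""                              # ABSPATH . 'wp-admin/x.php' is root-relative
    else:
        base = os.path.dirname(rel_file)       # __DIR__ / dirname( __FILE__ ) is the file's own dir
        for _ in range(expr.count("dirname") - 1):   # each nested dirname() goes one level up
            base = os.path.dirname(base)
    return os.path.normpath(os.path.join(base, path.lstrip("/"))).replace(os.sep, "/")


def scan(root):
    """Map each PHP file (root-relative) to the set of root-relative files it requires."""
    requires = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            requires[rel] = {resolve(rel, m.group("expr"), m.group("path"))
                             for m in REQ_RE.finditer(text)}
    return requires


def entry_points(root):
    """Files that bootstrap WordPress and are not themselves required by another file."""
    requires = scan(root)
    required_by_others = set().union(*requires.values())
    return sorted(f for f, deps in requires.items()
                  if deps & BOOTSTRAP and f not in required_by_others)


def allowlist_rules(entries, collapse=("wp-admin/",)):
    """RewriteRule lines in the question's format. Directories in `collapse` become a
    single prefix rule; file rules get escaped dots and a '$' anchor."""
    rules, seen = [], set()
    for f in entries:
        prefix = next((c for c in collapse if f.startswith(c)), None)
        target = prefix if prefix else f
        if target in seen:
            continue
        seen.add(target)
        pattern = "^" + target.replace(".", r"\.") + ("" if prefix else "$")
        rules.append("RewriteRule %s - [L]" % pattern)
    return rules


# Constructed miniature of a WordPress tree. The require lines copy the forms real
# core files use, but the tree itself is made up for this example.
SAMPLE_TREE = {
    "index.php": "<?php\nrequire( dirname( __FILE__ ) . '/wp-blog-header.php' );\n",
    "wp-blog-header.php": "<?php\nrequire_once( dirname( __FILE__ ) . '/wp-load.php' );\n",
    "wp-load.php": "<?php\nrequire_once( ABSPATH . 'wp-config.php' );\n",
    "wp-login.php": "<?php\nrequire( dirname( __FILE__ ) . '/wp-load.php' );\n",
    "wp-cron.php": "<?php\nrequire_once( dirname( __FILE__ ) . '/wp-load.php' );\n",
    "wp-comments-post.php": "<?php\nrequire( dirname( __FILE__ ) . '/wp-load.php' );\n",
    "wp-admin/admin.php": "<?php\nrequire_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );\n",
    "wp-admin/admin-ajax.php": "<?php\nrequire_once( dirname( dirname( __FILE__ ) ) . '/wp-load.php' );\n",
    "wp-admin/admin-header.php": "<?php\nrequire_once( dirname( __FILE__ ) . '/admin.php' );\n",
    "wp-admin/edit.php": "<?php\nrequire_once( dirname( __FILE__ ) . '/admin.php' );\n"
                         "require_once( ABSPATH . 'wp-admin/admin-header.php' );\n",
    "wp-includes/cache.php": "<?php\nfunction wp_cache_get() {}\n",   # never bootstraps: include-only
}


def build_sample_tree():
    """Write SAMPLE_TREE to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    for rel, body in SAMPLE_TREE.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rule in allowlist_rules(entry_points(build_sample_tree())):
        print(rule)
```

On the sample tree this yields rules for index.php, wp-admin/, wp-comments-post.php, wp-cron.php and wp-login.php, while wp-blog-header.php, wp-load.php, wp-admin/admin.php, wp-admin/admin-header.php and wp-includes/cache.php are classified as include-only. Anything the scanner misses because a file is reached through a require form it does not parse shows up as a 403 in the access log once the block rule is in place, which is the practical way to find the remaining gaps in the list.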
