So in an honest attempt to harden the security of the WordPress sites I manage, I read numerous articles and posts online about how to do this. More than one source informed me to use an .htaccess file to restrict access to PHP files in the /wp-includes folder.
Now some of you at this point may already be laughing and saying to yourselves “You can’t do that”, I have since learned this. My thinking was that it was going to block clients from accessing PHP files and being able to extract more info about my site/server to be able to find a vulnerability to exploit, but it would still allow the server from the backend to access what it needed to run the site properly. I was wrong…
What these articles informed me to do was to create a file in the /wp-includes folder of my site called .htaccess and in this file have the following text:
deny from all
What this effectively did was stop the clients web browser from accessing any file ending in .php in that wp-includes folder. Surprisingly enough the only visible symptom I was seeing from this was that the visual editor wasn’t working when trying to edit a page or post.
What finally lead me to finding this as the culprit to my problem was the following line in the apache log file for my site:
18.104.22.168 – – [11/Feb/2015:10:43:51 -0500] “GET /wp-includes/js/tinymce/wp-tinymce.php?c=1&ver=4107-20141130 HTTP/1.1” 403 32
This is indicating the clients getting a 403 error while trying to access the wp-tinymce.php file, which is inside the wp-includes folder. Once I saw this, I remember that I had created the .htaccess file and it was apparently acting just like it should. So deleted the .htaccess file and refreshed the site in my browser and everything was working fine again.
So please learn from my experience and mistake, don’t follow the several articles that you will come across online on securing wordpress when they tell you to restrict access to PHP files in in the wp-includes folder.