File and directory permissions

I installed the latest WordPress 3.5 on my CentOS server. When I tried accessing http://example.com/wp-includes/, I received a listing of the directory: (Index of wp-includes).

I added the following code at the top of the .htaccess file, and it fixed the issue:

Options -Indexes
IndexIgnore .htaccess */.??* *~ *# */HEADER* */README* */_vti*

My problem

When I try accessing PHP files in wp-includes and wp-content using a web-browser (for example: http://example.com/wp-includes/class-smtp.php), it shows a blank screen. I think it should show “Permission denied” or something like this. Am I correct?

How can I achieve this? I’m concerned if my website is vulnerable to attacks. I am already aware of the Hardening WordPress article.

Here are my directory and file permissions:

  • wp-admin: 755
  • wp-content: 755
  • wp-includes: 755
  • Files have permission 644

2 comments

  1. The PHP files in the wp-includes directory will do nothing when accessed directly. They are designed to be include()’d in an existing PHP script, such as on the front-end or in the dashboard.

    Your Options -Indexes entry in the .htaccess file simply prevents a list of the files in a directory when no index.php is present. It’s good practice to use this on a live server. I’m not entirely sure what the second line does; you should most likely remove it.

    If you’re especially concerned about people attacking your server, you can prevent access to the wp-includes directory completely. To do this, create a .htaccess file inside the wp-includes folder with the following content:

    Deny from all
    
  2. If you want to protect your WordPress installation, one thing that I always do when I install WordPress is to protect my wp-admin folder (your login page). What I do is I create a .htaccess file in wp-admin and allow only certain IPs to access this folder.
    I think there’s some info on WordPress login page here: htaccess redirect

    Also, who is your host? Did you set this server up yourself? You should not be seeing your index of wp-includes after you install WordPress. It has never happened to me before. :/
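
The two restrictions suggested in the comments above, shown as an added example (not code from either commenter or from WordPress) in a form that works on both Apache 2.2 and Apache 2.4. It assumes the server's AllowOverride setting permits access-control directives in .htaccess; 203.0.113.10 is a placeholder address.

```apache
# --- wp-includes/.htaccess (added example) ---
# Answer direct requests for PHP files with 403 Forbidden instead of a
# blank page. Scripts, styles and images in this tree stay reachable.
# Assumption: browsers never need to request a PHP file under wp-includes
# on this site; check the visual editor and, on multisite, uploaded-file
# serving after enabling this.
<FilesMatch "\.php$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# --- wp-admin/.htaccess (added example) ---
# Allow requests to wp-admin only from the listed address.
# 203.0.113.10 is a placeholder; replace it with your own address.
# Caveat: front-end features that call wp-admin/admin-ajax.php will be
# blocked for other visitors too.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>
```

After saving each file, a request such as http://example.com/wp-includes/class-smtp.php should return 403 Forbidden rather than a blank page.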