My root PHP files are directly accessible; I've tried to block them but was unsuccessful

On my site (WP), some PHP files are directly accessible; this is one of them: example/wp-settings.php

Resulting in:

Warning: require(ABSPATHwp-includes/load.php): failed to open stream: No such file or directory in /home1/hidden/public_html/wp-settings.php on line 21

Fatal error: require(): Failed opening required 'ABSPATHwp-includes/load.php' (include_path='.:/opt/php54/lib/php') in /home1/hidden/public_html/wp-settings.php on line 21

I've tried this in .htaccess:

<Files *.php>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Files>

<Files index.php>
    Order Allow,Deny
    Allow from all
</Files>

This blocks direct access but allows access from the server, but it results in errors on my dashboard; many controls are inaccessible.

I have also already tried some other things similar to this, but none of them worked.

I'm not going to specifically block direct access to wp-settings.php, because I'm sure there are other PHP files that need to be blocked from direct access.

My question: how do I block direct access to PHP files while my server is still able to access them and all WP dashboard controls function properly?

Thanks

2 comments

  1. Add the following line at the top of the file wp-settings.php:

    <?php if ( ! defined('ABSPATH')) exit('No direct script access allowed');
    

    Restrict All Access to wp-includes

    # Block wp-includes folder and files
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Skip the next three rules for anything outside wp-includes/
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>
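
Added example, not part of either answer: a small Python model of how mod_rewrite walks the rule set above in .htaccess context, including the [S=3] skip, so you can see which request paths get a 403. It assumes the dots before "php" are escaped, models only the F and S flags, and uses constructed sample paths.

```python
import re

# Rule set from the answer above, dots before "php" escaped.
# Each entry: (pattern, negated, action). Action "F" forbids the request;
# an integer models [S=n], skipping the next n rules.
RULES = [
    (r"^wp-admin/includes/", False, "F"),
    (r"^wp-includes/", True, 3),  # RewriteRule !^wp-includes/ - [S=3]
    (r"^wp-includes/[^/]+\.php$", False, "F"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, "F"),
    (r"^wp-includes/theme-compat/", False, "F"),
]


def is_forbidden(path):
    """Return True if the rule set answers the request path with 403.

    The path is relative to the directory holding .htaccess (no leading
    slash), which is what mod_rewrite matches in per-directory context.
    """
    skip = 0
    for pattern, negated, action in RULES:
        if skip:
            skip -= 1
            continue
        if bool(re.search(pattern, path)) == negated:
            continue  # rule did not apply to this path
        if action == "F":
            return True
        skip = action
    return False


# Constructed request paths, not taken from the page's site.
SAMPLES = [
    "wp-admin/includes/file.php",
    "wp-includes/load.php",
    "wp-includes/js/tinymce/langs/wp-langs.php",
    "wp-includes/theme-compat/header.php",
    "wp-includes/js/tinymce/wp-tinymce.php",
    "wp-includes/css/buttons.css",
    "wp-admin/admin-ajax.php",
    "wp-settings.php",
]

if __name__ == "__main__":
    for p in SAMPLES:
        print("403 " if is_forbidden(p) else "pass", p)
```

Root files such as wp-settings.php pass through this rule set untouched, so they still need the ABSPATH guard or a Files block.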
    
  2. I added this to my .htaccess:

    <Files error_log>
        Deny from all
    </Files>
    <Files wp-settings.php>
        Deny from all
    </Files>
    <Files wp-config.php>
        Deny from all
    </Files>
    <Files wp-config-sample.php>
        Deny from all
    </Files>
    <Files wp-load.php>
        Deny from all
    </Files>
    <Files wp-blog-header.php>
        Deny from all
    </Files>
    

    It seems the only way to answer this question is to simply enumerate all the files in the root that are include files (and surely should be in wp-includes!).

    There’s then the problem of what to put in the wp-includes/.htaccess file. I’m still working on that. It should be just a case of denying access to everything, but I suspect it’s not as simple as that – if I remember correctly, doing this kills the editor.
