I’m trying to tighten up security on my WordPress installation, and one of the things that seems like it might be a good idea is preventing all of the internal-use .php files from being accessed directly via HTTP. For instance, http://MYSITE/blog/xmlrpc.php
needs to remain directly accessible, but there’s no reason why http://MYSITE/blog/wp-load.php
shouldn’t give a 404.
The question is: Where do I get a complete list of stock WordPress .php files that can legitimately appear in URLs?
Also, I use mod_rewrite to remove the top-level index.php
from all my published URLs — does that mean I can block direct use of http://MYSITE/blog/index.php?whatever
?
Correct me if I’m wrong, but far as I know, You don’t access directly to any of the files, the apache user does. Meaning, the user browser talks to the server’s httpd process which will get the file from the filesystem.
So, i think that if you get a 404 on the browser when directly requesting a file, you will get the same 404 error when using the links on the wordpress pages.
I understand your point, I just don’t know if it is possible.
About blocking requests based on the address, I think you should look at the specs of the .htaccess file. The WordPress uses this file to config the permalinks.