Which of WordPress’s .php files need to be directly accessible via HTTP?

I’m trying to tighten up security on my WordPress installation, and one of the things that seems like it might be a good idea is preventing all of the internal-use .php files from being accessed directly via HTTP. For instance, http://MYSITE/blog/xmlrpc.php needs to remain directly accessible, but there’s no reason why http://MYSITE/blog/wp-load.php shouldn’t give a 404.

The question is: Where do I get a complete list of stock WordPress .php files that can legitimately appear in URLs?

Read More

Also, I use mod_rewrite to remove the top-level index.php from all my published URLs — does that mean I can block direct use of http://MYSITE/blog/index.php?whatever?

Related posts

Leave a Reply

1 comment

  1. Correct me if I’m wrong, but far as I know, You don’t access directly to any of the files, the apache user does. Meaning, the user browser talks to the server’s httpd process which will get the file from the filesystem.
    So, i think that if you get a 404 on the browser when directly requesting a file, you will get the same 404 error when using the links on the wordpress pages.

    I understand your point, I just don’t know if it is possible.

    About blocking requests based on the address, I think you should look at the specs of the .htaccess file. The WordPress uses this file to config the permalinks.