Forbid access to php into “wp-content”.

I expected in few articles an advice to disable direct access to php scripts into “/wp-content/uploads” i done small research and observed, than .php placed into “/wp-content” and into subdirs was newer directly accessed thru web. So i just completely disabled direct access to php scripts placed into that dir and subdirs. Looks more securely.

PS
I made mistake. At least tiny-mce php scripts must be accessible thru web. So i just convert  this rules that touch ‘/wp-include’ for nginx:

location ~* /wp-includes {
	location ~* /wp-includes/[^/]+\.php$ {
		deny all;
	}
	location ~* /wp-includes/js/tinymce/langs/.+\.php$ {
		deny all;
	}
	location ~* /wp-includes/theme-compat {
		deny all;
	}
	location ~ /wp-includes/.+\.php$ {
		include php_wordpress_handler;
	}
}

Tags: , , ,

Posted in Web related


Leave a Reply

Your email address will not be published. Required fields are marked *


Powered by WordPress. Designed by Försäkra Online.