WordPress Security

Hide WP-includes, WP-content/uploads From Your WordPress Site – FREE Plugin & Via .htaccess

Updated on: November 30, 2021

Hide WP-includes, WP-content/uploads From Your WordPress Site – FREE Plugin & Via .htaccess

WordPress is undoubtedly one of the highly recommended content management systems. 75 million websites including businesses, blogs, professionals, and entertainment are currently built on WordPress. This also classifies it as one of the most vulnerable when it comes to online attacks. While most online attacks result from unpatched versions and vulnerable plugins, another major source of WordPress data theft is access to disclosure of essential WordPress elements. Take, for instance, Directory Browsing.

It often happens that when your web server is unable to find an index file (i.e. a file like index.php or index.html), by default it displays an index page revealing contents of the directory.

Hide WP-includes, WP-content/uploads from Your WordPress Site
Directory Browsing in WordPress

You can easily fix directory browsing with a click of a button with the WP-Hardening plugin. WP-Hardening is a one-stop solution to fix most of your WordPress security woes.

Here is how it works:

Hiding WP-includes with WP-Hardening
WP Harden
  • Go to the “Security Fixers” tab.
  • Navigate to ‘Server Hardening‘ and just toggle the key next to ‘Hide Directory Listing of WP includes.’
Hide WP-includes
Hiding WP-includes with WP-Hardening plugin
  • And you’re done!

Rendering such information public could make your site vulnerable to hackers. As it reveals the important information needed to exploit a potential vulnerability in the WordPress theme, plugin, or the server to the hackers.

Why hide WordPress folders from the public?

Owing to an increased number of WordPress CMS attacks, it is essential to Disable Directory Browsing. Hackers can exploit directory browsing to reveal files with known vulnerabilities, and in turn exploit it to gain unauthorized access. Moreover, directory browsing can be used by outsiders to mimic the contents of your file, discover your directory structure, and other information. Which is why it is imperative to restrict directory indexing and browsing.

Related Guide – WordPress Malware Removal

This can be done by modifying your .htaccess file. The .htaccess file is a server configuration file that essentially allows the user to define rules for his server to follow for his website. The .htaccess file is located in your WordPress site’s root folder. To edit it, you’ll need to connect to your website using an FTP client. It is important to note that before beginning to edit your .htaccess file, it is important to download a copy of it to your computer as a backup to be used in case anything goes wrong.

How to hide WP folders from public access?

Add the following line of code to the .htaccess file in your website root:

Options -Indexes

This will prevent directory listing across the website.

How to hide the WordPress login URL?

WordPress login URL can be hidden via multiple methods:

  • With WP-Hardening: The WP Hardening plugin enables you to specify a custom URL for your WordPress login. The new URL can be specified under the ‘Security Fixers‘ section in the WordPress Settings. In case a caching plugin is used on the website, the new login page should be added to the list of pages that are excluded from caching.
Hide WP-includes
  • By whitelisting IP addresses: In this method, only the whitelisted IP addresses can access the wp-login page and every other IP will be shown an error message. This method is recommended if you have a static IP and not many people requiring access to your WordPress admin panel. All you need to do is add the following code in your .htaccess file and replace the “!^123\.123\.123\.123$”.
<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
 RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
 RewriteRule ^(.*)$ - [R=403,L]

In case multiple IP addresses need to be added, just add a new line for each, as shown below:

RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^223\.223\.223\.223$

Your login page will now only be visible to these IP addressess.

Protecting your WP admin page

How to hide WP-content/uploads from Your WordPress?

The wp-content folder appears in the main directory of any WordPress site. It is an important part of every WordPress installation and It contains plugins, themes, uploads, and debug.logs that are provided by the user and not stored on the database.

One can easily hide a certain folder from being accessible to the public by modifying the .htaccess file a little bit. To hide the “Uploads” folder from the public:

  1. Open your FTP client
  2. Navigate to wp-content/uploads
  3. Create a new file and name it “.htaccess” and open it
  4. Copy and paste the following code into the file:
    Order Allow, Deny
    Deny from all
    Allow from all
  5. Save changes.
  6. To verify the changes, navigate to http://yourdomain.com/wp-content/uploads/ where you should now get a 404 error or a blank page which doesn’t show the content of your upload folder.
Disabling Directory Listing in WordPress

How to hide WP-includes from Your WordPress

It is important to restrict access to the WP-includes folder as it contains files strictly meant to run the core version of WordPress. This is the one without any plugins or themes and houses the default theme in the wp-content/theme directory. Access to the includes folder can be disabled using the following code snippet in the .htaccess file :

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/.*\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

How to hide WP-admin aka WP-login

We all know that the default URL for visiting the login page of any WordPress site is site-name/wp-admin. However, exposing your default admin login page can invite hackers to inspect it, and even figure out your credentials. Therefore, it is essential to hide your wp-admin and wp-login page to not only make it more complex for hackers to crack but also to get extra protection from the non-hacker communities.

Experience Astra Web Protection Yourself With Our 7 Day Free Trial!

Astra stops 7 million+ nasty attacks every month! Secure your site with Astra before it is too late.

Related Guide – Complete Guide to WordPress Security (Reduce the risk of Hacking by 90%)

  1. Login to your server dashboard. Go to your public_html folder in Cpanel & open your .htaccess file in the code editor. If it is not visible to you, enable the option “Show hidden files” under visibility and then edit it.
  2. Add the following code at the beginning of your .htaccess file. It might be containing some codes, but you have to paste this at the beginning of every code.
    AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "WordPress Admin Access Control" AuthType Basic <LIMIT GET> order deny,allow deny from all # whitelist <span style="color: #00ff00;">Prakhar IP</span> address allow from <span style="color: #00ff00;">xx.xx.xx.xxx</span> # whitelist <span style="color: #00ff00;">Satyansh IP</span> address allow from <span style="color: #00ff00;">xx.xx.xx.xxx</span> </LIMIT>
  3. Replace the green texts with the name and IP address of the devices (computers, laptops, smartphones) of yours. The number of users can be increased by repeating the same code i.e. #whitelist username address.

The above-listed WordPress hacks are some of the many htaccess hacks that strengthen your WordPress site.

Get the ultimate WordPress security checklist with 300+ test parameters

For the comprehensive security of WordPress sites, it is advised to use Astra for WordPress Security Astra seamlessly integrates with WordPress websites and simplifies regular security checks via a simple dashboard feature.

Tags: , , ,

Naman Rastogi

Naman Rastogi is a Growth hacker and digital marketer at Astra security. Working actively in cybersecurity for more than a year, Naman shares the passion for spreading awareness about cybersecurity amongst netizens. He is a regular reader of anything cybersecurity which he channelizes through the Astra blog. Naman is also a jack of all trade. He is certified in market analytics, content strategy, financial markets and more while working parallelly towards his passion i.e cybersecurity. When not hustling to find newer ways to spread awareness about cybersecurity, he can be found enjoying a game of ping pong or CSGO.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Newest Most Voted
Inline Feedbacks
View all comments
5 years ago

Very Interesting reading and tips! Thanks
I do have a question. How do I hide the contents of my website, like Theme, Wp-content, plugin folders from being view thru the source code like Developer Tools?
Thank you once again.

5 years ago

Thanks for this great information I really love it

4 years ago

Hi There,
Just a query. Does hiding wp from URLs affect The YSLOW Score on GTMetrix.

Gemma S
Gemma S
4 years ago

Hey, thanks. I used the other option combined with this and it worked.

4 years ago

This tutorial really help to understand WordPress Security is essential for every website. Hi i have an question and that how can i hide my cms information using htaccess. Please help me to do this.

Thanks a lot.

4 years ago

How to Hide WP-content/uploads?
I have pasted the code in .htaccess under /wp-content/uploads, but now structure of my site broken. Also i cant see any images.
Removing the code bring back my site to the original one.

4 years ago

Thanks a lot, sir. That was exactly what I was looking for. How do I find the IP address of my network? Since I usually change my network a lot.

3 years ago

That was really helpful. Thanks.

2 years ago

Thanks for this great information. This tutorial really help to understand WordPress Security is essential for every website.

2 years ago

Nice Naman, you can also hide the wp-content, wp-includes and other paths with Hide My WP Ghost from WordPress https://wordpress.org/plugins/hide-my-wp/. And don’t need to physically change them.

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany