Hide WP-includes, WP-content/uploads from Your WordPress Site
WordPress, the most widely used content management system, is also one of the most frequently attacked. Most compromises come from unpatched core versions and vulnerable plugins, but another avenue is the unnecessary exposure of WordPress internals. Directory browsing is a case in point.
When a web server receives a request for a directory that contains no index file (index.php, index.html and so on), many default configurations respond with an automatically generated listing of that directory's contents.
Publishing that listing hands an attacker exactly what they need to choose a target: a listing of wp-content/plugins or wp-content/themes reveals which plugins and themes are installed (often with the version visible in a bundled readme or changelog), and a listing of wp-content/uploads reveals files that were never meant to be linked. That information lets an attacker match your installation against known vulnerabilities in a theme, a plugin or the server itself.
Why hide WordPress Folders from Public?
Because WordPress sites are attacked constantly, directory browsing should be disabled. A listing lets an attacker enumerate the files present, spot components with known vulnerabilities and use them to gain unauthorized access; it also exposes your directory structure and the names of files you never intended to publish. That is why directory indexing and browsing should be turned off.
This is done by editing the .htaccess file. A .htaccess file is a per-directory configuration file that lets the site owner set rules the web server applies to that directory and everything below it; the main one sits in the root folder of your WordPress site. Two things to keep in mind: .htaccess files are read only by Apache and Apache-compatible servers such as LiteSpeed (nginx ignores them entirely), and a directive only takes effect if the server's AllowOverride setting permits it for that directory, otherwise the request fails with a 500 Internal Server Error. To edit the file, connect to your site with an FTP or SFTP client, and before changing anything download a copy to your computer as a backup in case something goes wrong.
How to Hide WP-content/uploads from Your WordPress?
You can stop a folder from listing its contents by adding a small .htaccess file to it. To hide the contents of the uploads folder:
- Open your FTP client
- Navigate to wp-content/uploads
- Create a new file named ".htaccess" and open it
- Copy and paste the following into the file:

```apache
# wp-content/uploads/.htaccess
# Turn off the automatic directory listing for this folder and everything below it.
# Files that are requested by their full path (images, PDFs, ...) are still served,
# so the site keeps working; only the index page of the folder disappears.
Options -Indexes
```

- Save changes
- Open http://yourdomain.com/wp-content/uploads/ in a browser. You should now get a 403 Forbidden response instead of a listing of the folder, while any image you open by its full URL still loads. If you get a 500 Internal Server Error instead, your host does not allow the Options directive in .htaccess (AllowOverride does not include Options); remove the line and ask the host to disable indexing in the server configuration.
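As an added example (this is not code from the original post), here is a fuller wp-content/uploads/.htaccess. It disables the listing as above and goes one step beyond the text: it also refuses to execute PHP files inside the uploads tree, which is where an attacker who manages to upload a web shell would otherwise run it from. It assumes Apache with AllowOverride permitting the Options, FileInfo and Limit directive groups for this directory; the IfModule branches cover both the Apache 2.4 Require syntax and the older Order/Deny syntax.

```apache
# wp-content/uploads/.htaccess  (added example, not from the original post)
# Assumes: Apache 2.2 or 2.4, AllowOverride allowing Options, FileInfo and Limit.

# 1. No directory listing. A request for /wp-content/uploads/ (or any
#    subfolder) returns 403 Forbidden instead of an index of every file.
#    Files requested by their full path are still served normally.
Options -Indexes

# 2. Never execute PHP from the uploads tree. WordPress only stores media
#    here, so there is no legitimate PHP to run; anything matching these
#    extensions is refused outright rather than handed to the PHP engine.
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  <IfModule mod_authz_core.c>
    # Apache 2.4 access control
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2 access control
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
```

To verify: request /wp-content/uploads/ and expect 403, request an existing image by its full path and expect 200, then upload (or create over FTP) a file named test.php containing `<?php phpinfo();` in uploads and request it; the response must be 403, not a phpinfo page. Delete the test file afterwards.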
How to Hide WP-includes from Your WordPress
The wp-includes directory holds the core PHP libraries that WordPress loads internally. None of them are meant to be requested directly in a browser, so a direct request is at best useless and at worst a way to probe the installed version or to trigger code in a file that does not expect to run stand-alone. (The default themes are not here; they live in wp-content/themes.) The snippet below, which is the block from the WordPress hardening documentation, returns 403 Forbidden for direct requests to PHP files in wp-includes, to the wp-admin/includes directory and to wp-includes/theme-compat, while leaving the rest of the site untouched. Add it to the root .htaccess above the "# BEGIN WordPress" marker: WordPress rewrites everything between "# BEGIN WordPress" and "# END WordPress" whenever permalinks are saved, so rules placed inside that region are lost. Note that the rule blocking wp-includes/*.php breaks Multisite installs, where ms-files.php must stay reachable, so skip that one line on Multisite.
```apache
# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Direct requests to the admin include files are refused (403).
RewriteRule ^wp-admin/includes/ - [F,L]
# For any request that is NOT under wp-includes/, skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# PHP files directly inside wp-includes/ (remove this line on Multisite).
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
# TinyMCE language files that are PHP.
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
# Theme compatibility shims that should never be requested directly.
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```
How to Hide WP-admin aka WP-login
The default login URL of every WordPress site is site-name/wp-admin, which redirects to wp-login.php. Because that location is universal, attackers and automated bots try it on every site they find, running password-guessing attacks against it. Restricting wp-admin and wp-login.php to the IP addresses you actually log in from means the login form is simply not reachable from anywhere else: the guessing traffic gets a 403 before it ever touches WordPress, which also removes the load those bots put on the server.
- Log in to your hosting control panel (cPanel in this example), open the File Manager, go to the public_html folder and open .htaccess in the code editor. If the file is not listed, enable "Show Hidden Files" in the File Manager settings and try again.
- Add the following block near the top of the file, outside the region between "# BEGIN WordPress" and "# END WordPress" (WordPress rewrites that region and would discard your rules). The block is scoped to wp-login.php with a <Files> directive on purpose: an unscoped "deny from all" in the root .htaccess would lock every visitor out of the whole site. To protect the wp-admin directory as well, create a .htaccess file inside wp-admin containing the same order/deny/allow lines without the <Files> wrapper.

```apache
# Root .htaccess: allow wp-login.php only from the listed IP addresses.
# No <Limit> wrapper: the original <LIMIT GET> would have restricted GET only
# and left POST, the method a password-guessing attack actually uses, wide open.
<Files wp-login.php>
order deny,allow
deny from all
# whitelist Prakhar IP address
allow from xx.xx.xx.xxx
# whitelist Satyansh IP address
allow from xx.xx.xx.xxx
</Files>
```

- Replace the names in the comments and the xx.xx.xx.xxx placeholders with the public IP addresses your devices (computers, laptops, smartphones) connect from; add one more "allow from" line per address. Three caveats: this is the Apache 2.2 access-control syntax, which on Apache 2.4 works only if mod_access_compat is loaded (otherwise use "Require ip"); if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than yours unless mod_remoteip is configured to restore the client IP; and anyone on a dynamic IP address is locked out whenever that address changes, so keep FTP access handy to edit the list.
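For servers running Apache 2.4 without the compatibility module, here is the equivalent configuration as an added example (not code from the original post). It covers both the wp-admin directory and wp-login.php, and handles one failure mode the simple allow-list causes: wp-admin/admin-ajax.php is requested by the public front end of many themes and plugins, so it has to stay reachable or those features break for ordinary visitors. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders from the documentation ranges; substitute your own.

```apache
# Added example, not from the original post. Apache 2.4 "Require" syntax.
# Addresses below are placeholders; replace them with your own public IPs.

# --- file 1: wp-admin/.htaccess ---------------------------------------------
# Everything under /wp-admin/ is restricted to the listed addresses, for every
# HTTP method (there is no <Limit>, so POST and friends are covered too).
# Several "Require ip" lines in a directory context are combined as "any of".
Require ip 203.0.113.10
Require ip 198.51.100.0/24

# Exception: admin-ajax.php is called by the public site (search suggestions,
# infinite scroll, contact forms, ...). Leaving it blocked breaks those for
# every visitor who is not on the allow-list.
<Files admin-ajax.php>
  Require all granted
</Files>

# --- file 2: root .htaccess, placed ABOVE the "# BEGIN WordPress" marker ------
# wp-login.php lives in the site root, not in wp-admin, so it needs its own
# rule. Keep it inside <Files>: an unscoped Require in the root .htaccess
# would lock every visitor out of the whole site.
<Files wp-login.php>
  Require ip 203.0.113.10
  Require ip 198.51.100.0/24
</Files>
```

Verify from an allowed address that /wp-login.php and /wp-admin/ load and that logging in still works, then from any other address (a phone on mobile data is convenient) confirm that both return 403 while the public pages and admin-ajax.php still respond. If the 403 never appears from outside, the server is most likely behind a proxy or CDN and is seeing the proxy's IP, in which case mod_remoteip must be configured before an IP allow-list can mean anything.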
The .htaccess rules above are a few of the many that can be used to strengthen a WordPress site.
Also, check our post on How to Secure Your WordPress Admin from Hackers.
For comprehensive security of WordPress sites, it is advised to use Astra for WordPress Security. Astra integrates with WordPress websites and simplifies regular security checks through a simple dashboard.