WordPress Security

Hide WP-includes, WP-content/uploads from Your WordPress Site – FREE Plugin & Via .htaccess

Updated on: May 4, 2020

Hide WP-includes, WP-content/uploads from Your WordPress Site – FREE Plugin & Via .htaccess

WordPress is undoubtedly one of the highly recommended content management systems. 75 million websites including businesses, blogs, professionals, and entertainment are currently built on WordPress. This also classifies it as one of the most vulnerable when it comes to online attacks. While most online attacks result from unpatched versions and vulnerable plugins, another source of WordPress data theft is access to disclosure of essential WordPress elements. Take, for instance, Directory Browsing.

It often happens that when your web server is unable to find an index file (i.e. a file like index.php or index.html), by default it displays an index page revealing contents of the directory.

Hide WP-includes, WP-content/uploads from Your WordPress Site

You can easily fix directory browsing in a single click with the WP-Hardening plugin. WP-Hardening is a one-stop solution to fix most of your WordPress security woes.

Here is how it works:

  1. Install the WP Hardening Plugin and activate it. It will render in the bottom left corner of your admin panel.
  2. Go to the “Security Fixers” tab.

Hide WP-includes
Hiding WP-includes with WP-Hardening plugin
  • Navigate to “Server Hardening” and just toggle the key next to “Hide Directory Listing of WP includes.
  • And Hurray! You’re done. You have fixed 12+ security issues with just a click.
  • Rendering such information public could make your site vulnerable to hackers. As it reveals the important information needed to exploit a potential vulnerability in the WordPress theme, plugin or the server to the hackers.

    Why hide WordPress Folders from the Public?

    Owing to an increased number of WordPress CMS attacks, it is essential to Disable Directory Browsing. Hackers can exploit directory browsing to reveal files with known vulnerabilities, and in turn exploit it to gain unauthorized access. Moreover, directory browsing can be used by outsiders to mimic the contents of your file, discover your directory structure and other information. Which is why it is imperative to restrict directory indexing and browsing.

    This can be done by modifying your .htaccess file. The .htaccess file is a server configuration file which essentially allows the user to define rules for his server to follow for his website. The .htaccess file is located in your WordPress site’s root folder. To edit it, you’ll need to connect to your website using an FTP client. It is important to note that before beginning to edit your .htaccess file, it is important to download a copy of it to your computer as a backup to be used in case anything goes wrong.

    How to hide WP folders from public access?

    Add the following line of code to the .htaccess file in your website root.

    Options -Indexes

    This will prevent directory listing across the website.

    How to hide the WordPress login URL?

    WordPress login URL can be hidden via multiple methods:

      1. Install WPS Hide Login plugin for WordPress. This enables you to specify a custom URL for your WordPress login. The new URL can be specified under the WPS Hide Login section in the WordPress Settings. In case a caching plugin is used on the website, the new login page should be added to the list of pages that are excluded from caching.
      2. By whitelisting IP addresses. In this method, only the whitelisted IP addresses can access the wp-login page and every other IP will be shown an error message. This method is recommended if you have a static IP and not many people requiring access to your WordPress admin panel. All you need to do is add the following code in your .htaccess file and replace the “!^123\.123\.123\.123$”.

    <IfModule mod_rewrite.c>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
    RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteRule ^(.*)$ - [R=403,L]
    </IfModule>

    In case multiple IP addresses needs to be added, just add a new line for each, as shown below.

    RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
    RewriteCond %{REMOTE_ADDR} !^223\.223\.223\.223$

    Your login page will now only be visible to these IP addressess.

    How to Hide WP-content/uploads from Your WordPress?

    One can easily hide a certain folder from being accessible to the public by modifying the .htaccess file a little bit. To hide “Uploads” folder from the public:

      1. Open your FileZilla.”>FTP client
      2. Navigate to wp-content/uploads
      3. Create a new file and name it “.htaccess” and open it
      4. Copy and paste the following code into the file:
        Order Allow,Deny
        Deny from all
        
         Allow from all
        
      5. Save changes
      6. Navigate to http://yourdomain.com/wp-content/uploads/ where you should now get 404 error or a blank page which doesn’t show the content of your upload folder.

    How to Hide WP-includes from Your WordPress

    It is important to restrict access to the WP-includes folder as it contains files strictly meant to run the core version of WordPress. This is the one without any plugins or themes and houses the default theme in the wp-content/theme directory. Access to the includes folder can be disabled using the following code snippet in the .htaccess file :

    # Block wp-includes folder and files
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

    How to Hide WP-admin aka WP-login

    We all know that the default URL for visiting the login page of any WordPress site is site-name/wp-admin. However, exposing your default admin login page can invite hackers to inspect it, and even figure out your credentials. Therefore, it is essential to hide your wp-admin and wp-login page to not only make it more complex for hackers to crack but also to get extra protection from the non-hacker communities.

    Related Guide – Complete Guide to WordPress Security (Reduce the risk of Hacking by 90%)

    1. Login to your server dashboard. Go to your public_html folder in Cpanel & open your .htaccess file in the code editor. If it is not visible to you, Enable the option “show hidden files” under visibility and then edit it.
    2. Add the following code at the beginning of your .htaccess file. It might be containing some codes, but you have to paste this at the beginning of every code.
      AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "WordPress Admin Access Control" AuthType Basic <LIMIT GET> order deny,allow deny from all # whitelist <span style="color: #00ff00;">Prakhar IP</span> address allow from <span style="color: #00ff00;">xx.xx.xx.xxx</span> # whitelist <span style="color: #00ff00;">Satyansh IP</span> address allow from <span style="color: #00ff00;">xx.xx.xx.xxx</span> </LIMIT>
    3. Replace the green texts with the name and IP address of the devices (computers, laptops, smartphones) of yours. The number of users can be increased by repeating the same code i.e. #whitelist username address

    Above listed WordPress hacks are some of the many htaccess hacks to strengthen your WordPress site. Also, Here’s a video for steps you need to follow additionally to super secure your WordPress site.

    Get the ultimate WordPress security checklist with 300+ test parameters

    For the comprehensive security of WordPress sites, it is advised to use Astra for WordPress Security Astra seamlessly integrates with WordPress websites and simplifies regular security checks via a simple dashboard feature. 

    Was this post helpful?

    Tags: , , ,

    Naman Rastogi

    Naman Rastogi is a Growth hacker and digital marketer at Astra security. Working actively in cybersecurity for more than a year, Naman shares the passion for spreading awareness about cybersecurity amongst netizens. He is a regular reader of anything cybersecurity which he channelizes through the Astra blog.Naman is also a jack of all trade. He is certified in market analytics, content strategy, financial markets and more while working parallelly towards his passion i.e cybersecurity.When not hustling to find newer ways to spread awareness about cybersecurity, he can be found enjoying a game of ping pong or CSGO.

    11
    Questions? Got something to add? Let’s Talk

    avatar
    7 Comment threads
    4 Thread replies
    0 Followers
     
    Most reacted comment
    Hottest comment thread
    8 Comment authors
    Naman RastogiFosterManojMainulGemma S Recent comment authors

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    newest oldest most voted
    Sashi
    Guest
    Sashi

    Very Interesting reading and tips! Thanks
    I do have a question. How do I hide the contents of my website, like Theme, Wp-content, plugin folders from being view thru the source code like Developer Tools?
    Thank you once again.

    Mark
    Guest

    Thanks for this great information I really love it

    Jaspreet
    Guest
    Jaspreet

    Hi There,
    Just a query. Does hiding wp from URLs affect The YSLOW Score on GTMetrix.

    Gemma S
    Guest
    Gemma S

    Hey, thanks. I used the other option combined with this and it worked.

    Mainul
    Guest
    Mainul

    This tutorial really help to understand WordPress Security is essential for every website. Hi i have an question and that how can i hide my cms information using htaccess. Please help me to do this.

    Thanks a lot.

    Manoj
    Guest

    How to Hide WP-content/uploads?
    I have pasted the code in .htaccess under /wp-content/uploads, but now structure of my site broken. Also i cant see any images.
    Removing the code bring back my site to the original one.

    Foster
    Guest

    Thanks a lot, sir. That was exactly what I was looking for. How do I find the IP address of my network? Since I usually change my network a lot.

    Psst! Hi there. We’re Astra.

    We make security simple and hassle-free for thousands
    of websites and businesses worldwide.

    Our suite of security products include firewall, malware scanner and security audits to protect your site from the
    evil forces on the internet, even when you sleep.

    earth spiders cards bugs spiders

    Made with ❤️ in USA France India Germany