Hide WP-includes, WP-content/uploads From Your WordPress Site – FREE Plugin & Via .htaccess

WordPress is undoubtedly one of the highly recommended content management systems. 75 million websites including businesses, blogs, professionals, and entertainment are currently built on WordPress. This also classifies it as one of the most vulnerable when it comes to online attacks. While most online attacks result from unpatched versions and vulnerable plugins, another major source of WordPress data theft is access to disclosure of essential WordPress elements. Take, for instance, Directory Browsing.

It often happens that when your web server is unable to find an index file (i.e. a file like index.php or index.html), by default it displays an index page revealing contents of the directory.

You can easily fix directory browsing with a click of a button with the WP-Hardening plugin. WP-Hardening is a one-stop solution to fix most of your WordPress security woes.

Here is how it works:

• Install the WP Hardening Plugin and activate it. It will render in the bottom left corner of your admin panel.

• Go to the “Security Fixers” tab.
• Navigate to ‘Server Hardening‘ and just toggle the key next to ‘Hide Directory Listing of WP includes.’

• And you’re done!

Rendering such information public could make your site vulnerable to hackers. As it reveals the important information needed to exploit a potential vulnerability in the WordPress theme, plugin, or the server to the hackers.

Why hide WordPress folders from the public?

Owing to an increased number of WordPress CMS attacks, it is essential to Disable Directory Browsing. Hackers can exploit directory browsing to reveal files with known vulnerabilities, and in turn exploit it to gain unauthorized access. Moreover, directory browsing can be used by outsiders to mimic the contents of your file, discover your directory structure, and other information. Which is why it is imperative to restrict directory indexing and browsing.

Related Guide – WordPress Malware Removal

This can be done by modifying your .htaccess file. The .htaccess file is a server configuration file that essentially allows the user to define rules for his server to follow for his website. The .htaccess file is located in your WordPress site’s root folder. To edit it, you’ll need to connect to your website using an FTP client. It is important to note that before beginning to edit your .htaccess file, it is important to download a copy of it to your computer as a backup to be used in case anything goes wrong.

How to hide WP folders from public access?

Add the following line of code to the .htaccess file in your website root:

Options -Indexes

This will prevent directory listing across the website.

How to hide the WordPress login URL?

WordPress login URL can be hidden via multiple methods:

• With WP-Hardening: The WP Hardening plugin enables you to specify a custom URL for your WordPress login. The new URL can be specified under the ‘Security Fixers‘ section in the WordPress Settings. In case a caching plugin is used on the website, the new login page should be added to the list of pages that are excluded from caching.

• By whitelisting IP addresses: In this method, only the whitelisted IP addresses can access the wp-login page and every other IP will be shown an error message. This method is recommended if you have a static IP and not many people requiring access to your WordPress admin panel. All you need to do is add the following code in your .htaccess file and replace the “!^123\.123\.123\.123$”.

<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
 RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
 RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
 RewriteRule ^(.*)$ - [R=403,L]
 </IfModule>

In case multiple IP addresses need to be added, just add a new line for each, as shown below:

RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteCond %{REMOTE_ADDR} !^223\.223\.223\.223$

Your login page will now only be visible to these IP addressess.

How to hide WP-content/uploads from Your WordPress?

The wp-content folder appears in the main directory of any WordPress site. It is an important part of every WordPress installation and It contains plugins, themes, uploads, and debug.logs that are provided by the user and not stored on the database.

One can easily hide a certain folder from being accessible to the public by modifying the .htaccess file a little bit. To hide the “Uploads” folder from the public:

1. Open your FTP client
2. Navigate to wp-content/uploads
3. Create a new file and name it “.htaccess” and open it
4. Copy and paste the following code into the file:
   Order Allow, Deny
   Deny from all
   Allow from all
5. Save changes.
6. To verify the changes, navigate to http://yourdomain.com/wp-content/uploads/ where you should now get a 404 error or a blank page which doesn’t show the content of your upload folder.

How to hide WP-includes from Your WordPress

It is important to restrict access to the WP-includes folder as it contains files strictly meant to run the core version of WordPress. This is the one without any plugins or themes and houses the default theme in the wp-content/theme directory. Access to the includes folder can be disabled using the following code snippet in the .htaccess file :

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/.*\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

How to hide WP-admin aka WP-login

We all know that the default URL for visiting the login page of any WordPress site is site-name/wp-admin. However, exposing your default admin login page can invite hackers to inspect it, and even figure out your credentials. Therefore, it is essential to hide your wp-admin and wp-login page to not only make it more complex for hackers to crack but also to get extra protection from the non-hacker communities.

Related Guide – Complete Guide to WordPress Security (Reduce the risk of Hacking by 90%)

1. Login to your server dashboard. Go to your public_html folder in Cpanel & open your .htaccess file in the code editor. If it is not visible to you, enable the option “Show hidden files” under visibility and then edit it.
2. Add the following code at the beginning of your .htaccess file. It might be containing some codes, but you have to paste this at the beginning of every code.

   AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "WordPress Admin Access Control" AuthType Basic <LIMIT GET> order deny,allow deny from all # whitelist <span style="color: #00ff00;">Prakhar IP</span> address allow from <span style="color: #00ff00;">xx.xx.xx.xxx</span> # whitelist <span style="color: #00ff00;">Satyansh IP</span> address allow from <span style="color: #00ff00;">xx.xx.xx.xxx</span> </LIMIT>

3. Replace the green texts with the name and IP address of the devices (computers, laptops, smartphones) of yours. The number of users can be increased by repeating the same code i.e. #whitelist username address.

The above-listed WordPress hacks are some of the many htaccess hacks that strengthen your WordPress site.

For the comprehensive security of WordPress sites, it is advised to use Astra for WordPress Security Astra seamlessly integrates with WordPress websites and simplifies regular security checks via a simple dashboard feature.