WordPress by default doesn’t protect its wp-includes and wp-content folders. While WordPress doesn’t do stupid things in most of these files, they still don’t do a simple defined check to ensure the file was loaded from a privileged entry point. SMF does this, and it prevents direct loading of any of the Source files.
Getting around this is not as simple as it should be. To start with, I added a “.htaccess” to my “wp-includes” folder with the following contents:
Deny From All
However, that broke the built-in rich editor in WordPress. So the next step was to edit “wp-admin/includes/manifest.php” and change the following line:
echo "<script type='text/javascript' src='$baseurl/wp-tinymce.php?c=$zip&$version'></script>\n";
All I did was change .php to .js, since after reading through the directory I figured out that the .php version just serves a compressed copy of the same script. I removed the “$zip&” part as well, since it no longer made sense to keep it: the “c” argument only tells the loader whether to compress the output. This is my resulting change:
echo "<script type='text/javascript' src='$baseurl/wp-tinymce.js?$version'></script>\n";
However, since I was now loading some content directly from my includes folder, a tweak needed to be made to my “.htaccess”:
<Files *.php>
Order Deny,Allow
Deny from all
Allow from localhost
</Files>
Simply put, that will deny access from anywhere but localhost to all PHP files in my “wp-includes” folder. That worked, and a simple duplication of the file to my “wp-content” folder produced the same results. However, I still wasn’t done. A simple .htaccess password-protected directory for my “wp-admin” would offer a very basic block to help prevent unauthorized access. Although it isn’t using a very strong password or username, it still stops the fly-by attacks.
AuthType Basic
AuthName "Restricted Access"
AuthUserFile "/path/outside/webroot/wordpress-admin.access"
Require valid-user
Now I just needed to populate that file. Since I have Apache installed on my laptop, I opened Terminal, ran “htpasswd -n username” and gave it a password at the prompts. Then I copied the resulting line from the window into my .access file and saved. Everything works, and my entire wp-admin folder is protected from unauthorized web access.
However, “wp-login.php” references three files in the wp-admin folder: “login.css”, “colors-fresh.css” and “logo-login.gif”. Copying those three files to my theme resolves half the problem; the other half is modifying wp-login.php to reference those copies directly rather than through the functions that previously loaded them. “login.css” also needs to be modified so that its path to logo-login.gif points at the new location.
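The configuration below is an added example that pulls the three pieces of this post together (the PHP deny for wp-includes and wp-content, the password prompt on wp-admin, and the login-page assets); it is not the post's own configuration and not part of WordPress. It assumes Apache 2.2 or 2.4 (the IfModule pairs select the syntax for each), that the rich-editor loader lives at wp-includes/js/tinymce/wp-tinymce.php as the edited manifest line implies, the same AuthUserFile path as above, and that front-end plugins may post to admin-ajax.php; the wp-tinymce.php exception replaces the "Allow from localhost" line, so the manifest.php edit is no longer required, and the static-asset exception replaces copying the CSS and logo into the theme.

```apache
# ---- wp-includes/.htaccess -------------------------------------------------
# Deny every direct request for a PHP file under wp-includes (this .htaccess
# also applies to its subdirectories). Each IfModule pair gives the Apache 2.4
# form (mod_authz_core) and the Apache 2.2 form of the same rule.
<FilesMatch "\.php$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>

# Single exception: the TinyMCE loader that the admin pages request by name.
# Assumption: it lives at wp-includes/js/tinymce/wp-tinymce.php. A later
# section's Allow / Require replaces the deny above for just this file.
<FilesMatch "^wp-tinymce\.php$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Allow from all
    </IfModule>
</FilesMatch>

# ---- wp-content/uploads/.htaccess ------------------------------------------
# Duplicating the wp-includes rule over all of wp-content can break plugins
# that serve their own PHP endpoints, so this copy is scoped to uploads, where
# nothing should ever execute as PHP. The extra extensions cover handlers that
# common mod_php setups also map to PHP.
<FilesMatch "\.(php|phtml|php[0-9])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>

# ---- wp-admin/.htaccess ----------------------------------------------------
# HTTP Basic authentication in front of the whole admin area.
AuthType Basic
AuthName "Restricted Access"
AuthUserFile "/path/outside/webroot/wordpress-admin.access"
Require valid-user

# Static assets stay readable without credentials, so wp-login.php can load
# login.css, colors-fresh.css and logo-login.gif from wp-admin instead of
# from copies in the theme. On 2.2, Satisfy Any lets the host rule satisfy
# the request on its own; on 2.4 the inner Require replaces the outer one.
<FilesMatch "\.(css|js|gif|png|jpe?g)$">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Satisfy Any
        Order Allow,Deny
        Allow from all
    </IfModule>
</FilesMatch>

# Assumption: front-end plugins and themes post to admin-ajax.php, which would
# otherwise receive a password prompt; drop this block if nothing on the site
# uses it, since it is the one PHP entry point in wp-admin left unprompted.
<Files "admin-ajax.php">
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Satisfy Any
        Order Allow,Deny
        Allow from all
    </IfModule>
</Files>
```

Two checks after deploying: request any PHP file under wp-includes or wp-content/uploads from outside and expect a 403, and load wp-login.php unauthenticated and confirm the stylesheet and logo still arrive while wp-admin/index.php prompts for credentials. "Allow from localhost" in the original snippet works only when Apache can double-reverse-resolve the client address; "Allow from 127.0.0.1" is the form that does not depend on DNS. For the password file, "htpasswd -B -c /path/outside/webroot/wordpress-admin.access username" (Apache 2.4) stores a bcrypt hash instead of the MD5-based hash that plain "htpasswd -n" produces.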