
permalinks - How to improve WordPress security by hiding non public facing files?



e.g.

curl -I http://ma.tt/blog/wp-config.php
200 OK

wp-config.php is not a public-facing file; it currently just returns a blank page, so why not return 404 instead (so it will not be cached by Google)?

Also, a file such as readme.html should be hidden, as it discloses your WordPress version, e.g. http://ma.tt/blog/readme.html

So, currently I have selected several files and blocked them at the web server level, e.g.

wp-config.php
wp-config-sample.php
license.txt
readme.html
 ..

But as there are so many files, especially under the wp-admin and wp-includes folders, is there any better way to do it to improve security?

asked Nov 22, 2012 at 15:44 by Yoga; edited Feb 7, 2021 at 18:58 by T.Todua
  • How exactly are these files useless? Without the core files, WP wouldn't function. wp-config.php, for example, is how you connect to your database. – David Gard Commented Nov 22, 2012 at 15:48
  • I think OP wants to show a 404 page if they are being opened directly from a browser – Mridul Aggarwal Commented Nov 22, 2012 at 16:08
  • Sorry for my bad title, I have updated the description. – Yoga Commented Nov 23, 2012 at 18:02
  • Nice that you offer a bounty, but still don't tell what your exact goal is :P – kaiser Commented Nov 26, 2012 at 17:58
  • Preventing the files from being accessed directly and attempting to hide your WordPress version are not real security measures. They don't improve security one little bit. So if you're asking how to do it to improve security specifically, then there is no real answer to your question because doing those doesn't "improve security" in any way whatsoever. – Otto Commented Nov 27, 2012 at 21:27

3 Answers

I wouldn't bother with the readme file, as probably no hacker bothers to check your WP version before trying to hack into the site. I will not bother with anything in /wp-includes and /wp-admin because I trust the core team to make that code secure in the default installation, and those files don't contain any information which is specific to my site.

The files to protect are wp-config.php, because it contains DB access details, and the /wp-content directory, because theme and plugin developers are not very good at security. For wp-config.php just deny access in your .htaccess:

<Files wp-config.php>
   order allow,deny
   deny from all
</Files>

For /wp-content/plugins and /wp-content/themes deny access for anything which is not an image, js or css file by adding an .htaccess there with the following content. If a plugin or theme does not work with this configuration they probably don't follow WP coding guidelines and it might be better not to use them.

# deny everything in this directory, then re-allow static assets only (Apache 2.2 syntax, like the rule above)
Order deny,allow
Deny from all
<FilesMatch "\.(jpe?g|png|gif|js|css)$">
   Allow from all
</FilesMatch>

For /wp-content/uploads you can't really deny access, as you don't know which types of files will be uploaded there, so the best thing to do is simply not to allow the execution of php, perl or python in that directory and serve such files as plain text with the following rules:

<FilesMatch "\.(php|pl|py|jsp|asp|htm|shtml|sh|cgi)$">
ForceType text/plain
</FilesMatch>

Once you are satisfied, you should probably combine everything to one .htaccess at root for better performance

First a correction: if you block the files under wp-admin, you won't be able to use the WordPress admin panel. You can, though, block the files under the "wp-admin/includes" folder.

Now the solution:
You don't need to type all the names; you can use regular expressions to block a pattern of files. For example, it's easy to write a regular expression to block all the files which reside in the wp-includes folder.

If you don't have other files in the same WordPress directory, then instead of blocking specific files you can go with the whitelist approach, i.e. allow only specific files. Specifically, you'll allow only the files which reside inside the wp-admin and wp-content folders and, of course, the main WordPress file (index.php).

If your themes & plugins don't use any dynamically generated files, you can just block all php files from direct access except those in wp-admin & index.php

Whatever approach you take, just remember to only block php files & not anything else, otherwise the browser won't be able to load all the admin panel's CSS & the javascript.
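As an added example (not code from this thread), the following Python script encodes the blocking policy described in the first two answers as a pure function and then probes your own site with the same HEAD request the question uses (curl -I), reporting every path whose live status disagrees with that policy. The base URL, the `sample.php` probe paths and the function names are assumptions.

```python
import re
import sys
import urllib.error
import urllib.request

# Files the question and the first answer single out for blocking.
SENSITIVE_FILES = {"wp-config.php", "wp-config-sample.php", "license.txt", "readme.html"}
# Static assets the first answer still serves from plugins/ and themes/.
ASSET_RE = re.compile(r"\.(jpe?g|png|gif|js|css)$", re.IGNORECASE)

def expected_public(path: str) -> bool:
    """True if a request for `path` should succeed (2xx) under the answers' policy:
    sensitive root files and wp-includes/ denied, index.php and wp-admin/ kept
    (blocking wp-admin breaks the dashboard), plugins/ and themes/ limited to
    images, JS and CSS, and uploads/ served as-is (scripts there become text/plain)."""
    path = path.lstrip("/")
    name = path.rsplit("/", 1)[-1]
    if name in SENSITIVE_FILES:
        return False
    if path in ("", "index.php") or path.startswith(("wp-admin/", "wp-content/uploads/")):
        return True
    if path.startswith(("wp-content/plugins/", "wp-content/themes/")):
        return bool(ASSET_RE.search(name))
    return False  # wp-includes/ and anything else is not part of the public surface

def http_status(url: str) -> int:
    """The same probe as `curl -I`: a HEAD request, returning the code even for 4xx/5xx."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def audit(base_url: str, paths: list, status_fn=http_status) -> list:
    """Return the paths whose observed status disagrees with expected_public()."""
    base = base_url.rstrip("/")
    mismatches = []
    for p in paths:
        code = status_fn(f"{base}/{p.lstrip('/')}")
        if (200 <= code < 300) != expected_public(p):
            mismatches.append(f"{p}: HTTP {code}")
    return mismatches

if __name__ == "__main__":
    # Assumption: argv[1] is your own site's base URL; the two sample.php probe paths are constructed.
    probes = sorted(SENSITIVE_FILES) + ["wp-includes/sample.php", "wp-content/plugins/sample/sample.php"]
    print("\n".join(audit(sys.argv[1], probes)) or "all probes match the policy")
```

Run it against your own install after changing the .htaccess rules; a line such as `wp-config.php: HTTP 200` is exactly the blank-page case from the question that still needs blocking.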

Short Answer:

You are wasting time - you won't be able to increase security. Read this excellent answer:

https://wordpress.stackexchange/a/198441/33667
