Security Through htaccess

Sitepoint Members,
What is the usage difference between
RewriteRule ^(wp-includes)\/.$ ./ [NC,R=301,L]
and
RewriteRule ^(wp-includes)/.$ ./ [NC,R=301,L]

If so, what different purposes does each serve?

Is the first an error of the second?

Thanks,

Chris

The first version is written by someone who doesn’t know you don’t have to escape slashes in RewriteRules and the second one is written by someone who does.

Both rules do the same thing: redirect away from the wp-includes directory; basically denying access to it.

Which could IMO be better solved by putting the following .htaccess in the wp-includes directory


deny from all

but that may be just me

ScallioXTX,
I like your way.

How about we take care of securing all three main WordPress folders in one place?

In the wp-admin folder in its htaccess file I have:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from w.x.y.z
allow from (other wanted ip addresses)
[Three tips to protect your WordPress installation](http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/)

In wp-content folder:
I don’t really have any protection here, not sure what can be done.

In the wp-includes folder in its htaccess file
I have this list of bots:
Deny from msnbot msnbot-media googlebot googlebot-image googlebot-mobile google-adsense slurp teoma yahoo-mmcrawler ask appie robozilla gigabot scrubby twiceler webcrawler scooter nazilla acoon abachobot architextspider w3c wdg scoutjet mantraagent

I guess I should just have:
deny from all

but over a year ago when I put this in I didn’t put deny from all because I was worried it would block browsers. From what you say just deny from all is all that’s needed.

Thanks for the help Scallio,

Chris

It does block browsers but you don’t want people directly accessing the content of that folder any more than you want bots accessing it. The only thing that needs access to the wp-includes folder is PHP and there is no .htaccess command that blocks that and PHP can even access folders not publicly accessible on the web.
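As an added example (not code from any poster in this thread), here is one root .htaccess that covers all three directories in one place, as Chris asked, using mod_rewrite as in the rules from the original question. It assumes WordPress lives at the site root; the IP addresses are placeholders. For wp-includes it refuses only direct PHP requests rather than the whole directory, because the front end serves scripts and stylesheets to visitors from wp-includes/js and wp-includes/css.

```apache
# Added example, not from the thread. Placeholder addresses: replace them.
# Never show directory listings (harmless if the host already sets this).
Options -Indexes

<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /

    # wp-admin: only the listed addresses may reach it. admin-ajax.php is
    # excluded because themes and plugins call it for logged-out visitors.
    RewriteCond %{REQUEST_URI} ^/wp-admin/
    RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.
    RewriteRule . - [F,L]

    # wp-includes: browsers fetch scripts and styles from wp-includes/js
    # and wp-includes/css, so refuse only direct requests for PHP files.
    # PHP's own require/include of these files is unaffected by .htaccess.
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php$ - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]

    # wp-content: an uploaded file must never be executed as PHP.
    RewriteRule ^wp-content/uploads/.*\.php$ - [F,L]
</IfModule>
```

After saving it, request a denied path in a browser and check the access log for a 403, then confirm the admin screens still load from a listed address.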

Felgall,
Is there any protection for wp-content? I wouldn’t think so, other than 444ing the files, which you have to undo and redo every time you want to change those files (of your website).

Thanks,

Chris

I guess that would be placing

Options -Indexes

in the htaccess file.

I don’t have this code in the htaccess file yet when I go to

http://www.mysite.com/wp-content/

or

http://www.mysite.com/wp-content/plugins/

the browser still shows a blank page. Great, but not sure what’s protecting my wp-content. I don’t have any plugins, maybe that’s it.

Thanks,

Chris

Or the host your site is hosted on has Options -Indexes in its Apache server config.
Most hosts do :)

ScallioXTX,
No kidding. That’s great because I was reading somewhere a while back that options indexes and a similar line can cause some problem, can’t remember what it is, so it’s better that the webhost handles it.

Would you know of a way or website that looks for security weaknesses in websites?

Thanks,

Chris

No, I don’t know of any such tools or website. Sorry.

ScallioXTX,

That must be it.

Felgall,

On what you were saying, “It does block browsers but you don’t want people directly …”
I see now. It gets confusing sometimes; some you want sometimes, others you want other times.

Thanks to both of you for your help,

Chris