WordPress Security

Protecting wp-includes Directory from Direct Access and Malware

Learn how to protect the WordPress wp-includes directory from attacks. Block direct access to core files and prevent malware from exploiting WordPress internals.

Emily Rodriguez
6 min read

The wp-includes directory holds WordPress's core functionality: the libraries, classes, and functions that power your site. None of it is meant to be requested by a browser directly, so blocking direct access removes an attack surface (direct requests to core files, and execution of web shells dropped into the directory) at almost no cost. It does not stop code being injected into files WordPress itself loads, which is why integrity monitoring is covered below as well.

What's in wp-includes?

The wp-includes directory contains roughly 1,400 PHP files, plus bundled JavaScript and CSS, that provide:

  • Database functions: the wpdb class in class-wpdb.php (wp-db.php before WordPress 6.1) and related files
  • User management: Authentication and capabilities
  • Media handling: Image processing, uploads
  • Plugin/theme APIs: Hooks, filters, actions
  • REST API: WordPress REST API implementation
  • JavaScript libraries: jQuery, React, and others

Why Protect wp-includes?

Prevent Direct Exploitation

Most wp-includes files assume they are loaded by WordPress and either die or emit PHP errors when requested on their own, and a few have carried directly exploitable bugs in the past. Blocking direct requests removes that whole route and stops the files from leaking information (such as full server paths in error messages) when hit directly.

Hide WordPress Version

version.php holds your exact WordPress version. Requesting it directly prints nothing (it only sets $wp_version), so the more common leaks are the generator meta tag, readme.html in the site root, and the ?ver= parameter on enqueued scripts and styles. Attackers use the version to pick version-specific exploits; block direct access to wp-includes, and hide the version on those other routes as well.

Neutralize Dropped Web Shells

A common post-compromise move is to drop a new PHP file into wp-includes, where it blends in with 1,400 legitimate files, and then call it over HTTP. If direct PHP execution in the directory is blocked, the dropped file cannot be reached by whoever uploaded it. The limit to keep in mind: malicious code appended to a file that WordPress includes on every page load still runs, so blocking complements integrity monitoring rather than replacing it.

Protection Methods

Method 1: Block PHP Direct Access

Add this to your root .htaccess file, above the # BEGIN WordPress block (WordPress rewrites that block whenever permalink settings are saved):

# Block direct requests for PHP files in wp-includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Top-level wp-includes/*.php (sub-directories are not covered by this rule)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
# PHP under the TinyMCE language directory
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
# Fallback templates, never needed directly
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

The first rule also blocks ms-files.php, which legacy Multisite networks use to serve uploads; on such a network add an exception for that file or use the allow list from Method 2. After saving, confirm that a request for /wp-includes/version.php returns 403 Forbidden instead of 200.

Method 2: Block All Direct PHP Access

Create wp-includes/.htaccess. The Require syntax is Apache 2.4; the Order/Deny form is kept as a fallback for Apache 2.2 (or 2.4 with mod_access_compat):

# Deny direct requests for every PHP file below this directory
<Files "*.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>

# Legacy Multisite (networks created before WordPress 3.5) serves uploads
# through ms-files.php; allow only that file, and only if you need it
<Files "ms-files.php">
  <IfModule mod_authz_core.c>
    Require all granted
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Allow from all
  </IfModule>
</Files>

This only takes effect if AllowOverride for the directory permits AuthConfig (2.4) or Limit (2.2); if the server ignores .htaccess files, put the same <Files> blocks inside a <Directory> section of the virtual host instead.

Caution: current WordPress does not request anything in wp-includes directly, but older releases loaded the classic editor through wp-includes/js/tinymce/wp-tinymce.php, and legacy Multisite depends on ms-files.php. After applying, check the editor, the media library and the front end, and confirm that /wp-includes/version.php now returns 403.

Method 3: nginx Configuration

Either block must appear before the generic location ~ \.php$ FastCGI block: nginx takes the first matching regex location in file order, so a deny placed after the PHP handler is never reached.

# Block direct requests for PHP under wp-includes
location ~* ^/wp-includes/.*\.php$ {
    internal;   # reachable only via internal redirect; outside requests get 404
}

# Alternative (use one or the other): refuse outright, answering 403
location ~* ^/wp-includes/.*\.php$ {
    deny all;
}

Neither block contains a fastcgi_pass, so a matching request is never handed to PHP. If your PHP handler matches \.php(/|$) to support PATH_INFO, use the same suffix here, otherwise /wp-includes/foo.php/x would slip past the block and into the handler. Test the configuration before reloading.

Method 4: WP Folder Shield (Recommended)

WP Folder Shield provides intelligent wp-includes protection that:

  • Blocks direct PHP access to sensitive files
  • Allows legitimate WordPress requests through
  • Maintains compatibility with all WordPress features
  • Includes proper exceptions for required files

Core File Integrity Monitoring

Blocking direct requests does nothing against code injected into files WordPress already loads, so monitoring wp-includes for changes matters just as much:

What to Monitor

  • Any new PHP files (core ships a fixed file list; a new one is almost always a dropped web shell)
  • Changes to existing files outside a core update
  • File permission changes (for example a core file that becomes world-writable)
  • Hidden files or directories (core ships no dot-files; a .htaccess you placed yourself is the one expected exception)

WP Folder Shield Integrity Checking

WP Folder Shield compares your wp-includes files against official WordPress checksums:

  • Downloads the official checksum list for your exact version and locale from WordPress.org
  • Compares each file hash
  • Alerts on any modifications
  • Identifies added or removed files
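The checksum comparison described above, written out as an added example (this is not WP Folder Shield's code). It takes a checksum map in the shape the WordPress.org checksums API returns and reports modified, missing, added and hidden entries under wp-includes. The API URL in the docstring is real; the file tree, the checksum values and the tampering in the demo are constructed in a temporary directory so the script runs offline.

```python
"""Verify wp-includes against a WordPress.org-style checksum list.

Added example, not WP Folder Shield's code. In production the checksum map
comes from https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<locale>,
whose JSON body is {"checksums": {"wp-includes/version.php": "<md5 hex>", ...}}.
Here the file tree, the checksum map and the tampering are all constructed in
a temporary directory so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def md5_file(path: Path) -> str:
    """Streamed MD5; WordPress.org publishes MD5 digests for core files."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_tree(root, checksums, prefix="wp-includes/", ignore=frozenset()):
    """Compare <root>/<prefix> with the checksum map and report:
    modified - listed files whose hash changed (code appended to core)
    missing  - listed files that are gone
    added    - files present but not in the list (a dropped web shell lands here)
    hidden   - dot-files or dot-directories, which core never ships
    `ignore` names paths you placed on purpose, e.g. a hardening .htaccess."""
    root = Path(root)
    base = root / prefix.rstrip("/")
    expected = {rel: h for rel, h in checksums.items() if rel.startswith(prefix)}
    modified, missing = [], []
    for rel, digest in sorted(expected.items()):
        path = root / rel
        if not path.is_file():
            missing.append(rel)
        elif md5_file(path) != digest:
            modified.append(rel)
    added, hidden = [], []
    for path in sorted(base.rglob("*"), key=lambda p: p.relative_to(root).as_posix()):
        rel = path.relative_to(root).as_posix()
        if rel in ignore:
            continue
        if any(part.startswith(".") for part in path.relative_to(base).parts):
            hidden.append(rel)
        if path.is_file() and rel not in expected:
            added.append(rel)
    return {
        "modified": modified,
        "missing": missing,
        "added": added,
        "added_php": [rel for rel in added if rel.lower().endswith(".php")],
        "hidden": hidden,
        "clean": not (modified or missing or added or hidden),
    }


def build_demo(tamper: bool = True) -> dict:
    """Constructed scenario: a tiny 'clean' install and a checksum map taken from
    it, then (if tamper) a backdoored core file, a dropped shell, a deleted
    library, a hidden directory and our own wp-includes/.htaccess."""
    clean = {
        "wp-includes/version.php": b"<?php\n$wp_version = '6.5';\n",
        "wp-includes/class-wpdb.php": b"<?php\nclass wpdb {}\n",
        "wp-includes/js/jquery/jquery.min.js": b"/* jquery */\n",
        "wp-content/index.php": b"<?php\n// Silence is golden.\n",  # outside the prefix
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        checksums = {rel: md5_file(root / rel) for rel in clean}  # stands in for the API response
        if tamper:
            (root / "wp-includes/version.php").write_bytes(clean["wp-includes/version.php"] + b"@include '/tmp/.x';\n")
            (root / "wp-includes/wp-cache.php").write_bytes(b"<?php /* dropped shell */\n")
            (root / "wp-includes/js/jquery/jquery.min.js").unlink()
            (root / "wp-includes/.tmp").mkdir()
            (root / "wp-includes/.tmp/x.php").write_bytes(b"<?php\n")
            (root / "wp-includes/.htaccess").write_bytes(b"Require all denied\n")
        return verify_tree(root, checksums, ignore=frozenset({"wp-includes/.htaccess"}))
```

The `ignore` set is the practical detail: once you add the wp-includes/.htaccess from Method 2, a naive "no dot-files" rule will flag your own hardening on every scan, so the known exception is allow-listed by exact path rather than by pattern.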

Handling Compromised wp-includes

If malware is found in wp-includes:

  1. Don't panic - core files can be replaced wholesale; nothing site-specific lives in wp-includes
  2. Backup - archive the current directory, preserving timestamps, to a location outside the web root; file modification times and the access logs are your forensic timeline
  3. Download fresh WordPress - get the exact version and locale you run from WordPress.org and check the download against the .sha1 or .md5 file published alongside it
  4. Replace entire wp-includes - delete the directory and swap in the clean one rather than replacing individual files
  5. Verify checksums - confirm every file matches the official list and that no extra files remain
  6. Find entry point - look in the access logs for the first request to the dropped file, then check plugins, themes, wp-content/uploads, wp-config.php and the database, because replacing wp-includes removes nothing from those; change passwords and keys afterwards
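Steps 2 to 4 above as an added Python example, not WP Folder Shield's code: it refuses the tarball unless its SHA-1 matches the value from the published .sha1 sidecar, archives the suspect directory to a forensics location, extracts only the wordpress/wp-includes subtree (skipping traversal names and symlinks so a bad archive cannot write elsewhere), and swaps the directories. The site layout, the release tarball and its SHA-1 in the demo are constructed in a temporary directory; the forensics directory is assumed to be outside the web root.

```python
"""Replace a compromised wp-includes from a verified WordPress release tarball.

Added example, not WP Folder Shield's code. Assumes wordpress-<ver>.tar.gz and
the .sha1 sidecar wordpress.org publishes next to each release, and a backup
location outside the web root. The demo builds a constructed site and tarball
in a temp directory, so it runs offline.
"""
import hashlib
import io
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha1_file(path: Path) -> str:
    digest = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_for_forensics(src: Path, forensics_dir: Path) -> Path:
    """Archive the suspect tree with mtimes and modes intact (step 2)."""
    forensics_dir.mkdir(parents=True, exist_ok=True)
    out = forensics_dir / f"{src.name}-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    with tarfile.open(out, "w:gz") as tar:
        tar.add(src, arcname=src.name)
    return out


def extract_wp_includes(tarball: Path, dest: Path) -> int:
    """Write only wordpress/wp-includes/** from the archive into dest.
    Traversal names and non-regular members (symlinks, devices) are skipped so a
    bad archive cannot write outside dest; returns the number of files written."""
    written = 0
    with tarfile.open(tarball, "r:gz") as tar:
        for member in tar:
            parts = Path(member.name).parts
            if parts[:2] != ("wordpress", "wp-includes") or ".." in parts:
                continue
            target = dest.joinpath(*parts[2:])
            if member.isdir():
                target.mkdir(parents=True, exist_ok=True)
            elif member.isfile():
                target.parent.mkdir(parents=True, exist_ok=True)
                with tar.extractfile(member) as src, target.open("wb") as dst:
                    shutil.copyfileobj(src, dst)
                written += 1
    return written


def replace_wp_includes(site_root, tarball, sha1_expected, forensics_dir) -> dict:
    """Verify the download, back up, extract to staging, swap (steps 2-4)."""
    site_root, tarball = Path(site_root), Path(tarball)
    if sha1_file(tarball) != sha1_expected:
        raise ValueError("tarball SHA-1 does not match the published .sha1; refusing to use it")
    current = site_root / "wp-includes"
    backup = backup_for_forensics(current, Path(forensics_dir))
    staging = site_root / "wp-includes.new"
    shutil.rmtree(staging, ignore_errors=True)
    count = extract_wp_includes(tarball, staging)
    quarantine = site_root / "wp-includes.compromised"
    current.rename(quarantine)   # two renames keep the site without wp-includes only briefly
    staging.rename(current)
    shutil.rmtree(quarantine)    # the archive above is the forensic copy
    return {"backup": backup, "files_written": count}


def build_demo() -> dict:
    """Constructed scenario: a site with a backdoored core file and a dropped shell,
    plus a release tarball that also carries a traversal member and a symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "site"
        (site / "wp-includes/js").mkdir(parents=True)
        (site / "wp-includes/version.php").write_bytes(b"<?php\n$wp_version = '6.5'; // backdoored\n")
        (site / "wp-includes/shell.php").write_bytes(b"<?php /* dropped shell */\n")
        tarball = root / "wordpress-6.5.tar.gz"
        with tarfile.open(tarball, "w:gz") as tar:
            def add(name, data=b"", kind=tarfile.REGTYPE, link=""):
                info = tarfile.TarInfo(name)
                info.type, info.linkname, info.size = kind, link, len(data)
                tar.addfile(info, io.BytesIO(data) if kind == tarfile.REGTYPE else None)
            add("wordpress/wp-includes", kind=tarfile.DIRTYPE)
            add("wordpress/wp-includes/version.php", b"<?php\n$wp_version = '6.5';\n")
            add("wordpress/wp-includes/js/jquery.js", b"/* jquery */\n")
            add("wordpress/wp-admin/admin.php", b"<?php\n")              # outside the subtree
            add("wordpress/wp-includes/../../escaped.php", b"<?php\n")   # traversal attempt
            add("wordpress/wp-includes/link.php", kind=tarfile.SYMTYPE, link="/etc/passwd")
        sha1 = sha1_file(tarball)   # stands in for the downloaded .sha1 sidecar
        try:
            replace_wp_includes(site, tarball, "0" * 40, root / "forensics")
            rejected = False
        except ValueError:
            rejected = True
        result = replace_wp_includes(site, tarball, sha1, root / "forensics")
        with tarfile.open(result["backup"]) as tar:
            backed_up = tar.getnames()
        return {
            "rejected_bad_sha1": rejected,
            "files_written": result["files_written"],
            "new_tree": sorted(p.relative_to(site).as_posix() for p in (site / "wp-includes").rglob("*")),
            "escaped": (root / "escaped.php").exists(),
            "backup_has_shell": "wp-includes/shell.php" in backed_up,
        }
```

The SHA-1 check runs before anything is touched, so a corrupted or tampered download leaves the site and the forensics directory unchanged; the dropped shell survives only inside the archived copy, where it can be examined without being reachable over HTTP.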

Best Practices

Never Modify Core Files

Never edit wp-includes files directly; customizations belong in a theme or plugin. Modified core files:

  • Get overwritten by the next update
  • Fail checksum verification, so a legitimate edit becomes indistinguishable from an injection
  • Indicate possible compromise when you did not make the change yourself

Keep WordPress Updated

Core updates include security fixes. Apply them promptly to patch vulnerabilities in wp-includes files.

Monitor for Changes

Enable file integrity monitoring to catch unauthorized changes immediately.

WP Folder Shield provides comprehensive wp-includes protection including direct access blocking and integrity verification. Protect your WordPress core today.

Written by Emily Rodriguez

WP Folder Shield Team

Related Articles

SEO Spam Injection: How to Detect Hidden Links and Malicious Redirects

Learn how hackers inject hidden links and malicious redirects into WordPress sites to steal your...

January 18, 2026
Understanding WordPress Malware Signatures and Detection Patterns

Learn how malware scanners detect threats using signatures and patterns. Understand the technology...

January 15, 2026
Country Blocking for WooCommerce: Protect Your Online Store

Learn how to implement country blocking for WooCommerce stores. Prevent fraud, reduce chargebacks...

January 10, 2026

Ready to Secure Your WordPress Site?

Get complete protection with WP Folder Shield.
