Again using .htaccess, we'd best restrict access to content in the remaining core WordPress directories, wp-content and wp-includes. Nothing in a normal page load requests a PHP file in those directories directly (WordPress loads them through index.php), so refusing direct requests removes an easy way to poke at plugin scripts or run a file an attacker managed to upload. Create an .htaccess file in each folder and paste this rule into it:
Order Allow,Deny
Deny from all
<Files ~ "\.(gif|jpe?g|png|css|js|xml)$">
    Allow from all
</Files>
That allows access to images, JavaScript, stylesheets and XML, and denies everything else, including direct requests to PHP files. Two caveats: the regex is case-sensitive, so a file uploaded as photo.JPG would be refused unless you prefix the pattern with (?i); and Order/Allow/Deny is the Apache 2.2 syntax (mod_access_compat), so on Apache 2.4 the equivalent is Require all denied, with Require all granted inside the <Files> block. Sometimes, though, this is too restrictive, so let's consider some workarounds.
Let's say you use the Dashboard's Flash uploader. You would also need to accept swf files, adding that extension to the <Files> directive like this:
<Files ~ "\.(gif|jpe?g|png|css|js|xml|swf)$">
Or if you have issues with a bundled component, say the TinyMCE WYSIWYG editor, which keeps PHP files alongside its scripts under wp-includes/js/tinymce, you need to re-open that directory. Note that a <Files> section matches only the file name, never the directory it sits in, so a pattern such as "js/tinymce/*.$" would never match anything. Instead, create a second .htaccess inside wp-includes/js/tinymce/ containing:
Order Allow,Deny
Allow from all
A subdirectory's access rules replace those inherited from the parent, so this re-enables the editor's files without loosening the rule for the rest of wp-includes.
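To see exactly which requests the rules above let through, here is a small added example (mine, not code from the article) that simulates how Apache evaluates the rule: a request is refused unless the file name matches one of the allow regexes, and, as Apache does, the <Files> pattern is tested against the last path component only. The request paths are constructed for illustration; TINYMCE_PATTERN_AS_WRITTEN is the directory-qualified pattern kept to show why it never matches.

```python
"""Simulate the .htaccess rule

    Order Allow,Deny
    Deny from all
    <Files ~ "REGEX">
        Allow from all
    </Files>

against request paths.  Added example, not part of the original article.
Apache evaluates <Files> against the final path component only, which is
what this models.
"""
import posixpath
import re

# Allow list from the article, with swf added for the Dashboard's Flash uploader.
ALLOW_PATTERNS = [r"\.(gif|jpe?g|png|css|js|xml|swf)$"]

# A directory-qualified pattern as it is sometimes written; kept here only to
# show why it never fires: a bare file name can never contain "js/tinymce/".
TINYMCE_PATTERN_AS_WRITTEN = r"js/tinymce/*.$"


def files_directive_matches(pattern, request_path):
    """<Files ~ "pattern"> is evaluated against the file name alone."""
    basename = posixpath.basename(request_path)
    return re.search(pattern, basename) is not None


def is_allowed(request_path, allow_patterns=ALLOW_PATTERNS):
    """Order Allow,Deny with Deny from all: refuse unless an Allow section matches."""
    return any(files_directive_matches(p, request_path) for p in allow_patterns)


def evaluate(request_paths, allow_patterns=ALLOW_PATTERNS):
    """Map each request path to True (served) or False (403)."""
    return {path: is_allowed(path, allow_patterns) for path in request_paths}


# Constructed request paths for illustration (not captured from a real server).
SAMPLE_REQUESTS = [
    "/wp-content/themes/example/style.css",
    "/wp-content/uploads/2011/05/photo.jpg",
    "/wp-content/uploads/2011/05/photo.JPG",      # regex is case-sensitive
    "/wp-content/uploads/2011/05/shell.php",      # e.g. a dropped web shell
    "/wp-includes/js/tinymce/tiny_mce.js",
    "/wp-includes/js/tinymce/wp-tinymce.php",     # PHP next to the scripts
    "/wp-includes/version.php",
]

if __name__ == "__main__":
    for path, served in evaluate(SAMPLE_REQUESTS).items():
        print(f"{'200' if served else '403'}  {path}")
    # The directory-qualified pattern never matches a bare file name:
    print(files_directive_matches(TINYMCE_PATTERN_AS_WRITTEN,
                                  "/wp-includes/js/tinymce/wp-tinymce.php"))
    # Prefixing (?i) makes the extension check case-insensitive:
    print(is_allowed("/wp-content/uploads/2011/05/photo.JPG",
                     [r"(?i)\.(gif|jpe?g|png|css|js|xml|swf)$"]))
```

Running it shows the uppercase .JPG upload refused while the lowercase one is served, so either normalise upload names or prefix the pattern with (?i). Both PHP files are refused regardless of directory, and the TinyMCE check prints False, confirming that a path-qualified pattern inside <Files> is dead configuration.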