The PHP files in the wp-includes
directory will do nothing when accessed directly. They are designed to be include()
‘d in an existing PHP script, such as on the front-end or in the dashboard.
Your Options -Indexes
entry in the .htaccess
file simply prevents a list of the files in a directory when no index.php
is present. It’s good practice to use this on a live server. I’m not entirely sure what the second line does; you should most likely remove it.
If you’re especially concerned about people attacking your server, you can prevent access to the wp-includes
directory completely. To do this, create a .htaccess
file inside the wp-includes
folder with the following content:
Deny from all