Hardening wordpress: blocking /includes with htaccess

You ask:

How does that work ? As far as I can read it, it only specifies not to
rewrite certain urls (using -),

These files are included within the WordPress PHP scripts, so there’s no need to access them in the browser, but notice the rewrite flags.

Here’s some information on the F, L and S flags from the Apache docs:

Using the [F] flag causes the server to return a 403 Forbidden status
code to the client.

When using [F], an [L] is implied – that is, the response is returned
immediately, and no further rules are evaluated.

The [S] flag is used to skip rules that you don’t want to run. The
syntax of the skip flag is [S=N], where N signifies the number of
rules to skip (provided the RewriteRule matches). This can be thought
of as a goto statement in your rewrite ruleset.

You ask:

and then fails to actually rewrite all other requests.

no, all other HTTP requests, that do not match the security rewrites, go to the # BEGIN WordPress part

So let’s check out the number of files affected by these security rewrite rules:

http://example.com/wp-admin/includes/*                 -  62 PHP files
http://example.com/wp-includes/*.php                   - 110 PHP files
http://example.com/wp-includes/theme-compat/*          -   5 PHP files
http://example.com/wp-includes/js/tinymce/langs/*.php  -   0 PHP files

according to my WordPress 3.9.1 install.

Related Posts:

  1. Best collection of code for your .htaccess file [closed]
  2. Static raw HTML page
  3. WordPress best solution shared theme for consumers and businesses (two url’s one instaltion)
  4. WordPress On subfolder
  5. create a static folder independent with WordPress
  6. How can I stop WordPress from catching URL’s for static pages that I save on my server
  7. Default .htaccess file for WordPress?
  8. Does this .htaccess security setting really work?
  9. htaccess problem after saving Settings
  10. File and directory permissions
  11. htaccess disable WordPress rewrite rules for folder and its contents
  12. htaccess https redirect from www to non-www
  13. Name-based virtual host configuration in Apache seems to cause a “500 Internal Server Error”
  14. Isolating WordPress to a subfolder
  15. How disable SSL redirect for specific URL?
  16. Why does the header set X-Robots-Tag apply to all pages?
  17. Error:406 not acceptable
  18. .htaccess Rewrite URL WordPress
  19. A plugin changes my .htaccess file and I can’t access httpd.conf as that’s a shared server
  20. What is the role of .htaccess file in WordPress?
  21. Why does WordPress 3.0.4 keep deleting the contents of the .htaccess file?
  22. Remove File Extension for Page Outside of WordPress
  23. How can I code my plugin to safely modify .htaccess?
  24. different child theme for subdomain
  25. How do I edit the htaccess file to optimize my website?
  26. Block only external access to wp-cron.php on OpenLiteSpeed
  27. .htaccess rewrite rule puzzle
  28. Site searches by Python for non-existent assets
  29. Allow logged in users who doesn’t belong to whitelisted ips
  30. PHP files included in functions.php don’t seem to work
  31. Best way to redirect site in subdirectory to root?
  32. Install a Network under a mapped domain
  33. htaccess – RewriteRule without redirect not working
  34. browser caching not disabled after disabling in .htaccess
  35. Restrict uploaded files into a custom folder to logged in users by htaccess: looking for Nginx – not only Apache – solution
  36. Transfer to HTTPS – mixed content on main page only [closed]
  37. Htaccess redirect after changing Language URL format
  38. How can I defer these JS files?
  39. How do I test to ensure that my wp-config file is protected?
  40. Adding a SSL Certificate
  41. .htaccess Security Header Rules
  42. mod_rewrite loop, redirecting http to https on certain section of wordpress blog
  43. .htaccess in subdir gets ignored by WordPress’ own .htaccess in /
  44. blocking access to all post/tag URIs via htaccess
  45. Rules in .htaccess only if the requested URL is /wp-admin
  46. What to write in the htaccess in order to detect browser language and point accordingly?
  47. sitemap contains weird links and does not contain my pages [closed]
  48. how to redirect 301 my old search query string to wordpress search query string?
  49. Allow REST API over HTTP, the rest of the site forced to HTTPS
  50. redirect post id to post full url
  51. .htaccess RewriteCond excluding directories does not work when there is an .htaccess or php.ini in subdirectory
  52. Separate 404 page for WordPress in subfolder
  53. custom url rewrite for wordpress
  54. Weird behavior of Dashboard, must be core files
  55. 404 error Additionally 403 Forbidden error on a URL
  56. Conflict with Force SSL and Rewrite Rules
  57. Remove trailing slash after .html extension
  58. Does WP suppresses .htaccess if permalinks are disabled?
  59. I have a page using a pretty url and a mod_rewrite rule matching it. I expected it to give an error but it’s working. Why?
  60. How do I setup htaccess for 301 redirects, post Joomla to WordPress migration? [closed]
  61. Hide a subdirectory on my website hosting
  62. Can’t access WP site over WiFi network
  63. Creating a copy of a website in a subdirectory, wp-admin redirect problem
  64. How to rewrite 404 to home page using htaccess?
  65. I am new in word pres my font awesome is not allow
  66. htaccess redirect throws an error: PHP Catchable fatal error: Object of class WP_Error could not be converted to string
  67. WordPress permalinks confusion
  68. How do I reset a rewrite?
  69. VServer/Rootserver/Shared Hosting: Multiple WordPress installations each having their unique domain?
  70. How can I resolve a .htaccess internal server error setting up a WordPress multisite?
  71. Basic Auth .htaccess on wp-login, but allow logout from woocommerce
  72. Why my WordPress Site Asking for HTTP Authentication?
  73. I need to make one folder private
  74. htaccess redirects invalid request to home page not 404
  75. Force HTTPS for mapped domain pointing to wordpress domain
  76. WordPress How to rewrite URL for custom pages
  77. How to properly give WordPress its own directory
  78. WordPress permalinks is wrong. It wants me to change my htaccess file. But then site crashes
  79. How to move wordpress website from hosting account to localhost
  80. Question with .htaccess and wp-login.php prevention
  81. After changing permalink, getting 404 for one particular category
  82. WordPress RSS feed to external XML
  83. Does htaccess password keep search engines out?
  84. One WP Database outside localhost and two connections
  85. I can access subdirectory, but not files within it
  86. htaccess old php pages to new wordpress ones
  87. htaccess mod_rewrite not working
  88. different CNAME to corresponding subfolders
  89. block seacrh engines for all pages EXCEPT homepage
  90. Giving WordPress it’s own directory and using .htaccess Directory Index
  91. Allowing access to certain WordPress created pages or posts with htaccess / htpasswd
  92. Restrict download files from not generated Urls
  93. How to change wordpress news root url
  94. Problem with All in one WP Migration – only works the home page
  95. htaccess – Server Subdirectory With Different Name Than URL Subdirectory
  96. WordPress sections in htaccess kills FrontPage permissions
  97. Enable webp support Nginx+Apache reverse proxy with moss.sh [closed]
  98. How To Add CSP frame ancestors in WordPress Website? [closed]
  99. The connection to “domain” is not secure
  100. How do I modify each instance of setcookie?