Side effects of disallowing *.php requests in production environment?

My understanding:
They are going to disallow *.php access from external HTTP requests.

It should not cause a problem.
It’s a common security measure to disallow extension access, and if you are using custom permalink structures, you can get around most of the needs to do so.

Since quite a bit of your interactions with WordPress will be in the administration area, you shouldn’t run into any problems with core features since you’ve sandboxed that somewhere else.

BUT, any plugins and themes that have made the assumption that they would be able to call AJAX via a *.php URL, or POST/GET from such a URL, may break. So using extensions may suck.

You may need to take more time in reviewing plugins and themes before saying “this will just work”. By doing this, you will create more work for yourself in the long run for the trade of security.


Just to be sure, I would setup a default WordPress install, then setup custom permalinks…then leave it up for a bit and watch the access logs.

You can easily see how many hits are going to break because they directly hit *.php extensions.

A smoother way of doing this…might be to simply 301 people to mysite.com/whatevertheyweretryingtogetto.php -> mysite.com/whatevertheyweretryingtogetto

Just chop it off.

error code: 523