Important note: If I rename the wp-includes folder to something else, like wp-include, then it works!
Nothing in WordPress specifically prevents what you did, but, what you did would be considered a security breach by most security regimes. It would also be destroyed the moment an automatic update occurred.
So your request could have been blocked by:
- firewalls
- security plugins
- Higher level Apache configs
- data centre level security
- PHP security extensions
- CDN rules
And many other things.
wp-includes
does not contain PHP files that can be directly accessed from the browser, so it’s a safe assumption that if such a file is in that folder, it must be malicious.
Likewise, a common security feature is to prevent execution of PHP in the uploads folder.
If you are looking for a place to put a file that contains phpinfo()
, wp-includes
is not the place to put it. You could use a file in the root folder instead, or a page/theme template. You could also create a new sub-folder for your own testing of generic PHP files.
Unlike some other frameworks and CMS, WordPress is meant to be modified using the plugin/theme/hooks/filters system, with some more obscure mechanisms such as drop ins. The one thing that’s consistent is that you don’t modify the files of a standard WordPress core folder.
If you want to contribute to core, you should instead be using the develop/source version of WordPress from GitHub combined with a local dev environment: