Initial observations on the Apache code for part 1 Securing wp-includes:
- In a standard WP install, paths `wp-admin/includes/` and `wp-includes/` exist, but paths `wp-includes/js/tinymce/langs/` and `wp-includes/theme-compat/` do not.
- When I look up `RewriteRule` and `RewriteFlags`, I think these lines…

```
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
```

… are saying ‘If `wp-includes` doesn’t exist then skip the next three lines’.

So, given these observations, I think this is the Caddy code replacement for a default WP install:

```
@forbidden {
	path /wp-admin/includes/*
	path /wp-includes/*
}
respond @forbidden 403
```

Or would I use `error` and `handle_error` instead of `respond`?

As for part II, Securing wp-config.php:

If `wp-config.php` isn’t moved outside the webroot, then add this to the matcher above:

```
path /wp-config.php
```

However, if `wp-config.php` is moved above the webroot, I’m not so sure?
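
A pattern-for-pattern rendering of the four `RewriteRule` lines quoted above as a single Caddy `path_regexp` matcher, added here as an example and not part of the original post. The site address, document root and PHP-FPM socket are assumptions; the `wp-admin/includes/` alternative comes from the matcher proposed in the post.

```caddyfile
# Added example; example.com, the root path and the PHP-FPM socket are assumptions.
example.com {
	root * /var/www/wordpress

	# [S=3] in the Apache block skips the next three rules when the request
	# path does NOT start with wp-includes/, so those three rules only apply
	# to requests under wp-includes/. Anchoring each alternative on its own
	# prefix gives the same scoping in one expression:
	#   1. wp-admin/includes/ (taken from the matcher in the post)
	#   2. *.php directly inside wp-includes/ (no further slash)
	#   3. .php files under wp-includes/js/tinymce/langs/
	#   4. anything under wp-includes/theme-compat/
	# Caddy matches against the full URI path, hence the leading slash that
	# the per-directory Apache patterns do not have.
	@wp_forbidden path_regexp ^/(wp-admin/includes/|wp-includes/[^/]+\.php$|wp-includes/js/tinymce/langs/.+\.php|wp-includes/theme-compat/)
	respond @wp_forbidden 403

	# wp-config.php left inside the web root (part II of the post).
	@wp_config path /wp-config.php
	respond @wp_config 403

	php_fastcgi unix//run/php/php-fpm.sock
	file_server
}
```

Requests under `/wp-includes/` that match none of the four patterns, such as scripts and stylesheets in its subdirectories, are still served by `file_server`.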