blocking access to wp-content (or other core files)

[ZappoMan]

So here's a question... it may be a stupid question... I'm not sure.

I was playing around on my dev environment, and I noticed that at least in the standard install... you could (if you knew the URL) type in something like this URL into your web browser..

http://domain.com/wp-content/db.php

And, at least in my setup, which I am pretty certain is a basic as intended setup. Apache attempts to load and serve up this file. Of course, since these files assume that they are included by other files, and aren't really designed to be loaded directly, they will basically get PHP errors and die. In a standard production setup, that means an empty blank page. In a debug setup you get the errors.

Ok, so here are my questions...

Is this a security hole? It seems like it is to me?
What do you do to prevent this?

[Luke]

Not really a hole, as "most" files just contain functions or classes.

However, there are on occasion some files which have things that aren't encased in a function. Typically though, they don't do anything either.

The majority of concerns with WP, or any other system are exploits through the query string.

If you're uber paranoid, you can put a check for ABSPATH being defined at the top (or shortly thereafter) of any file to keep it from being loaded externally.

ABSPATH being defined in the config file, and being loaded before anything else, so if it's not there, the file dies.

For me, when I write files, an ABSPATH check is the FIRST thing I do, and if its not defined I kill any execution.

[ZappoMan]

Yes, I had thought of that solution... but I'd rather not modify core files.

In some sense this gets back to that who issue of "why advertise" what system you're running as it opens the door to people attempting "known" exploits. Of course you should lock down the exploits etc. etc..

Anyway...

Would it make sense to block it at an .htaccess or httpd.conf level?

I'm sort of trying to wrap my head around when should a user be able to access these files via http and when should the be only included.

I haven't really thought it through that much... but I know I don't want to be in the core file changing business as it's such a pain in the ass to upgrade... I've learned my lesson about that!

[Luke]

You could probably cut down calling files directly that are in wp-includes with a rewrite rule, yes. But you'd have to redirect them to a page somewhere.

There may be a plugin or information out there on it already, in fact.