I am tweaking WordPress to understand it better, play with it. For personal purposes.
But loading custom files from the /wp-includes folder won’t work.
I tried to add an info.php file under /wp-includes containing phpinfo() and when I try to access it in the browser via example.com/wp-includes/info.php, the server returns error 503.
The folder permissions are set to 775 and the file permissions to 644.
Important note: If I rename the wp-includes folder to something else, like wp-include, then it works!
I contacted the hosting support to ask if they added some kind of protection but they say they did not, they say: “It’s how WordPress is designed, it doesn’t allow to modify files”.
There isn’t any .htaccess file in that folder. And the root htaccess file contains the following:
```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Protect WP Config
<Files wp-config.php>
order allow,deny
deny from all
</Files>
```
How can I get to the reason for that 503 error? A PHP file with just plain text won’t work either.
Answers:
Method 1
> Important note: If I rename the wp-includes folder to something else, like wp-include, then it works!

Nothing in WordPress specifically prevents what you did, but what you did would be considered a security breach by most security regimes. It would also be destroyed the moment an automatic update occurred.
So your request could have been blocked by:
- firewalls
- security plugins
- Higher level Apache configs
- data centre level security
- PHP security extensions
- CDN rules
And many other things.
wp-includes does not contain PHP files that can be directly accessed from the browser, so it’s a safe assumption that if such a file is in that folder, it must be malicious.
Likewise, a common security feature is to prevent execution of PHP in the uploads folder.
If you are looking for a place to put a file that contains phpinfo(), wp-includes is not the place to put it. You could use a file in the root folder instead, or a page/theme template. You could also create a new sub-folder for your own testing of generic PHP files.
Unlike some other frameworks and CMS, WordPress is meant to be modified using the plugin/theme/hooks/filters system, with some more obscure mechanisms such as drop-ins. The one thing that’s consistent is that you don’t modify the files of a standard WordPress core folder.
If you want to contribute to core, you should instead be using the develop/source version of WordPress from GitHub combined with a local dev environment:
https://github.com/wordpress/wordpress-develop
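
To illustrate the "higher level Apache configs" item and the uploads rule mentioned in the answer above, here is an added example (not part of the original answer, and not the asker's host's actual configuration) of server-level rules that block PHP by path. The document root /var/www/html is an assumed path, the syntax is Apache 2.4, and these rules answer with 403 rather than the 503 seen in the question.

```apache
# Lives in the server or virtual-host configuration (httpd.conf or an
# included file), so it applies even though no .htaccess file exists in
# the folder and the site owner cannot see it from the web root.
# /var/www/html is an assumed DocumentRoot for this example.

# wp-includes: following the answer's reasoning that nothing here is
# meant to be requested directly, refuse direct requests for *.php.
# The rule is bound to the directory path, which is why a renamed
# folder such as wp-include would no longer be covered by it.
<Directory "/var/www/html/wp-includes">
    <FilesMatch "\.php$">
        Require all denied
    </FilesMatch>
</Directory>

# uploads: the folder is writable by the application, so a script that
# lands there must never be executed or served as PHP.
<Directory "/var/www/html/wp-content/uploads">
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

A rule like this is only one of the layers the answer lists; the server's error log, which on shared hosting usually has to be requested from the host, shows which module or layer refused a given request.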
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.