Prevent direct access to PHP files which are not in the wp-admin directory #79
This is a combination of security and performance.
From a security POV, white listing known "good" file types, prevents attacks trying to exploit security issues found in core PHP files, or accidental programing language file that by mistake was added to a plugin and might be executable on the server.
This also will enable restricting the check for file existence to only those types instead of checking it for all URLs as done in the WordPress htaccess.
wp-admin should in addition allow php file execution.
The uploads directory might need a more complex setup as we want to enable downloads of unsafe files without executing them.
The text was updated successfully, but these errors were encountered: