The question:
I am tweaking WordPress to understand it better, play with it. For personal purposes.
But loading custom files from the /wp-includes folder won’t work.
I tried to add a info.php file under /wp-includes containing phpinfo() and when I try to access it in the browser via example.com/wp-includes/info.php, the server returns error 503.
The folder permissions are set to 775 and the file permissions to 644.
Important note: If I rename the wp-includes folder to something else, like wp-include, then it works!
I contacted the hosting support to ask if they added some kind of protection but they say they did not, they say: “It’s how WordPress is designed, it doesn’t allow to modify files”.
There isn’t any .htaccess file in that folder. And the root htaccess file contains the following:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Protect WP Config
<Files wp-config.php>
order allow,deny
deny from all
</Files>
How can I get to the reason for that 503 error. A PHP file with just plain text won’t work either.
The Solutions:
Below are the methods you can try. The first solution is probably the best. Try others if the first one doesn’t work. Senior developers aren’t just copying/pasting – they read the methods carefully & apply them wisely to each case.
Method 1
Important note: If I rename the wp-includes folder to something else, like wp-include, then it works!
Nothing in WordPress specifically prevents what you did, but, what you did would be considered a security breach by most security regimes. It would also be destroyed the moment an automatic update occurred.
So your request could have been blocked by:
- firewalls
- security plugins
- Higher level Apache configs
- data centre level security
- PHP security extensions
- CDN rules
And many other things.
wp-includes does not contain PHP files that can be directly accessed from the browser, so it’s a safe assumption that if such a file is in that folder, it must be malicious.
Likewise, a common security feature is to prevent execution of PHP in the uploads folder.
If you are looking for a place to put a file that contains phpinfo(), wp-includes is not the place to put it. You could use a file in the root folder instead, or a page/theme template. You could also create a new sub-folder for your own testing of generic PHP files.
Unlike some other frameworks and CMS, WordPress is meant to be modified using the plugin/theme/hooks/filters system, with some more obscure mechanisms such as drop ins. The one thing that’s consistent is that you don’t modify the files of a standard WordPress core folder.
If you want to contribute to core, you should instead be using the develop/source version of WordPress from GitHub combined with a local dev environment:
https://github.com/wordpress/wordpress-develop
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0