Why can I not execute php files under the wp-includes folder?

The question:

I am tweaking WordPress to understand it better, play with it. For personal purposes.

But loading custom files from the /wp-includes folder won’t work.

I tried to add an info.php file under /wp-includes containing phpinfo() and when I try to access it in the browser via example.com/wp-includes/info.php, the server returns error 503.

The folder permissions are set to 775 and the file permissions to 644.

Important note: If I rename the wp-includes folder to something else, like wp-include, then it works!

I contacted the hosting support to ask if they added some kind of protection but they say they did not, they say: “It’s how WordPress is designed, it doesn’t allow to modify files”.

There isn’t any .htaccess file in that folder. And the root htaccess file contains the following:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Protect WP Config
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>

How can I get to the reason for that 503 error? A PHP file with just plain text won’t work either.

The Solutions:


Method 1

Important note: If I rename the wp-includes folder to something else, like wp-include, then it works!

Nothing in WordPress specifically prevents what you did, but what you did would be considered a security breach by most security regimes. It would also be destroyed the moment an automatic update occurred.

So your request could have been blocked by:

  • firewalls
  • security plugins
  • Higher level Apache configs
  • data centre level security
  • PHP security extensions
  • CDN rules

And many other things.

wp-includes does not contain PHP files that can be directly accessed from the browser, so it’s a safe assumption that if such a file is in that folder, it must be malicious.

Likewise, a common security feature is to prevent execution of PHP in the uploads folder.

If you are looking for a place to put a file that contains phpinfo(), wp-includes is not the place to put it. You could use a file in the root folder instead, or a page/theme template. You could also create a new sub-folder for your own testing of generic PHP files.

Unlike some other frameworks and CMS, WordPress is meant to be modified using the plugin/theme/hooks/filters system, with some more obscure mechanisms such as drop-ins. The one thing that’s consistent is that you don’t modify the files of a standard WordPress core folder.


If you want to contribute to core, you should instead be using the develop/source version of WordPress from GitHub combined with a local dev environment:

https://github.com/wordpress/wordpress-develop
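
The answer's point that any unexpected PHP file in wp-includes is assumed malicious is the basis of core file-integrity checks. The following Python script is an added example, not part of the original answer or of WordPress: it compares a wp-includes tree against a checksum manifest and reports added, edited and deleted files. The function names, the manifest format (relative path to MD5 hex digest) and the sample files are assumptions constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def audit_core_dir(wp_root, manifest, subdir="wp-includes"):
    """Compare wp_root/subdir with a {relative_path: md5_hex} manifest.

    Returns (unexpected, modified, missing) as sorted lists of paths.
    """
    root = Path(wp_root)
    expected = {p: h for p, h in manifest.items() if p.startswith(subdir + "/")}
    unexpected, modified, seen = [], [], set()
    for f in sorted((root / subdir).rglob("*")):
        if not f.is_file():
            continue
        rel = f.relative_to(root).as_posix()
        seen.add(rel)
        if rel not in expected:
            unexpected.append(rel)  # e.g. a dropped-in info.php
        elif hashlib.md5(f.read_bytes()).hexdigest() != expected[rel]:
            modified.append(rel)  # core file edited in place
    return unexpected, modified, sorted(set(expected) - seen)


def demo():
    """Audit a constructed tree: one added, one edited, one deleted file."""
    with tempfile.TemporaryDirectory() as tmp:
        core = {  # constructed stand-ins for core files, not real WordPress code
            "wp-includes/version.php": b"<?php $wp_version = 'x.y';\n",
            "wp-includes/plugin.php": b"<?php // hooks API\n",
            "wp-includes/js/a.js": b"console.log('a');\n",
        }
        for rel, data in core.items():
            path = Path(tmp) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        manifest = {rel: hashlib.md5(d).hexdigest() for rel, d in core.items()}
        inc = Path(tmp) / "wp-includes"
        (inc / "info.php").write_text("<?php phpinfo();\n")  # the question's file
        (inc / "plugin.php").write_bytes(b"<?php // locally edited\n")
        (inc / "js" / "a.js").unlink()
        return audit_core_dir(tmp, manifest)


if __name__ == "__main__":
    for label, paths in zip(("unexpected", "modified", "missing"), demo()):
        print(f"{label}: {paths}")
```

On a real site, WP-CLI's `wp core verify-checksums` performs this kind of comparison against the official checksums for the installed version.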


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
