There are certain areas of a WordPress installation where PHP scripts are not meant to be requested directly by visitors. One of these areas is the wp-includes folder, and one of the easiest ways to prevent direct access is to add rewrite rules, using mod_rewrite, to your website's .htaccess file.
Note: WordPress can overwrite anything between the # BEGIN WordPress and # END WordPress tags in the .htaccess file. To ensure this code is not overwritten, paste it outside of these tags.
It is also important to note that this code can cause problems in a Multisite environment: some of the lines below may prevent ms-files.php from posting pictures. To address this, remove the line RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] from the code.
```apache
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
```
In most cases, wp-uploads is the only directory that needs to be writable by the web server, since this is where all uploaded files are stored. You can further harden the wp-uploads directory by adding an .htaccess file to the root of your /uploads directory that blocks PHP scripts from being executed:
```apache
# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all
</Files>
```
Note: Certain themes require PHP files to be executable within this folder, and this setup may break those themes. If that happens, all you need to do is remove the code above from .htaccess.
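To check exactly what the two .htaccess snippets above block and let through, here is an added Python simulation (not from the original article) of the mod_rewrite chain and the uploads file-name regex, run over a few constructed request paths. It reproduces the rule semantics (F, S=n, the "!" negation, RewriteBase /) with Python's re module, which treats these patterns the same way Apache's PCRE does, and it also shows that the `[^/]+\.php$` rule only covers PHP files directly inside wp-includes, not in its subfolders.

```python
import re

# The mod_rewrite chain from the first .htaccess snippet, in order. Each entry is
# (pattern, action): "F" forbids the request, ("S", n) skips the next n rules.
# A leading "!" negates the match, as in "RewriteRule !^wp-includes/ - [S=3]".
REWRITE_RULES = [
    ("^wp-admin/includes/", "F"),
    ("!^wp-includes/", ("S", 3)),
    (r"^wp-includes/[^/]+\.php$", "F"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", "F"),
    ("^wp-includes/theme-compat/", "F"),
]

# Regex from the uploads <Files ~ "..."> block. ("deny from all" is Apache 2.2
# syntax; Apache 2.4 needs "Require all denied" unless mod_access_compat is on.)
UPLOADS_BLOCK = re.compile(r"\.ph(?:p[345]?|t|tml)$")


def rewrite_verdict(path, rules=REWRITE_RULES):
    """Walk the chain as mod_rewrite does per-directory with RewriteBase /:
    leading slash stripped, F returns 403 at once, S=n skips the next n rules."""
    subject = path.lstrip("/")
    i = 0
    while i < len(rules):
        pattern, action = rules[i]
        negate = pattern.startswith("!")
        matched = re.search(pattern.lstrip("!"), subject) is not None
        if negate:
            matched = not matched
        i += 1
        if not matched:
            continue
        if action == "F":
            return "403"
        i += action[1]  # S=n: jump over the next n rules
    return "pass"  # no rule fired: request is handed to WordPress as normal


def uploads_verdict(filename):
    """Verdict of the uploads .htaccess for one file name in that directory."""
    return "403" if UPLOADS_BLOCK.search(filename) else "pass"


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real site.
    for p in ["/wp-includes/load.php", "/wp-includes/ID3/getid3.php",
              "/wp-includes/js/tinymce/langs/en.php", "/index.php"]:
        print(f"{p:40} -> {rewrite_verdict(p)}")
    for f in ["photo.png", "upload.php", "upload.phtml", "upload.php7"]:
        print(f"{f:40} -> {uploads_verdict(f)}")
```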