Protect the security risk of your site’s /wp-content directory quickly and easily.
This is considered an advanced security filter, use it at your own risk. Please test your site completely before walking away. You have been politely warned.
WordPress holds all your site’s media files in wp-content directory. Although they are an asset you want search engines to index. But, “/wp-content” is the location of themes and plugins too. You don’t want to allow access to those sensitive .php files or allow malware to be be accessed if infected.
Use your FTP client and create a file without a name and give it the extension, .htaccess. Now upload it to your /wp-content directory. This code will allow access to images, CSS, java-script and XML files, but deny it for any other type, including malicious scripts such as php scripts (often found in untrusted plugins).
Notice: Check your web site’s operation after this simple modification. We have seen some 3rd party themes/plugins require access.
Using your browsers developer features, you can inspect to see if you are blocking any content that should be allowed. In the example below, you will notice that I am allowing wp-spamfree to pass my security filter..
order deny,allow deny from all allow from all