Hardening wp-content and wp-includes
Again using .htaccess, we'd best restrict access to content from the remaining core WordPress directories, wp-content and wp-includes.
Create a .htaccess file in each folder, pasting this rule within:

Order Allow,Deny
Deny from all
<Files ~ "\.(gif|jpe?g|png|css|js|xml)$">
Allow from all
</Files>
That allows access to images, JavaScript, stylesheets and XML, and denies everything else; in particular, a direct request for any PHP file in those directories is refused, so a script dropped into wp-content/uploads cannot be run by requesting its URL, even though WordPress itself can still include those files from disk. Note that Order, Allow and Deny are the Apache 2.2 access-control syntax: Apache 2.4 honours them only with mod_access_compat loaded, and its native equivalents are Require all denied and Require all granted. Sometimes, though, this is too restrictive, so let's consider some workarounds.
Extra rules for wp-includes' .htaccess
Let's say you use the Dashboard's Flash uploader. You would then also need to accept .swf files, adding that extension to the <Files> directive like this:

<Files ~ "\.(gif|jpe?g|png|css|js|xml|swf)$">
Or if a bundled component breaks, say the TinyMCE WYSIWYG editor, because it serves files from wp-includes/js/tinymce whose extensions are not in that list, the fix is not another <Files> rule in this file: a <Files> section in a per-directory .htaccess matches the file name only, never the path, so a pattern such as js/tinymce/* would never match anything. Instead, create a second .htaccess inside wp-includes/js/tinymce that re-allows that directory (its Order, Allow and Deny replace the parent's for requests below it):

Order Allow,Deny
Allow from all
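The following is an added example, not code from the original article: a small Python model of how Apache's per-directory access rules above decide a request, used to check what the wp-includes and wp-content allowlists actually let through and why a path pattern inside <Files> never fires. It assumes (none of this is stated on the page) that a <Files ~ "regex"> section is tested against the request's file name only, that Apache merges configuration root-to-leaf with a deeper .htaccess's Order/Allow/Deny replacing the parent's and all <Files> sections applied afterwards with the last match winning, and that the article's patterns are simple enough for Python's re to behave like PCRE. The file and directory names are constructed for illustration.

```python
"""Model of the article's .htaccess allowlists (added example, not from the page).

Assumptions, none taken from the article:
  * a <Files ~ "regex"> section sees only the request's basename, never the path;
  * config merges root-to-leaf: a deeper .htaccess's Order/Allow/Deny replaces
    the parent's, then every <Files> section runs, the last matching one winning;
  * Python's re is close enough to PCRE for these patterns.
All file and directory names below are constructed for illustration.
"""
import posixpath
import re

# The article's allowlist, with .swf added for the Flash uploader.
STATIC_ALLOW = r"\.(gif|jpe?g|png|css|js|xml|swf)$"

# Rules as the article wrote them: "js/tinymce/*.$" is a path pattern inside
# <Files>, so it can never match a bare file name.
BROKEN_TREE = {
    "wp-includes": {"policy": "deny",
                    "sections": [(STATIC_ALLOW, "allow"), (r"js/tinymce/*.$", "allow")]},
    "wp-content": {"policy": "deny", "sections": [(STATIC_ALLOW, "allow")]},
}

# Corrected layout: a separate .htaccess inside wp-includes/js/tinymce that
# re-allows that directory instead of a <Files> rule in the parent.
FIXED_TREE = {
    "wp-includes": {"policy": "deny", "sections": [(STATIC_ALLOW, "allow")]},
    "wp-includes/js/tinymce": {"policy": "allow", "sections": []},
    "wp-content": {"policy": "deny", "sections": [(STATIC_ALLOW, "allow")]},
}


def decide(request_path, tree):
    """Return "allow" or "deny" for a docroot-relative request path."""
    directory, filename = posixpath.split(request_path)
    parts = directory.split("/") if directory else []
    verdict = "allow"  # no .htaccess on the way down means no restriction
    sections = []
    # Walk wp-content, wp-content/uploads, ... picking up each .htaccess.
    for depth in range(1, len(parts) + 1):
        conf = tree.get("/".join(parts[:depth]))
        if conf is None:
            continue
        verdict = conf["policy"]        # deeper directory policy overrides
        sections.extend(conf["sections"])
    # <Files> sections run last and see only the basename; the match is
    # case-sensitive, as Apache's "~" regex is unless the pattern says (?i).
    for pattern, action in sections:
        if re.search(pattern, filename):
            verdict = action
    return verdict


if __name__ == "__main__":
    for path in ("wp-includes/wp-db.php",
                 "wp-includes/js/tinymce/wp-mce-help.php",
                 "wp-content/uploads/2009/shell.php",
                 "wp-content/uploads/2009/shell.php.jpg",
                 "wp-content/uploads/LOGO.GIF"):
        print(f"{path:45} broken={decide(path, BROKEN_TREE):5} "
              f"fixed={decide(path, FIXED_TREE)}")
```

Running it shows the two points that matter: a PHP file in wp-content/uploads is refused outright, which is the hardening benefit, and the article's tinymce path rule never fires while the directory-level .htaccess does. It also exposes two limits of the allowlist worth knowing: it inspects only the final suffix, so shell.php.jpg passes it (whether Apache would then hand such a file to PHP depends on how the PHP handler is bound, which the model does not cover), and it is case-sensitive, so LOGO.GIF is refused.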
Extra rules for wp-content's .htaccess
In this file, you can counter any problems...