Jethost’s Help Center


Protect the wp-includes Directory with JetHost Total Care

The wp-includes directory is one of the core folders that powers WordPress behind the scenes. It contains essential files that control how your site runs. Unfortunately, it’s also a common target for attacks. With the JetHost Total Care protect wp-includes setting, you can block public access to this directory and reduce your exposure to exploits.

Why You Might Want to Protect the wp-includes Directory

Most websites don’t need to serve anything directly from wp-includes. If someone tries to access files inside it, they’re either scanning your site or trying to exploit a vulnerability.

By protecting this directory, you can:

  • Block direct access to sensitive core files
  • Prevent URL-based attacks aimed at known script locations
  • Reduce the attack surface without changing how WordPress works

In many cases, attackers look for open core folders as their first step. Locking this one down stops that path early.

What Is wp-includes and Why It Matters

The wp-includes directory holds some of WordPress’s core PHP libraries, functions, and scripts. These files aren’t meant to be accessed directly by users or bots. They’re loaded internally by WordPress when needed.

If left unprotected, this folder can expose system files or allow someone to run code in unintended ways especially on misconfigured servers.

How to Protect wp-includes with JetHost Total Care

To control autosave using JetHost Total Care:

1. Log in to your WordPress dashboard.
2. Open the JetHost Total Care section from the sidebar.
3. In the tab Security, look for the setting labeled Protect wp-includes Directory.
4. Toggle the switch to activate the setting.

JetHost Total Care protect wp-includes

JetHost Total Care saves the change automatically when you toggle the setting.

JetHost Total Care Security setting updated

What Happens After You Apply the Setting

After enabling protection, JetHost Total Care blocks direct access to any files inside wp-includes. This won’t affect how WordPress functions because it still loads those files internally.

However, if someone tries to open them directly via a browser or bot, the request will be blocked. This helps filter out suspicious activity without touching your theme or plugin files.

JetHost Experts Tip

Even if your host has basic protections in place, it’s worth adding this extra layer. Think of it as closing a back door that you never use but someone else might try.

Need More Help?

The JetHost Total Care protect wp-includes setting quietly blocks one of the most commonly scanned parts of any WordPress site. It’s fast, invisible to users, and works well with your other security settings. Check out more WordPress security tutorials to keep your site clean, stable, and under control.

Back to help