Defender WordPress Security, Malware Detection, and Firewall to block access to wp-includes: Internal error

Defender WordPress Security, Malware Detection, and Firewall to block access to wp-includes to avoid an internal error 500.

After installed a WP plugin called Defender and configured, we found out that it provoking access denied to wp-includes:


The script from “https://yourdomain.com/wp-includes/js/thickbox/thickbox.js?ver=3.1-20121105” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/dist/a11y.min.js?ver=2.5.1” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/wp-sanitize.min.js?ver=5.3.2” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/wp-auth-check.min.js?ver=5.3.2” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/jquery/ui/widget.min.js?ver=1.11.4” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/heartbeat.min.js?ver=5.3.2” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/jquery/ui/mouse.min.js?ver=1.11.4” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/jquery/ui/core.min.js?ver=1.11.4” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/jquery/ui/draggable.min.js?ver=1.11.4” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/jquery/ui/slider.min.js?ver=1.11.4” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/jquery/jquery.ui.touch-punch.js?ver=0.2.2” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/backbone.min.js?ver=1.4.0” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.
plugins.php
The script from “https://yourdomain.com/wp-includes/js/dist/vendor/wp-polyfill.min.js?ver=7.4.4” was loaded even though its MIME type (“text/html”) is not a valid JavaScript MIME type.

1- Solution check inside the folder wp-includes for .htaccess file that is added by WP defender, you delete this file and try configure again o modify this file here is an example:


deny from allallow from allallow from all
## WP Defender - Protect PHP Executed ##

Order allow,deny
Deny from all


Allow from all


Allow from all

## WP Defender - End ##