herp a derp: I could just sieve my own access logs to see if any of the themes on any websites legitimately use /wp-includes/*.php . Thanks for telling me about the other files that shouldn’t be locked up.
display_errors good to know. some of the sites are inside cPanel/WHM, and one is in a 3rd party hosting, and these all try to keep my hands off their precious config files so I’ve been trusting them to know better than me. Maybe I can stick an “ini_set()” into wp-config.php to enforce it.
