WordPress security is one of the most overlooked areas among novice bloggers. A WordPress installation that is set up and then left alone carries several avoidable weaknesses. Most WordPress installation tutorials explain a quick way to get WordPress up and running in minutes, but a few important safety measures get lost along the way. For example, enabled directory listings and the username ‘admin’ are both well-known weak points. Today we are going to look at 10 .htaccess code snippets that help improve the security of your WordPress blog. Before we get started, let’s take a quick look at what the .htaccess file is.
What is the .htaccess file?
An .htaccess file is an optional per-directory configuration file that the Apache web server reads on every request to that directory and its subdirectories. You can store various settings in it: password-protect a directory, block IP addresses, deny public access to a file or folder, set rewrite rules, and so on. Its directives only take effect if the main server configuration permits them for that directory (the AllowOverride setting); on a host where that is disabled, nothing below has any effect, and some directives produce a 500 Internal Server Error rather than being ignored. In a standard WordPress installation the .htaccess file sits in the base installation directory and holds the rewrite rules that implement the permalink structure.
SUGGESTION: Before starting, back up your current .htaccess file (if present) somewhere outside the web root, for example to a cloud storage service like Dropbox, so that you can roll back to the last working version if a snippet breaks your site. Let’s start.
1. Block Bad Bots
One of the most common uses of the .htaccess file is denying access to specific IP addresses. This is useful for blocking known spammers, scrapers and other suspicious or malicious sources. The code is:
# Block one or more IP addresses.
# Replace IP_ADDRESS_* with the IP you want to block
# (Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat)
Order allow,deny
Allow from all
Deny from IP_ADDRESS_1
Deny from IP_ADDRESS_2
Where IP_ADDRESS_1 is the first IP you want to keep off your site. You can add as many Deny lines as you like, and each may also be a CIDR range (for example 192.0.2.0/24) to cover a whole block. Whatever user agent (browser) the client uses, it will not be able to fetch a single file from the directory the .htaccess file governs. Two things to watch. First, do not wrap these directives in a <Limit GET POST> block, as many copies of this snippet do: <Limit> applies the rules only to the listed methods, so a client sending HEAD, OPTIONS or any other method walks straight past the block. Second, if the site sits behind a CDN or reverse proxy, Apache sees the proxy’s address rather than the visitor’s, and the block hits the proxy instead; enable mod_remoteip (or your host’s equivalent) first so the real client address is used.
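An Apache 2.4 form of the same block, added here as an example rather than taken from the original post: the Order/Allow/Deny directives were removed from the Apache 2.4 core (they survive only when mod_access_compat is loaded) and replaced by Require. The addresses 203.0.113.0/24 and 198.51.100.7 are RFC 5737 documentation ranges standing in for the real ones; the IfModule pair selects the right syntax automatically, and the block goes in the root .htaccess.

```apache
# Added example: block addresses on Apache 2.4 (mod_authz_core) with a
# fallback for Apache 2.2 / mod_access_compat. No <Limit> wrapper, so the
# rule applies to every HTTP method.
# 203.0.113.0/24 and 198.51.100.7 are RFC 5737 placeholder addresses.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        # "not" is only valid inside <RequireAll>; one address or CIDR range per line
        Require not ip 203.0.113.0/24
        Require not ip 198.51.100.7
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from 203.0.113.0/24
    Deny from 198.51.100.7
</IfModule>
```

Check the result with a request from a blocked address: the response must be 403 Forbidden for every method, including HEAD and OPTIONS, and for a static file as well as for a WordPress page.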
2. Disable directory browsing
This is one of the most overlooked weaknesses on a WordPress site. Many default Apache configurations ship with directory listings enabled (Options Indexes). This means that when a visitor requests a directory that has no index file, Apache renders a list of everything inside it. You don’t want that: it lets people browse your media uploads and your theme and plugin files, and a listing of the plugins directory tells an attacker exactly which plugins you run.
If I randomly select 10 personal or business websites running WordPress, 6-8 of them will not have directory listings disabled. This lets anyone poke around wp-content/uploads or any other directory that lacks a default index.php. The directory listing I captured for this section came from one of my client’s sites, before I recommended the solution. Code snippet to disable directory listings:
# Disable directory browsing
Options -Indexes
Use the plain -Indexes form rather than Options All -Indexes: All also switches on options such as ExecCGI and Includes that you do not want in a web root, and on hosts whose AllowOverride does not include Options it fails with a 500 error. If even the line above produces a 500, your host does not allow Options in .htaccess; ask them to disable Indexes in the main server configuration instead.
3. Allow only selected wp-content files
As you know, the wp-content folder holds your themes, plugins and all media uploads. You certainly don’t want people to have unrestricted access to it. In addition to disabling directory listings, you can deny access to every file type and then allow only a few back in. In essence, you selectively unblock types such as JPG, PDF, DOCX, CSS and JS and deny everything else, which notably includes direct requests to any .php file under wp-content (the usual way a web shell dropped into the uploads folder gets executed). To do this, paste the following code into a new .htaccess file in the wp-content folder:
# Disable access to all file types except the following
# (Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat)
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|js|jpe?g|png|gif|webp|ico|woff2?|ttf|pdf|docx|rtf|odf|zip|rar)$">
Allow from all
</FilesMatch>
Create a new .htaccess file containing this code and place it in the wp-content folder. Don’t put it in the base installation directory, or it will block index.php and everything else the site needs. You can add any further file type by appending a ‘|’ and the extension after ‘rar’, and you should expect to: the list above covers XML, CSS and JavaScript, common image, font and document formats and the usual archives, but a theme that loads, say, SVG icons or MP4 video needs those added too. Note the leading \. in the pattern: without the backslash the dot matches any character and the rule is looser than intended. Test the site after adding this file, because some plugins answer front-end requests from a PHP file inside their own folder and will stop working with the allowlist in place.
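If the allowlist above proves too restrictive, a narrower rule covering only the uploads folder, where user-supplied files land, still closes the most important hole. The following is an added example, not code from the original post; it assumes the default uploads location wp-content/uploads, goes into a new wp-content/uploads/.htaccess, and works on Apache 2.2 and 2.4:

```apache
# Added example: forbid direct requests for anything PHP-like inside
# wp-content/uploads, the directory user-supplied files are written to.
# The pattern is case-insensitive and also catches double extensions such
# as shell.php.jpg, which Apache can still hand to the PHP handler when
# the host maps PHP with AddHandler rather than SetHandler.
<FilesMatch "(?i)\.(php|phtml|php[0-9]|phar|phps)(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

Images, documents and other media keep their normal handling. The rule denies the request at the web server, so it holds even when a plugin’s upload filter is bypassed; it does not stop the file from being written, only from being executed through Apache. Check it by placing a file named test.php.jpg containing <?php echo 'x'; in the uploads folder over SFTP and requesting it: the answer must be 403, not x.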
4. Restrict all access to wp-includes
The wp-includes folder contains only the files strictly necessary to run WordPress core, with no plugins or themes; remember that the default theme lives under wp-content/themes. WordPress loads these files internally, so no visitor (including you) should ever need to request a PHP file inside wp-includes directly. The following snippet, which also appears in the official WordPress hardening guide, blocks that. It belongs in the root .htaccess file, above the ‘# BEGIN WordPress’ block, because the WordPress rules end with a catch-all RewriteRule that would otherwise run first:
# Block wp-includes folder and files
# Place in the root .htaccess above "# BEGIN WordPress"
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules unless the request is for wp-includes/
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
CSS, JavaScript and images under wp-includes stay reachable, as they must; only direct PHP requests are refused with 403 Forbidden. On a Multisite installation the rule for wp-includes/*.php also blocks wp-includes/ms-files.php, which older multisite setups use to serve uploaded media, so test before deploying it there.
5. Allow only selected IP addresses to access wp-admin
The wp-admin folder contains the files that run the WordPress dashboard. In most cases your visitors do not need access to it. A good security measure is to allow only a few selected IP addresses to reach wp-admin: the editors, contributors and other administrators who actually use the dashboard. This snippet allows fixed IP addresses to access the wp-admin folder and denies the rest of the world:
# Limit admin access by IP
# (Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat)
# 203.0.113.10 is an RFC 5737 placeholder address; replace it with your own
Order deny,allow
Deny from all
Allow from 203.0.113.10
Allow from IP_ADDRESS_2
Make sure to create a new .htaccess file with this content inside the wp-admin folder, not in the base installation directory. If it goes in the latter, no one but you will be able to browse your site, not even search engines! Three caveats apply. Do not wrap the directives in <Limit GET POST PUT>: <Limit> restricts only the listed methods, so a HEAD or OPTIONS request would bypass the rule. The login page itself, wp-login.php, is not inside wp-admin but in the base directory, so this snippet does not protect it; password guessing against wp-login.php continues unhindered unless you restrict that file as well. And wp-admin/admin-ajax.php is called from the public front end by many themes and plugins, even for logged-out visitors, so blocking the whole folder breaks those features unless that file is exempted. A couple of further disadvantages of the measure are the following:
- If your site allows or promotes registration of new users, it is impractical to whitelist every registrant’s address. For example, on WPExplorer, if you want to download our amazing free themes, you need to register.
- People with dynamic IP addresses (mostly ADSL broadband users on PPP or PPPoE) get a new address each time they reconnect to their ISP. Keeping track of all these IPs in the .htaccess file is not practical.
- Mobile broadband: on 3G or 4G your public IP address depends on the carrier gateway you are routed through and changes as you move or reconnect. Again, maintaining the .htaccess file is next to impossible.
- Public Wi-Fi hotspots: entering credentials over an unencrypted (plain HTTP) connection on public Wi-Fi is a big no-no, since anyone on the same network with a packet sniffer can read what you type; serve the login page over HTTPS regardless of any IP rule. And each hotspot has its own public IP address.
Fortunately, all of these disadvantages (except the first one) can be worked around with a VPN. If your VPN connects through a single fixed egress address, you can add just that address to the .htaccess file.
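Because wp-login.php lives outside wp-admin and admin-ajax.php must stay public, the per-folder file above leaves two gaps. The snippet below is an added example (not from the original post) that covers both from the root .htaccess using mod_rewrite only, so it behaves the same on Apache 2.2 and 2.4. The addresses 203.0.113.10 and 198.51.100.7 are RFC 5737 placeholders for your own static or VPN egress addresses; insert the block above the ‘# BEGIN WordPress’ marker and use it instead of, not in addition to, a separate wp-admin/.htaccess.

```apache
# Added example: restrict the dashboard AND the login page by source address
# from the site's root .htaccess. 203.0.113.10 and 198.51.100.7 are RFC 5737
# placeholder addresses; replace them with the addresses that may log in.
# Insert above the "# BEGIN WordPress" block.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Requests from allowed addresses never reach the block rule.
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.7$
    # admin-ajax.php is used by themes and plugins for logged-out visitors,
    # so it stays reachable; everything else under wp-admin/ and wp-login.php
    # gets 403 Forbidden regardless of HTTP method.
    RewriteCond %{REQUEST_URI} !/wp-admin/admin-ajax\.php$
    RewriteRule ^(wp-login\.php|wp-admin(/.*)?)$ - [F]
</IfModule>
```

As with every address-based rule, a site behind a CDN or reverse proxy must have mod_remoteip configured, otherwise REMOTE_ADDR is the proxy’s address and either everyone or no one matches. Check with two requests from an address not in the list: /wp-login.php must return 403, and /wp-admin/admin-ajax.php must still answer (WordPress replies 0 to an unknown action, which confirms the rule let it through).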
6. Protect wp-config.php and .htaccess from everyone
The wp-config.php file holds the most sensitive secrets of your WordPress site: the database name and credentials, the authentication salts and various other critical settings. Under no circumstances do you want anyone else reading it. Normally PHP executes the file and nothing leaks, but if PHP handling ever fails (a misconfigured handler after a migration, for instance) Apache serves it as plain text, and editor or backup copies such as wp-config.php.bak, wp-config.php~ or wp-config.php.orig are served as plain text at any time. You also want to block public access to the source of all these rules, the .htaccess file itself. Deny access to wp-config.php and its copies with this code:
# Deny access to wp-config.php and to backup copies such as wp-config.php.bak
# (Apache 2.2 syntax; on Apache 2.4 it requires mod_access_compat)
<FilesMatch "^wp-config\.php">
Order allow,deny
Deny from all
</FilesMatch>
To deny access to all .htaccess files (remember some may reside in wp-admin and other folders), and to .htpasswd files as well, use this snippet. Apache’s stock configuration already refuses files whose names begin with .ht, so this mostly matters on a host that has changed that default:
# Deny access to all .htaccess and .htpasswd files
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy all
</FilesMatch>
7. Deny image hotlinking
One of the coolest .htaccess tricks, this one sends content scrapers away with their tails between their legs. When someone embeds an image from your site on theirs, your bandwidth is consumed and most of the time you are not even credited. This snippet detects a request whose Referer header is neither empty nor one of your own domains and redirects it to a replacement image of your choice:
# Prevent image hotlinking. Replace the domains with yours and the last URL
# with any image you want hotlinkers to see. Host that image somewhere this
# rule does not cover, otherwise the replacement itself gets redirected in a loop.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourotherwebsite\.com [NC]
RewriteRule \.(jpe?g|png|gif)$ http://i.imgur.com/MlQAH71.jpg [NC,R,L]
The first condition keeps an empty Referer allowed, because some browsers and privacy settings (Referrer-Policy: no-referrer) send none and you do not want to break legitimate visitors. If you would rather serve no image at all, replace the substitution and flags on the last line with - [F,NC,L] to answer 403 Forbidden. Keep in mind that this is a bandwidth measure, not a security control: the Referer header is set by the client, and a determined scraper can fake or omit it.
8. Enable browser caching
Also known as client-side caching, this .htaccess snippet sets the recommended Expires headers for static assets on your WordPress site. You can also use it in other projects, such as plain HTML sites. It relies on mod_expires, so the whole block is wrapped in IfModule and silently does nothing on hosts without that module:
# Setup browser caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/x-icon "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType text/javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
# HTML (including PHP output) must not be cached: ExpiresDefault would otherwise
# apply to every page, so logged-out visitors would see stale content and the
# login page could be served from the browser cache.
ExpiresByType text/html "access plus 0 seconds"
ExpiresDefault "access 2 days"
</IfModule>
Two corrections versus the version of this snippet that usually circulates: image/jpg is not a real MIME type (Apache serves .jpg as image/jpeg, so such a line never matches), and JavaScript is served as application/javascript or text/javascript, not text/x-javascript. Caching is a performance setting rather than a security one; the single security-relevant point is that pages which vary per user must never receive a long Expires lifetime.
9. Redirect to a Maintenance page
When migrating a site or performing maintenance, it is good practice to put up a static “down for maintenance” HTML page to tell visitors that the site is being upgraded. Create a maintenance.html file (any name will do) and upload it to the base WordPress installation directory, then paste the following snippet into your .htaccess file, with your own address in place of 123.123.123.123 so that you can still reach the site. Once the operation is complete, be sure to delete or comment out these lines to get back to normal operation; you can comment a line out by adding a ‘#’ at its beginning.
# Redirect all traffic except the administrator's to maintenance.html
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^ /maintenance.html [R=302,L]
The first condition exempts the maintenance page itself (without it the redirect would loop); if that page references its own CSS or images, exempt those files the same way or inline the styling. The trailing $ on the address keeps 123.123.123.123 from also matching 123.123.123.1234. A 302 is the simplest approach, but if the site stays down for long, search engines may index the maintenance page under your URLs.
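A 302 tells crawlers the content has moved; the status designed for this situation is 503 Service Unavailable, which search engines treat as temporary and do not index. The variant below is an added example (not from the original post) that keeps the same maintenance.html page and the same administrator exemption, with 203.0.113.10 as a placeholder for your own address; it works on Apache 2.2 and 2.4:

```apache
# Added example: answer 503 with the maintenance page instead of redirecting.
# 203.0.113.10 is an RFC 5737 placeholder for the administrator's address.
# ErrorDocument must point at a local static file; a full URL there would
# silently turn the response back into a redirect.
ErrorDocument 503 /maintenance.html
<IfModule mod_headers.c>
    # Ask clients and crawlers to retry in an hour (value in seconds). Sent on
    # every response while this block is active, which is fine for the window.
    Header always set Retry-After "3600"
</IfModule>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
# Let the error document itself through, otherwise Apache cannot serve it.
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
RewriteRule ^ - [R=503,L]
```

If maintenance.html pulls in its own stylesheet or images, add a RewriteCond exemption for each of them, or inline them in the page. Verify from an address other than the administrator’s: the homepage must return status 503 with the maintenance page as the body, not a 302.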
10. Custom error pages
You can also use the .htaccess file to set up user-friendly custom error pages for errors like 403, 404 and 500, which also stops Apache from showing its default error page (the default page includes the server signature when ServerSignature is on). Prepare your error page, say error.html, as a plain static file: if the 500 page itself depended on PHP, it would fail exactly when you need it. Upload it to your base WordPress installation directory, then add the following snippet to your .htaccess file to enable it:
# Custom error page for error 403, 404 and 500
ErrorDocument 404 /error.html
ErrorDocument 403 /error.html
ErrorDocument 500 /error.html
Conclusion
Today we have learned some of the best .htaccess hacks to harden your WordPress site. I suggest you test each snippet one at a time, backing up the .htaccess file before and after each one, because the file is critical: a single mistyped directive or a missing or misplaced ‘#’ character takes the whole site down with a 500 Internal Server Error. Verify each rule with a deliberate request rather than by loading the homepage alone (for example, request wp-config.php or a PHP file under wp-includes directly and confirm you get 403). If you access your WordPress dashboard frequently on the go, it is best not to enable the IP restriction on the wp-admin folder.