WordPress security is one of the most compromised factors among novice bloggers. In an unsupervised WordPress installation, there are quite a few potential vulnerabilities left unattended. Most WordPress installation tutorials explain a quick and easy way to deploy WordPress in minutes. But they missed some important safety factors. For example, directory browsing and the use of the “admin” username are considered serious security vulnerabilities. Today we will take a look at 10 .htaccess code snippets that will help improve the security of your WordPress blog. Before we start, let us quickly understand what an htaccess file is.

What is the .htaccess file?

The htaccess file is an optional configuration file interpreted by the Apache web server for each directory. You can store various settings in this file, such as: password-protected directories, blocking IP, blocking publicly accessible files or folders, etc. Traditionally, .htaccess files exist in the base WordPress installation directory. It stores the permanent link structure by default.

hint: Before starting this tutorial, make sure to back up the current .htaccess file (if it exists) in a cloud storage service such as Dropbox. This is to roll back to the last known working .htaccess file, if a certain code snippet breaks your site. let us begin.

1. Stop bad robots

Bad robot

One of the best uses of the .htaccess file is its ability to deny access to your site from multiple IP addresses. This is very useful in blocking known spammers and other sources of suspicious or malicious access. The code is:

# Block one or more IP address.
# Replace IP_ADDRESS_* with the IP you want to block

<Limit GET POST>
order allow,deny
deny from IP_ADDRESS_1
deny from IP_ADDRESS_2
allow from all

Where IP_ADDRESS_1 is the first IP you want to block access to your site. You can add any number of IPs. No matter what user agent (browser) 0 these IP addresses use, they will not be able to access individual files from your server. The web server will automatically deny all access.

2. Disable directory browsing

wordpress htaccess hack disable directory browsing

This is one of the most compromised security vulnerabilities in WordPress sites. By default, the Apache web server enables directory browsing. This means that all files and folders in the root directory (sometimes called the home directory) of the web server can be registered and accessed by visitors. You don’t want this because you don’t want people to browse your media uploads or your theme or plugin files.

If I randomly select 10 personal or commercial websites running WordPress, 6-8 of them will not disable directory browsing.This allows anyone Sniff around easily wp-content/upload Folder or any other directory with no default value Index.php document. In fact, before I recommend the fix, the screenshot you see came from a site of my client. Code snippet to disable directory browsing:

# Disable directory browsing
Options All -Indexes

3. Only allow selected files from wp-content

Shutter stock_108312266

As you know wp-content The folder contains the most themes, plugins and all media uploads. You certainly don’t want people to have unrestricted access to it. In addition to disabling directory browsing, you can also deny access to all file types and save some. Essentially, you can selectively unblock JPG, PDF, DOCX, CSS, JS and other files and reject other files. To do this, please paste this code snippet into your .htaccess file:

# Disable access to all file types except the following
Order deny,allow
Deny from all
<Files ~ ".(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
Allow from all

You must use the code to create a new .htaccess file and paste it into wp-content folder. Don’t put it in the base installation directory-otherwise it won’t work. You can also add any file type to the list by appending “|” after “rar”. The above list contains the necessary files-XML, CSS and JavaScript, common image and document formats, and finally the most commonly used archive formats.

4. Restrict all access to wp-includes

Shutter stock_135573032

this wp-includes folder Contains only the files necessary to run the core version of WordPress-files without any plugins or themes.Remember that the default theme still resides in wp-content/theme contents.Therefore, no visitor (including you) should ask to access the content of this website wp-include folder. You can disable access using the following code snippet:

# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

5. Only allow selected IP addresses to access wp-admin

Shutter stock_140373169

this wp-admin The folder contains the files needed to run the WordPress dashboard. In most cases, your visitors do not need to access the WordPress dashboard unless they want to register for an account.A good security measure is to allow only a few selected IP addresses to access wp-admin folder. You can allow the IPs of people (editors, contributors, and other administrators) who need to access the WordPress dashboard.This code snippet only allows fixed IP access wp-admin Folder and deny access to the rest of the world.

# Limit logins and admin by IP
order deny,allow
deny from all
allow from 302.143.54.102
allow from IP_ADDRESS_2

Make sure you create a new .htaccess file and paste it into the wp-admin folder instead of the base installation directory. If it is the latter, no one but you can browse your site-not even search engines! Of course you don’t want that. Several disadvantages of this measure are as follows:

  • If your website allows or promotes New User Registration, Tracking the number of users is almost impossible. For example, in WPExplorer, if you want to download our great free themes, then you must register.
  • some people Dynamic IP address (Most ADSL broadband users who use PPP or PPPoE protocols) change their IP every time they log out and log in to their ISP. Of course, it is impractical to track all these IPs and add them to the htaccess file.
  • Mobile phone broadband: Whether you are using 3G or 4G, your IP address depends on the cell tower you are currently connected to. Suppose you are traveling-your IP will keep changing as you move a few miles from the starting point. Similarly, tracking htaccess files is almost impossible.
  • Public Wi-Fi hotspot: Using credentials when connecting to the Internet using public Wi-Fi hotspots is a big no-no, because kids who use micro software can extract every character you type. Not to mention, every Wi-Fi hotspot will have a unique IP address.

Fortunately, all these shortcomings (except the first one) can be corrected by using a VPN. If you set up the VPN to connect using only a single IP address, then you only need to add it to your htaccess file and all your problems will be resolved.

6. Protect wp-config.php and .htaccess from being seen by everyone


this wp-config.php The file contains the most sensitive access credentials for your WordPress site. It contains the database name and access credentials, as well as various other key data, and other settings. Under no circumstances do you want others to view this file. Of course, you want to prohibit public access to all these security sources- .htaccess The file itself.You can disable access wp-config.php Use the following code:

# Deny access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all

To deny access to all htaccess files (remember, some files may be located in wp-admin and other folders), use the following code snippet:

# Deny access to all .htaccess files
<files ~ "^.*.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

7. Reject photo hotlinking

Picture hotlink

This is one of the coolest .htaccess file hackers. It sends content crawlers with its tail tucked between its legs. When someone uses your website’s pictures, your bandwidth is being consumed, and in most cases, you won’t even be praised for it. This code snippet eliminates the problem and sends this image when a hot link is detected.

# Prevent image hotlinking script. Replace last URL with any image link you want.
RewriteEngine on
RewriteCond %HTTP_REFERER !^$
RewriteCond %HTTP_REFERER !^http(s)?://(www.)?yourwebsite.com [NC]
RewriteCond %HTTP_REFERER !^http(s)?://(www.)?yourotherwebsite.com [NC]
RewriteRule .(jpg|jpeg|png|gif)$ http://i.imgur.com/MlQAH71.jpg [NC,R,L]

8. Enable browser caching

Web browser list

Also known as client-side caching, this .htaccess hack enables the recommended browser caching option for your WordPress site. You can also use it in other projects-HTML sites, etc.

# Setup browser caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"

9. Redirect to the maintenance page

Shutter stock_93288208

When you migrate virtual hosts or perform certain maintenance tasks, it is always recommended to create a static “downtime maintenance” HTML file to inform your visitors that the site is undergoing an upgrade or maintenance operation. Just create a maintenance.html file (or any other file name) and upload it to the basic WordPress installation directory. Paste the following code snippet into your .htaccess file. After the operation is over, be sure to delete or comment out these lines to return to the overall operation. You can comment it out by appending a “#” at the beginning of each line.

# Redirect all traffic to maintenance.html file
RewriteEngine on
RewriteCond %REQUEST_URI !/maintenance.html$
RewriteCond %REMOTE_ADDR !^
RewriteRule $ /maintenance.html [R=302,L] 

10. Custom error page

404 template

You can also use .htaccess files to configure user-friendly custom error pages for 403, 404, and 500 errors. Once you have prepared the error page-say error.html, upload it to your basic WordPress installation directory. Then add the following code snippet to your .htaccess file to enable the custom error page:

# Custom error page for error 403, 404 and 500
ErrorDocument 404 /error.html
ErrorDocument 403 /error.html
ErrorDocument 500 /error.html

in conclusion:

Today we learned some of the coolest htaccess hacks to enhance your WordPress website. I recommend that you try each module one by one while backing up the .htaccess file before and after testing each module. This is because the .htaccess file is very critical. Missing “#” character or misplaced ““May destroy the integrity of your website. If you often visit your WordPress dashboard on the go, it is recommended not to enable selective IP for your device wp-admin folder.

Over to you-what do you think of this article? Do you think the trouble of editing htaccess files is worth it? Do you know better safety tips? We would be happy to hear from you.