8 Ways To Secure WordPress With .htaccess

Posted 17th September, 2014 by Aliysa

Every CMS is susceptible to hacking, even WordPress - our support team deal with hacked WordPress sites on a frequent basis. However, there are a number of precautions that can be taken to harden security and keep WordPress protected, most of which are often either overlooked or even unheard of.

We’ve listed five ways to keep WordPress secure before, and also highlighted a number of common mistakes WordPress users make, and how to avoid and rectify them. An area that we’re yet to explore is how to leverage .htaccess to harden your WordPress site against hackers.

What is an .htaccess file?

The .htaccess file allows you to make configuration changes to your site, or to the specific directory it is placed in. You can do a number of things to control the behaviour of your site using this file, such as set up redirects, password-protect directories and add custom error pages. You can make changes to your .htaccess files using FTP. The . (dot) before htaccess indicates that it’s a hidden file.

How to modify the WordPress .htaccess file

Note: This guide is intended for non-multisite WordPress installs.

The .htaccess file for WordPress can be found within your public_html directory. If you use the Yoast SEO plugin, you can also view and edit your .htaccess file through the 'Edit Files' section of the plugin’s settings.

The WordPress .htaccess file doesn’t actually exist upon initial installation, but is created when you change your site’s permalink structure, as recommended, through the admin area. Changes are then automatically written to the .htaccess file by some plugins and by WordPress itself.

It’s important that changes you make are written outside of:

```
# BEGIN WordPress
[WordPress data]
# END WordPress
```

If you don't do this, your changes may be overwritten by WordPress. The same applies for plugin data.

And a word of caution: be careful - a simple mistake when editing your .htaccess files can be problematic; for instance it’s possible to lock yourself out of your site or take your entire site offline. The Cloud takes 30 days of backups automatically, but as best practice we recommend taking a backup of your data before editing .htaccess files yourself.

If you lack coding knowledge, and you’re not confident in accessing this file, the WP htaccess Control plugin provides an easier interface for editing it. Once installed, go to htaccess suggestions and harden your security through here.

How to harden WordPress with .htaccess

1. Protect wp-config.php

wp-config is an important file in your root directory that houses sensitive information regarding the database, including the username, password and host name. It provides the link between WordPress and MySQL. To ensure this data does not fall into the wrong hands, add the following snippet to prevent access to wp-config.php:

```
# Deny all HTTP requests for wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
```

Outside of the .htaccess, we also recommend setting ‘600’ permissions on the wp-config.php file to prevent any possibility of it being read by another user on the same system as you. This can be done in the File Manager or via FTP.

2. Secure wp-includes

There are a number of scripts in WordPress that nobody will ever need to touch. You can block include-only files through .htaccess using the following code:

```
# Block direct requests for include-only files
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
```

3. Access only by IP

If you only access your WordPress admin area from the same location, you may want to limit access to your IP address only. To do this you’ll need to add a small snippet of code to the .htaccess file in the wp-admin directory. If this doesn’t exist don’t worry, simply add one yourself through FTP. Add the following code:

```
order deny,allow
allow from [insert your IP address]
deny from all
```

If you don’t know your IP address, you can use this tool.

4. Block bad users

We’ve covered limiting access to specific IPs, but what if you want to ban specific users from accessing your WordPress site? Block visitors with malicious intentions by adding this code to your root .htaccess file:

```
# No space after the comma: "order allow, deny" is a syntax error
order allow,deny
deny from [bad IP address 1]
deny from [bad IP address 2]
deny from [bad IP address 3]
allow from all
```

5. Block bad bots

Bad bots or web spiders waste your resources and send your bandwidth usage sky high. To block bad bots, insert the following rules into your .htaccess file:

```
RewriteEngine on
# Each condition matches the start of the User-Agent header
RewriteCond %{HTTP_USER_AGENT} ^[insert bad bot 1 name] [OR]
RewriteCond %{HTTP_USER_AGENT} ^[insert bad bot 2 name] [OR]
RewriteCond %{HTTP_USER_AGENT} ^[insert bad bot 3 name]
RewriteRule .* - [F]
```

This page provides a list of some known bad bots.

6. Prevent directory browsing

Nowadays people are more than comfortable with the WordPress structure, and if you have directory browsing enabled on your site they can see which plugins you have installed and other file details. To protect this information, prevent directory browsing by simply adding one line:

```
Options -Indexes
```

7. Disable hotlinking

As covered in our post about speeding up WordPress, hot-linking is when other site owners use your files by linking to them on your site, eating up your disk space and bandwidth, and potentially slowing your site down. This may not be in the realm of security per se, but it’s definitely worth protecting against. These four lines will prevent hot-linking to your site:

```
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?[insert your domain name] [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
```

To disable hot-linking to any other file types you have on your site, add the relevant file extensions to the last line.

8. Protect .htaccess

For ultimate peace of mind, protect .htaccess itself from unauthorised access by inserting the following code to prevent external file access:

```
# Deny all HTTP requests for the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>
```
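The `order`/`allow`/`deny` directives used in sections 1, 3, 4 and 8 are Apache 2.2 syntax; Apache 2.4 only accepts them through mod_access_compat, and its native form is `Require`. The following is an added example, not part of the original post, that expresses the root-level rules from sections 1, 4 and 8 in both forms so the same file works on either version. The two blocked addresses are placeholders from documentation ranges.

```apache
# Added example (not from the original post). Root .htaccess rules for
# sections 1, 4 and 8 in both syntaxes; only one branch is ever active.
# 198.51.100.7 and 192.0.2.0/24 are placeholder addresses (assumptions).

# Apache 2.4: native mod_authz_core directives (need AllowOverride AuthConfig).
<IfModule mod_authz_core.c>
    # Section 4: everyone is allowed except the listed addresses.
    <RequireAll>
        Require all granted
        Require not ip 198.51.100.7
        Require not ip 192.0.2.0/24
    </RequireAll>

    # Sections 1 and 8: no HTTP access to wp-config.php or .htaccess.
    # A <FilesMatch> section is merged after the directory-level rules,
    # so this denial replaces the block above for these two files.
    <FilesMatch "^(wp-config\.php|\.htaccess)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2: original order/allow/deny form (needs AllowOverride Limit).
<IfModule !mod_authz_core.c>
    Order allow,deny
    Allow from all
    Deny from 198.51.100.7
    Deny from 192.0.2.0/24

    <FilesMatch "^(wp-config\.php|\.htaccess)$">
        Order allow,deny
        Deny from all
        Satisfy all
    </FilesMatch>
</IfModule>
```

For section 3, the Apache 2.4 form in wp-admin/.htaccess is a single `Require ip` line followed by your address. Avoid mixing the old and new directives in the same context on 2.4, as the combined result is hard to predict.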

Do you use .htaccess to secure your WordPress site in any other ways? We'd be fascinated to find out how in the comments below.

Categories: WordPress, Security
