Creating a secure .htaccess file for WordPress

Written by Brad Traversy on 01 December 2013.



WordPress is by far the most popular blogging tool on the web and one of the most beloved web content management systems. That is of course good news for WordPress, but it comes with a downside: plenty of attackers know the system very well, so the chances of a WordPress site being hacked are higher than for an obscure custom system. There are, however, many security measures webmasters can take, and one of them is a secure, well-tuned .htaccess file.

Creating a .htaccess File

If you install WordPress, you will not see a .htaccess file right off the bat. Once you log in and set up permalinks (friendly URLs), the .htaccess file should be created automatically. If not, you can simply create one. On certain versions of Windows you may not be able to name the file .htaccess, because Windows treats the whole name as an extension with no file name in front of it. In that case name it htaccess.txt, upload it to your server via FTP, and then rename it to .htaccess.

If you enable the friendly permalinks and a .htaccess file is generated, it will look something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Anything that we add from here on should be placed after the "# END WordPress" line.

Protecting wp-config.php File

The wp-config.php file is extremely important. It holds things like your database credentials, encryption keys and your database prefix. We can protect this file with the following code.

#Protect config file
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>

Restrict Admin Access

We can set it so that only certain IP addresses can access the admin area of your WordPress website. You need to create another .htaccess file and place it in the wp-admin folder. If you have a dynamic IP, you may have to update this regularly.

#Restrict admin access (replace xxx.xxx.xxx.xxx with your own IP)
order deny,allow
allow from xxx.xxx.xxx.xxx
deny from all

You can restrict only the login page like this:

#Restrict Login
<Files wp-login.php>
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
    allow from xxx.xxx.xxx.xxx
</Files>
<Files login>
    order deny,allow
    deny from all
    allow from xxx.xxx.xxx.xxx
    allow from xxx.xxx.xxx.xxx
</Files>

Stop Directory Browsing

You can prevent potential attackers from listing the contents of a directory in the browser with the following line:

#Stop directory browsing
Options All -Indexes

Protect the wp-content folder

The wp-content folder includes all of the theme files, assets and plugin files. To protect this folder, create a new .htaccess file in the directory and add the following lines.

#Protect the content folder
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
</Files>

The code above lets visitors fetch the XML, CSS, JavaScript and image files while blocking direct requests to the PHP files, which is the important part. If your theme serves other static assets, such as fonts or SVG images, add their extensions to the list or they will be blocked as well.

Block IP Addresses

You can also block specific IP addresses. If you have a problem user, for example one who has been trying to get into your backend, you can add a few lines to ban that address from visiting the site.

#Block IPs
order allow,deny
deny from xxx.xxx.xxx.xxx
deny from xxx.xxx.xxx.xxx
allow from all
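As an added example (not from the post and not Apache code), a small Python evaluator of the Apache 2.2 Order/Allow/Deny semantics, run over the Restrict Admin and Block IPs blocks above with constructed documentation-range IPs standing in for the xxx placeholders. It also shows why the Order line matters: the same admin block with the order reversed locks out the owner too.

```python
"""Evaluate the Order/Allow/Deny blocks from this post against sample
client IPs (Apache 2.2 mod_access semantics). Added example, not Apache
code; the IPs are constructed from the RFC 5737 documentation ranges."""
import ipaddress

def _matches(client, pattern):
    """One 'from' argument: all, a full IP, a dotted prefix, or a CIDR."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    return client == pattern or client.startswith(pattern.rstrip(".") + ".")

def parse_access(snippet):
    """Collect Order, Allow from and Deny from; comments and <Files> lines
    are skipped so a block from the post can be pasted in unchanged."""
    order, allow, deny = "allow,deny", [], []   # Apache's defaults
    for raw in snippet.splitlines():
        parts = raw.split("#", 1)[0].split()
        if not parts:
            continue
        key = parts[0].lower()
        if key == "order":
            order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    return order, allow, deny

def is_allowed(snippet, client):
    """Order semantics: the type listed second is evaluated last and wins;
    when nothing matches, the default is the opposite of the type listed first."""
    order, allow, deny = parse_access(snippet)
    hit_allow = any(_matches(client, p) for p in allow)
    hit_deny = any(_matches(client, p) for p in deny)
    if order.startswith("deny"):
        return hit_allow or not hit_deny    # Deny,Allow: default allow
    return hit_allow and not hit_deny       # Allow,Deny: default deny

ADMIN_IP = "203.0.113.7"                    # constructed stand-in for "your IP"
RESTRICT_ADMIN = f"#Restrict admin access\norder deny,allow\nallow from {ADMIN_IP}\ndeny from all"
# Same block with the Order reversed: a common mistake that locks everyone out
RESTRICT_ADMIN_REVERSED = RESTRICT_ADMIN.replace("deny,allow", "allow,deny")
BLOCK_IPS = "#Block IPs\norder allow,deny\ndeny from 198.51.100.20\nallow from all"

if __name__ == "__main__":
    for name, block in [("admin", RESTRICT_ADMIN), ("admin-reversed", RESTRICT_ADMIN_REVERSED), ("block", BLOCK_IPS)]:
        print(name, "owner:", is_allowed(block, ADMIN_IP), "stranger:", is_allowed(block, "198.51.100.20"))
```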

Turn Off Your Server Signature

The less information you give away about your server and hosting, the better your chances of not being hacked. This line removes the signature (server version and host name) that Apache appends to pages it generates itself, such as error pages and directory listings.

#Disable the Server Signature
ServerSignature Off

Protect From Bots

The following lines stop comment-form submissions that do not come from your own site or that carry no user agent at all, which is how most spam bots post. Be sure to change the domain to your own.

#Protect from spam bots (replace yourwebsite.com with your own domain)
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Only POST requests to the comment handler...
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .*wp-comments-post\.php
    # ...that were not referred from your own site, or have an empty user agent
    RewriteCond %{HTTP_REFERER} !.*yourwebsite\.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    # Redirect the request back to the client's own address
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>

Protecting the .htaccess File Itself

.htaccess can protect just about any folder or file you tell it to, and it can protect itself as well. The following block denies access to any file whose extension begins with .hta, such as .htaccess itself.

#Protect .htaccess file
<Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
</Files>