Secure WordPress site using htaccess

.htaccess is a very ancient and one of the most powerful configuration files that controls the Web Server settings which runs your website. The powerful .htaccess file has the ability to control access of the WWW’s Hypertext Transfer Protocol(HTTP) using Password Protection, Error Page Redirects, 301 Redirects, URL rewrites etc.

There is already a .htaccess file inside the wordpress directory and the typical wordpress .htaccess file looks similar to

 

So please be careful while you add more directives to the existing .htaccess file. Do not break wordpress based functionalities by editing between # BEGIN WordPress and # END WordPress.

Now add some essential directives to the .htaccess file as shown below

1. Prevent .htaccess file itself from external access using the following directive. You don’t need to create separate .htaccess file for this.

 

2. Protect your wp-config file because it contains various configurations for site files as well as database details. You don’t need to create separate .htaccess file for this.

 

3. Prevent directory browsing. The following directive will not allow anyone to browse the directory in the browser. Suppose you have a project directory structure like application/config and a user wants to see what are the files inside the directory config. SO user will type a URL in the browser something like http://www.example.com/application/config and user will be able to see all the files inside the config directory. To prevent such kind of thing we need the following directive. You don’t need to create separate .htaccess file for this.

 

4. Hotlinking refers to linking directly to non-html objects on other servers, such as images, movie, css, zip, pdf files etc. This can greatly impact bandwidth usage. Hotlink protection can save you lots of bandwidth by preventing other sites from displaying your non-html. You don’t need to create separate .htaccess file for this.

 

5. Do not display server signature when an error occurrs in the requested URL. You don’t need to create separate .htaccess file for this.

 

6. Stop spam – a form of spamdexing done by posting random comments, copied material, or promotion of commercial services. Spammers use bots to post comments on blogs and they come from nowhere. You don’t need to create separate .htaccess file for this.

 

7. You can restrict the access to the wp-admin directory only to your IP address or from certain IP addresses. If there is no .htaccess file in the wp-admin directory, create one and upload it to the wp-admin directory and add the below line to it.

If you want to restrict from only one IP address

 

If you want to restrict from multiple IP addresses

 

where x.x.x.x, y.y.y.y or z.z.z.z should be replaced by actual IP addresses.

8. The wp-content folder contains images, themes, plug-ins etc. and it’s a very important folder because apart from media files it contains sensitive .php files to which external access should be prevented. Create a separate .htaccess file and put the it under wp-content/ directory with the below content.

 

9. Sometimes we don’t need to protect the whole directory instead we need to protect individual file so in this case we can use following directive.
For example, we want to protect the file ‘abc’. You don’t need to create separate .htaccess file for this.

 

10. Cache Certain file types, saving bandwidth and decreasing load times. You don’t need to create separate .htaccess file for this.

 

11. Removes trailing slash from URL. It prevents SEO duplicate content issue. You don’t need to create separate .htaccess file for this.

 

12. Restrict access to Include only files under wp-includes directory. You don’t need to create separate .htaccess file for this.

 

13. Restrict access to wordpress admin area. create a new .htaccess file and put it under wp-admin/ directory with the following content.

If you want to allow from only one IP address

 

If you want to allow from multiple IP addresses

 

where x.x.x.x, y.y.y.y or z.z.z.z should be replaced by actual IP addresses.

14. The following code helps prevent executable scripts like .pl, .cgi or .php scripts from being executed when requested by a browser. This instructs the Web Server to treat them as text files instead of executables. The result is they will be displayed as plain text inside the browser window. For more info http://codex.wordpress.org/htaccess_for_subdirectories

 

That’s all. If you have more ideas then you can leave it in comment section. Thank you for reading.

Soumitra

Software Professional, I am passionate to work on web/enterprise application. For more information please go to about me. You can follow on Twitter. You can be a friend on Facebook or Google Plus or Linkedin

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.