Improve WordPress Security using .htaccess file

Written by Tushar. Posted in Blogging

WordPress is a very popular blogging platform and the first choice of most new bloggers. That popularity also makes it the platform most attacked by the bad crowd of the internet: spammers, hackers and leechers. Every blogger should treat improving WordPress security as a basic task.

Wordpress Security

Earlier I shared an article on securing a WordPress blog using the Better WP Security plugin.

However, if you are a WordPress enthusiast, you might enjoy implementing WordPress security manually via the .htaccess file.

Note: I recommend that beginners with little knowledge of .htaccess configuration do not use this method and use the “Better WP Security” plugin instead.

In this article I will show how to secure your WordPress blog using the .htaccess file. The code snippets protect the most important folders and files of your WordPress installation.

About .htaccess

.htaccess is a configuration file used to change the web server configuration on a per-directory basis. The .htaccess file of a typical WordPress installation looks like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

You will need to add the following snippets after # END WordPress. Before applying any of the snippets below, take a backup of your .htaccess file.

WordPress Security using .htaccess

Secure wp-config.php

The wp-config.php file contains the database connection details: the database name, database username, database password and database host.

#Secure wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Prevent Directory Browsing

The directory structure of a WordPress installation is well known, so anyone can guess where the installed plugins live. Directory browsing needs to be disabled so that you do not leak sensitive information such as which plugins you use.

# prevent directory browsing
Options All -Indexes

Restrict access to wp-content

The wp-content directory contains the themes, plugins and uploaded images. It needs to be protected against unauthorized access. This block denies everything except static assets, so it belongs in a separate .htaccess file inside the wp-content directory itself; a Deny from all placed in the root .htaccess would block index.php and with it every page of the site.

# restrict access to wp-content: deny everything except static assets
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Protect .htaccess File

The most important part of implementing WordPress security via .htaccess is protecting the .htaccess file itself. The following code prevents anyone from viewing a file whose extension begins with .hta (such as .htaccess).

#protect htaccess file
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Stop Spammers

Spammers use bots to post comment spam on your blog. Stopping them is a bit tricky, but many bots can be detected because their comment submissions carry no referrer (or no User-Agent at all).

#stop spammers
RewriteEngine On
# only comment submissions (POST to wp-comments-post.php)...
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ...whose referrer is not this blog, OR which send no User-Agent at all
RewriteCond %{HTTP_REFERER} !YourDomain\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# send the bot back to its own address
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

In the above code replace the “YourDomain.com” part with your own domain address.

Disable Hotlinking

Hotlinking is the practice of embedding images directly from another website or blog. The image requests are then served by your server, so the hotlinking site saves bandwidth at your expense. To protect the precious bandwidth of your blog you need to disable hotlinking.

#disable hotlinking
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain\.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
</IfModule>

In the above code replace the “YourDomain.com” part with your own domain address.
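The two referrer-based rules above (Stop Spammers and Disable Hotlinking) can be tried out against your access log before you enable them. The following Python script is an added example, not part of the original article: it parses Apache combined-format log lines and reports which requests the two rules would have blocked, with example.com standing in for YourDomain.com and the log lines constructed for the demonstration.

```python
import re

# Apache "combined" log line: ip ident user [time] "METHOD uri proto" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+)[^"]*" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
DOMAIN = "example.com"  # assumption: stands in for YourDomain.com in the article's rules
OWN_SITE = re.compile(r"^https?://(www\.)?" + re.escape(DOMAIN), re.IGNORECASE)
IMAGE = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    for key in ("referer", "ua"):  # Apache logs '-' for a missing header; treat it as empty
        req[key] = "" if req[key] == "-" else req[key]
    req["path"] = req["uri"].split("?", 1)[0]  # mod_rewrite's REQUEST_URI has no query string
    return req

def blocked_by_spam_rule(req):
    """POST to wp-comments-post.php AND (referer lacks our domain OR User-Agent empty)."""
    if req["method"] != "POST" or not req["path"].endswith("wp-comments-post.php"):
        return False
    return DOMAIN not in req["referer"] or req["ua"] == ""

def blocked_by_hotlink_rule(req):
    """Image request carrying a non-empty referer that is not our own site -> 403."""
    if not IMAGE.search(req["path"]) or req["referer"] == "":
        return False
    return OWN_SITE.match(req["referer"]) is None

def audit(lines):
    """Return (ip, path, rule) for every request the two rules would have blocked."""
    hits = []
    for req in filter(None, map(parse_line, lines)):
        if blocked_by_spam_rule(req):
            hits.append((req["ip"], req["path"], "spam"))
        elif blocked_by_hotlink_rule(req):
            hits.append((req["ip"], req["path"], "hotlink"))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2013:13:55:36 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [10/Oct/2013:13:55:37 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://example.com/hello-world/" "-"',
    '198.51.100.7 - - [10/Oct/2013:13:55:38 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://www.example.com/hello-world/" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Oct/2013:13:55:39 +0000] "GET /wp-content/uploads/photo.JPG?x=1 HTTP/1.1" 200 5120 "http://other.example.net/page" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Oct/2013:13:55:40 +0000] "GET /wp-content/uploads/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]
```

Running audit(SAMPLE_LOG) flags the two comment POSTs without a site referrer or User-Agent and the hotlinked JPG, while the legitimate comment and the direct image request pass.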

There are a number of other things you can do to implement WordPress security via the .htaccess file. In this article I have shared the code snippets that matter most for securing the installation folders and files.

If you have more tips or important code snippets, please share your WordPress security tips with us in the comments.


Comments (3)

  • wikipedia.org


    First of all I would like to say superb blog!
    I had a quick question which I’d like to ask if you do not mind.
    I was curious to know how you center yourself and clear your mind before writing.
    I have had trouble clearing my thoughts in getting my
    ideas out there. I do enjoy writing but it just seems like the first 10
    to 15 minutes are wasted simply just trying to
    figure out how to begin. Any ideas or tips? Kudos!


    • Tushar


      Thanks for the appreciation.
      See, it is difficult to start writing on some topic. Start with basic things like an introduction of the topic, then your thoughts and in the last a summary. Every topic of an article needs to have an introductory subject as it will be helpful for the first-time readers.


  • Yorinda Wanner


    The browsing, content and spammer code caused my site not to load.

    Glad to have the wp config and htaccess in place now!

    Thanks a lot!

