Cool WordPress .htaccess Tips to Boost Your WordPress Site’s Security

You have started a blog to share your opinion with the World Wide Web. Someone stumbles upon one of your articles. He likes it, and posts it on Digg. Now it gets everyone’s attention. Visitors come pouring into your site. Your revenue starts to go up. Definitely good news! But now there is a catch. You are now the target of the ‘bad crowd’ of the Internet, spammers, hackers and leechers.

It’s time to toughen up your innocent little WordPress site. The .htaccess file is the easiest and the cheapest (actually it’s free!) solution to secure a WordPress blog.

Many of the tips covered in this article are offered as features in our WordPress Security Plugin.

What is a .htaccess File?

The .htaccess file is a per-directory configuration file for web servers running the Apache Web Server software. When a .htaccess file is placed in a directory that Apache serves, Apache reads it and applies its directives to that directory. It is often used to specify access restrictions for that particular directory.

In this article I’m going to show you how to strengthen your site’s security by adding/changing a few lines in this file.

Before you make any changes, it is a good idea to take a backup of your .htaccess. If something gets messed up, you can always replace the broken .htaccess with the backup.

Restrict Access to WP Admin directory by IP Address

If you are running a single-user blog, there is no reason to let anyone else reach the WordPress administration panel. You can protect wp-admin from unauthorized access by placing a .htaccess file in the wp-admin directory that allows only your static IP address. Here's the trick:

# a.b.c.d is your static IP (Apache does not allow a comment on the same line as a directive)
order deny,allow
allow from a.b.c.d
deny from all

Disable Hotlinking

Sometimes another site will link directly to images on your site. That site saves disk space by not storing the images, but your server ends up serving every request for them, using up your precious bandwidth. This is known as 'hotlinking'. To disable it, add these lines to the .htaccess:

# disable hotlinking of images: serve a custom image (or uncomment the [F] rule to send 403 instead)
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
# do not redirect the replacement image itself, or the redirect loops
RewriteCond %{REQUEST_URI} !stealingisbad\.gif$
#RewriteRule \.(gif|jpg)$ - [F]
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]

Stop Spammers

Like hotlinkers, spammers are notorious for using up your site's resources. There are a number of ways to identify a potential spammer; one of them is to detect comment submissions with no referrer. Spammers use bots to post comments on blogs, and those requests come from 'nowhere'. Add these lines to stop them:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !yourblog\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# the substitution is a URL, not a regex, so it takes no ^ or $
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
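Added example (not part of the article and not Apache's code): a small Python model of the mod_rewrite conditions used by the hotlinking and spam snippets above, run over constructed requests to show that a crawler sending no referrer is left alone while a referrer-less POST to wp-comments-post.php is redirected, and that the replacement image does not redirect to itself. The domain yourdomain.com and the sample addresses are placeholders.

```python
"""Added example (not Apache's code, not from the article): a tiny model of the
mod_rewrite semantics the hotlink and spam rules above rely on (ordered ANDed
RewriteConds, [OR], [NC], ! negation, RewriteRule [F]/[R]) to see who gets hit."""
import re
# The two rule sets with a placeholder domain, plus a guard against a redirect loop.
RULES = r"""
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/ [NC]
RewriteCond %{REQUEST_URI} !stealingisbad\.gif$
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !yourdomain\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
"""

def parse(text):
    chains, conds = [], []  # each chain: (conds, pattern, substitution, flags)
    for parts in (line.split() for line in text.splitlines()):
        if not parts or parts[0].startswith("#"):
            continue
        flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
        if parts[0] == "RewriteCond":
            conds.append((parts[1], parts[2], flags))
        elif parts[0] == "RewriteRule":
            chains.append((conds, parts[1], parts[2], flags))
            conds = []
    return chains

def cond_holds(var, pattern, flags, req):
    value = req.get(var.strip("%{}"), "")
    hit = re.search(pattern.lstrip("!"), value, re.I if "NC" in flags else 0)
    return (hit is not None) != pattern.startswith("!")

def conds_hold(conds, req):
    """Apache ANDs conditions in order; [OR] joins one with the next."""
    result, group = True, False
    for var, pattern, flags in conds:
        group = group or cond_holds(var, pattern, flags, req)
        if "OR" not in flags:
            result, group = result and group, False
    return result

def decide(req, rules=RULES):
    """Return 'forbidden', 'redirect:<url>' or 'pass' for a request dict."""
    for conds, pattern, subst, flags in parse(rules):
        if re.search(pattern, req.get("REQUEST_URI", "")) and conds_hold(conds, req):
            return "forbidden" if "F" in flags else "redirect:" + re.sub(r"%\{(\w+)\}", lambda m: req.get(m.group(1), ""), subst)
    return "pass"

# Constructed sample requests (203.0.113.0/24 is a documentation range).
SPAM_BOT = {"REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-comments-post.php",
            "HTTP_USER_AGENT": "", "REMOTE_ADDR": "203.0.113.9"}
CRAWLER = {"REQUEST_METHOD": "GET", "REQUEST_URI": "/2010/post/"}  # no referrer, no UA
HOTLINK = {"REQUEST_METHOD": "GET", "REQUEST_URI": "/wp-content/uploads/a.jpg",
           "HTTP_REFERER": "http://other.example/"}
```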

Protect WP-Config

The wp-config.php file in your WordPress installation contains some really important secrets, such as the database name, database username and password. You have no choice but to keep it secure.

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Disable Directory Browsing

Someone who knows the directory structure of a WordPress installation may use that knowledge to do some damage. Besides, you should not let them see which plug-ins you are using.

# disable directory browsing (do not write "Options All -Indexes": Apache rejects mixing bare options with +/- ones)
Options -Indexes

Protect .htaccess itself!

The last thing you want, after spending so much time protecting your site with .htaccess, is to leave the file itself open to attack. The following hack prevents external access to any file starting with .hta:

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Better still, you can rename the .htaccess file to any other name you like. Note that AccessFileName only works in the main server configuration (for example httpd.conf), not inside .htaccess itself, so this needs your own server:

# rename htaccess files
AccessFileName ht.access

That's it for now. Remember to test, test and test every time you make changes to your .htaccess file (go to your site: is it still up?). Hope you find these tips useful. Happy blogging!


Comments (54 responses)

  1. admin says:

    @David, you can add the code anywhere in the file. Adding it at the top is probably better though.

  2. David Turner says:

    If I want to edit my site from multiple locations, and therefore IP addresses, I don't think I can use that first hack. I really want to protect my .htaccess file but if it means I could only then edit my site from one location I would rather not change anything.

    When you paste in this new code to the file, does it matter where you put it? Should it always go at the bottom, to be the latest thing added, or at the top?

  3. Ledio says:

    Excellent tips. One needs to be cautious, however. There are some WP plugins which would need access to .htaccess, e.g. W3TC Browser Cache

  4. Firdaus says:

    Wow ! Thank you very much.
    I was just searching what I got here. Now I can use these for my WordPress website.

    # Thanks again .

  5. These are great & useful resources. It is the first time I have encountered many of these plugins. I already have 4 plugins installed in my site. I will check which one or two I can add

  6. Nathan says:

    I wasn’t aware you can block directory browsing with the htaccess file. Thank you very much!

  7. candra says:

    Nice post sir, thank you very much.

    Candra

  8. Green Group says:

    Nice topic. Thank You for sharing :)

    would add:

    # disable the server signature
    ServerSignature Off

    # limit file uploads to 10mb
    LimitRequestBody 10240000

  9. T.v Serials says:

    These are great & useful resources. It is the first time I have encountered many of these plugins. I already have 4 plugins installed in my site. I will check which one or two I can add. Glad I came across your site. Many Thanks!

  10. John Gamings says:

    Hmm these are pretty interesting. The only time I’ve ever had to modify my htaccess was in order to redirect http://mysite.com to http://www.mysite.com, I never knew there were so many more things you could do with the htaccess file that could be of value

  11. admin says:

    Yeah, if your site is up and running then everything should be fine. The tips mentioned in this article do not affect your SEO.

  12. omthoke says:

    After making changes, if my site is up does it mean everything is ok (leaving security issues aside) — is there a chance that it could affect SEO of my site??

    I mean I am not talking about filling some unwanted gibberish inside the .htaccess file of course, but with these steps, and trying to add some extra security :)

  13. Alex says:

    I really like this blog and this topic.. This blog really helping me as a newbie..
    Thanks for sharing…

  14. Rich says:

    Ah nice one! Thanks!

  15. kath says:

    The post is really useful, I really appreciate you sharing the information. Thank You.

  16. joe says:

    That is what's confusing me. Can I not just create an instruction within .htaccess in the WordPress root to not allow anyone but me to access wp-admin? Why do I need a separate .htaccess file in the wp-admin folder too?

    It's actually pointless for me anyway. My IP is dynamic and therefore the .htaccess route isn't an option. But it would be good to know for future reference.

    I've read the article you referred to and think I will install AskApache Password Protect (is this the same as password protecting a folder in cPanel?). To further protect any vulnerabilities from my installed plugins I'll add a blank html file.

    Thank you so much for the information. I'm a newbie blogger and really appreciate the information you provide! Thanks!!

  17. admin says:

    Basically, a .htaccess file allows you (the admin) to put restrictions on how a folder/file can be accessed from the web browser. Yes, the .htaccess file in your WordPress root is what matters as far as this article is concerned.

    Placing an empty .htaccess file in the wp-admin directory won't do anything. The security scan plugin is basically telling you to put a .htaccess file in the wp-admin directory with various conditions so nobody but you can access the "wp-admin" of your site (this makes it so no one but you can browse to that directory, so you don't even have to worry about someone trying to hack into your admin). This post will explain this in detail:

    http://www.tipsandtricks-hq.com/essential-wordpress-security-tips-is-your-blog-protected-987

  18. joe says:

    I think I am understanding. So I can place a blank .htaccess file in wp-admin to improve security, because it will put a potential hacker off track? While the .htaccess file in my root contains all the important instructions? i.e. blocking IP addresses, blocking access to folders etc.

    So for instance, to prevent comment spammers I should include the code below within my mysite.com/blog/.htaccess file? or my mysite.com/.htaccess?

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} wp-comments-post\.php
    RewriteCond %{HTTP_REFERER} !yourblog\.com [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

  19. admin says:

    What you have is correct. The security scan plugin complains if you don’t have a .htaccess file in the “wp-admin” directory because having a .htaccess file in the “wp-admin” directory can add additional security. The .htaccess file in the “wp-admin” directory is only for security and not to be confused with the site speedup.

    You can put a .htaccess file in every folder on your site for security purpose but the tips shared on this article only deals with speeding up your site and refers to the main .htaccess file which is in the root of your WordPress installation. Does that make sense?

  20. joe says:

    Thanks for the prompt reply.

    I run a site which has .htaccess file in the root. (I believe this was done within cPanel, because there are a number of IP addresses I’ve blocked).

    I am also running a blog via a sub-folder (lets say http://www.mysite.com/blog/). I’ve installed WP Security Scan plugin for the blog and it reveals the following.

    “Security”: The file .htaccess does not exist in wp-admin/.
    “Scanner”: htaccess permission 644

    I do not have a .htaccess file in my /blog/wp-admin directory, but I do have one in /blog/

    Should I move the .htaccess file from /blog/ to /blog/wp-admin? or should I create a new .htaccess for the wp-admin folder?

    Very confused.

    The .htaccess file in /blog/wp-admin looks like this:

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /blog/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /blog/index.php [L]

    # END WordPress

    Thanks.

  21. admin says:

    There should be a .htaccess file in the “public_html” folder.

  22. joe says:

    Which .htaccess do you edit? I mean to say, in which folder is this file?

  23. etehngadget says:

    very useful tips, Thanks for Share

  24. pestwave says:

    quite useful tips, thanks.

  25. Katie Dawson says:

    Thanks for this. Articles like yours really do help non-coders like me learn and to be able to manage it myself. Keep up the good work and continue sharing your knowledge (please?!?!) Thanks

  26. Tyranothaqua says:

    Hello all, just like to say Hi! to everyone and introduce myself. I've been in the Internet biz for over 13 years, literally sitting on the same Herman Miller chair purchased back in the 90's.

    Thanks to the Admin, I enjoy reading for a long time, thanks guys.. Cool forum is what I say and keep the good work.

  27. Amal Roy says:

    Thanks a lot friend. I have followed 3 of the tips to secure my htaccess file.

  28. fry says:

    thanks!

  29. admin says:

    Putting them “Before” is fine.

  30. fry says:

    Great tips, but just one question that I haven’t found an answer to yet. Would I put the above directives before, after, or inside the WordPress sections? What I mean by inside the wordpress sections is that the .htaccess would say “# BEGIN WordPress” then there are directives until “# END WordPress”.

  31. Ricote says:

    It is a great list but I think modern spammers surf with referrer like Internet explorer 6 or similar

  32. Excellent set of tips! I assume protecting folders from your htaccess should be faster and more secure than installing WordPress security plugins. I will definitely try it, thanks

  33. Peter Moss says:

    Not so much security issue, but I would add 301 redirects from non-www to www requests and cache control headers for all static images.

    Peter

  34. james says:

    No, I host the image somewhere on my site and I give them a link referring the image back to my site. Still, will it block the other site from showing the image on their site?
    Thanks

  35. admin says:

    If the Image is used from an external site then yes.

  36. James says:

    Very good tips! I just incorporated them in my .htaccess. My question is: Would the "Disable Hotlinking" also prevent link exchange, if I have an image that I host in my linking code?
    Thanks

  37. admin says:

    @Charles, yes you need to replace them with your own domain name. “stealingisbad.gif” is just an image that will be displayed instead of the actual image when someone tries to hotlink. This image can have any message you want.

  38. Charles says:

    Oh, and what does “stealingisbad.gif” mean in the ‘disable hotlinking’ code?
    Is that an image we need to create and upload via FTP in order for disabling of hotlinking to work?

    Thanks,
    Charles

  39. Charles says:

    Interesting stuff, for a non-coder like me.

    In these text snippets, do we replace “?’yourdomain.com” and “!.*yourblog.com.*”
    with our own domain names—or do these work as is when dropped into our .htaccess file???

    Thank you,
    Charles

  40. Jay says:

    I use this one: http://alkivia.org/wordpress/capsman/ – it allows me to remove the default admin-account. Will check your suggestion.

    The WP -security-scan keeps telling me there is no .htaccess in the WP-Admin dir. – so just ignore it then? Not even some basic code in there?

  41. admin says:

    If you don’t have static IP then you can’t really restrict by IP so don’t bother putting anything there. Try the login lockdown plugin to add a bit more login protection.

  42. Jay says:

    Sooooooo, not having a static IP Address, not being able to block that address in .htaccess file in Admin folder, what do I put in that file to secure that folder?

    I now understand the renaming, but that doesn’t apply to me either, as I don’t have my own server – but yes, good tip, makes sense!

  43. admin says:

    LOL… okay okay I will tell you :)

    By default the filename for access control is .htaccess. This is the file that "Apache" will look up to see what restrictions are specified, and then it will control the access accordingly when a client makes a request to access your site through the browser.

    When you have protection in place the hackers know that it is specified in this file, so they will try to attack this file so the protection can be destroyed. You can specify a different name for this access control file in the server configuration file (e.g. httpd.conf, access.conf etc.) and "Apache" will look up that file instead. This way anyone from outside has no way of knowing which file to attack because they can't guess the name of it.

    Your server will have other security measures in place so this is not really necessary and in some cases not doable if you don’t have a dedicated server. This is something good to know and do it if you are running your own server from your home PC and you don’t really have a lot of other security measures in place.

  44. Jay says:

    Thank you! I don’t have a static IP address, so I need to put something else in the .htaccess in the Admin folder?

    Ok, good CHMOD rule.

    Renaming: you mention in the last line of your article:

    “Better still, you can rename the .htaccess to any other name you like

    # rename htaccess files
    AccessFileName ht.access”

  45. admin says:

    Please note that playing around with .htaccess file is dangerous so handle with care.

    You can put the content explained in the “Restrict Access to WP Admin directory by IP Address” section in a .htaccess file and put it in the “wp-admin” directory. You will obviously have to modify the a.b.c.d to your IP address (don’t do this if you don’t have static IP address).

    Regarding file permission… here is a general rule of thumb… files should have a permission of 644 and directories should have a permission of 755

  46. Jay says:

    Nice article – thanks!

    Got the following questions:
    1 – I use the WP Security Scan plugin (by Semper Fi) – it tells that one thing is incorrect: “The file .htaccess does not exist in wp-admin/. ” Now, what do I put in that file? I contacted him last year, I searched all his documentation (which is lacking for this item) and that is how I ended up on your site.
    2 – Do I need any other .htaccess files – if yes, where do I put them (root?), what do I put in them and what CHMOD do they get?
    3 – As Mugger asked before, how do you apply the renaming? Where do you put what?

  47. mugger says:

    Does the code to rename .htaccess
    `# rename htaccess files
    AccessFileName ht.access`
    reside in ht.access or in a separate .htaccess?

  48. admin says:

    Hi Ron, If you look at the spam blocking rules, you’ll notice it’ll only block POST requests, on the URI wp-comments-post.php. Since spiders/crawlers don’t do that, you have no fear of blocking the search engines out of your site.

  49. Ron C. Plute says:

    Would that anti-spammer code also stop spiders and search engines? My site gets visits from both spiders and search engines, and they often have no referrer.

    Since that code blocks anyone with no referrer then won’t it also stop the engines.

  50. Rubayeet says:

    @Towel – where do spam requests go? The hacks in the .htaccess ignore all POST requests without a referrer, so they don't get stored anywhere. If you want to block spam and store it somewhere for analysis, you can use the Akismet plugin.
