Cool WordPress .htaccess Tips to Boost Your WordPress Site’s Security

Categories: Blog Setup, Security, Site Optimization Tips

You have started a blog to share your opinion with the World Wide Web. Someone stumbles upon one of your articles, likes it, and posts it on Digg. Now it gets everyone’s attention. Visitors come pouring into your site and your revenue starts to go up. Definitely good news! But there is a catch: you are now a target for the ‘bad crowd’ of the Internet: spammers, hackers and leechers.

It’s time to toughen up your innocent little Wordpress site. The .htaccess file is the easiest and the cheapest (actually it’s free!) solution to secure a Wordpress blog.

What is a .htaccess File?

The .htaccess file is a configuration file for use on web servers running the Apache Web Server software. When a .htaccess file is placed in a directory which is in turn “loaded via the Apache Web Server”, then the .htaccess file is detected and executed by the Apache Web Server software. It is often used to specify the security restrictions for the particular directory.

In this article I’m going to show you how to strengthen your site’s security by adding/changing a few lines in this file.

Before you make any changes, it is a good idea to take a backup of your .htaccess. If something gets messed up, you can always replace the modified .htaccess with the original one.

Restrict Access to WP Admin directory by IP Address

If you are running a single-user blog, there is no reason to allow anyone else to reach the Wordpress administration panel. You can protect wp-admin from unauthorized access by listing your static IP address in the .htaccess (this only works if your IP address really is static). Here’s the trick:

# place this in a .htaccess inside the wp-admin directory
order deny,allow
# replace a.b.c.d with your static IP address (Apache only accepts comments on their own line)
allow from a.b.c.d
deny from all

Disable Hotlinking

Sometimes another site may link directly to images on your site. It saves them hard disk space, since they do not have to store the images, but your site ends up serving the requests for them, using up your precious bandwidth. This is known as ‘hotlinking’. To disable it you can add these lines to the .htaccess:

# disable hotlinking of images: return 403 Forbidden or serve a replacement image
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
# without this condition the replacement image itself matches the rule below
# (external referrer, .gif extension) and the browser is sent into a redirect loop
RewriteCond %{REQUEST_URI} !stealingisbad\.gif$
# option 1: refuse the request outright
#RewriteRule \.(gif|jpg)$ - [F]
# option 2: redirect to a replacement image
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]

Stop Spammers

Like hotlinkers, spammers are notorious for using up your site’s resources. There are a number of ways to identify a potential spammer. One of them is to detect requests with ‘no referrer’: spammers use bots to post comments on blogs, and those requests come from ‘nowhere’. Add these lines to stop the spammers:

# block comment POSTs that arrive with no referrer or no user agent
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# [OR] joins the next two conditions: referrer not from your blog OR empty user agent
RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# send the request back to the client's own address (the substitution is a URL, not a regex)
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
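Both rewrite snippets (the hotlink rule above and this spam rule) depend on how mod_rewrite combines RewriteCond lines, and a frequent question is whether the spam rule also catches search-engine crawlers. The following Python model is an added example, not code from the article: it re-implements only the AND/[OR] condition logic the two snippets use and runs it over constructed sample requests, including the replacement image case that loops without an excluding condition. The request() helper, the sample requests and the stealingisbad.gif exclusion are constructions for this example.

```python
import re

# Added example, not from the article: a small model of how mod_rewrite
# evaluates the page's hotlink and spam snippets. RewriteCond lines are
# ANDed, except that [OR] joins a condition with the next into an OR group.
def cond(var, pattern, flags=()):
    return (var, pattern, set(flags))

def match(c, req):
    var, pattern, flags = c
    negate = pattern.startswith("!")
    hit = re.search(pattern.lstrip("!"), req.get(var, ""), re.I if "NC" in flags else 0)
    return (hit is not None) != negate

def conds_pass(conds, req):
    group_ok = False                 # result of the current OR group so far
    for c in conds:
        group_ok = group_ok or match(c, req)
        if "OR" in c[2]:
            continue                 # [OR]: the group continues on the next line
        if not group_ok:
            return False             # a closed group failed: the rule does not fire
        group_ok = False
    return True

def rule_fires(conds, rule_pattern, req):   # RewriteRule pattern tested on REQUEST_URI
    return bool(re.search(rule_pattern, req["REQUEST_URI"])) and conds_pass(conds, req)
SPAM_CONDS = [cond("REQUEST_METHOD", "POST"),
              cond("REQUEST_URI", r"wp-comments-post\.php"),
              cond("HTTP_REFERER", "!.*yourblog.com.*", ["OR"]),
              cond("HTTP_USER_AGENT", "^$")]
def spam_rule_blocks(req):
    return rule_fires(SPAM_CONDS, ".*", req)
HOTLINK_CONDS = [cond("HTTP_REFERER", "!^$"),
                 cond("HTTP_REFERER", r"!^http://(www\.)?yourdomain.com/.*$", ["NC"])]
def hotlink_rule_redirects(req, exclude_replacement):
    conds = HOTLINK_CONDS[:]
    if exclude_replacement:          # the extra condition that stops the redirect loop
        conds.append(cond("REQUEST_URI", r"!stealingisbad\.gif$"))
    return rule_fires(conds, r"\.(gif|jpg)$", req)

def request(method, uri, referer, ua):   # constructed sample requests, not real traffic
    return {"REQUEST_METHOD": method, "REQUEST_URI": uri, "HTTP_REFERER": referer, "HTTP_USER_AGENT": ua}
BOT_POST = request("POST", "/wp-comments-post.php", "", "")
HUMAN_POST = request("POST", "/wp-comments-post.php", "http://yourblog.com/2009/post/", "Mozilla/5.0")
CRAWLER_GET = request("GET", "/2009/post/", "", "Googlebot/2.1")
HOTLINKED_IMG = request("GET", "/photo.jpg", "http://other.example/page", "Mozilla/5.0")
REPLACEMENT_IMG = request("GET", "/stealingisbad.gif", "http://other.example/page", "Mozilla/5.0")
```

A crawler's GET with no referrer never reaches the spam rule's OR group because the POST condition already fails, while the replacement image is redirected again and again unless the REQUEST_URI exclusion is present.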

Protect WP-Config

The wp-config.php file in your Wordpress installation contains some really important secrets, such as the database name, database username and password. You have no choice but to keep it secure.

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Disable Directory Browsing

Someone who knows the directory structure of a Wordpress installation may use that knowledge to do some damage. Besides, you should not let visitors see which plug-ins you are using.

# disable directory browsing
# use the relative form only: Apache rejects "Options All -Indexes" because
# options with and without +/- may not be mixed in one directive
Options -Indexes

Protect .htaccess itself!

The last thing you want, after spending so much time protecting your site with .htaccess, is to leave the file itself open to attack. The following hack prevents external access to any file starting with .hta:

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Better still, you can rename the .htaccess to any other name you like:

# rename htaccess files
# this directive belongs in the server configuration (e.g. httpd.conf), not in .htaccess itself
AccessFileName ht.access

That’s it for now. Remember to test, test and test every time you make changes to your .htaccess file (go to your site: is it still up?). Hope you find these tips useful. Happy blogging!

Tags: Security, Site Optimization Tips, Web development, web masters, Wordpress


16 Comments (and one trackback)

  • #1 by Towel on September 17, 2009 - 7:21 am

    Thank you Ruhul. Could you please tell us whether another line of code could be added to the .htaccess (to avoid spammer bots with no referrer) for an additional file, as per below as I edited it. It’s my contact form (TFmail by London Perl Mongers) script, through which I get spam emails.

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    # [OR] so that either script path matches; without it both URI conditions would have to match the same request
    RewriteCond %{REQUEST_URI} wp-comments-post\.php [OR]
    RewriteCond %{REQUEST_URI} cgi-bin/contact-form\.cgi
    RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

    # thank you very much.

  • #2 by Towel on September 17, 2009 - 8:08 pm

    Regarding my previous comment; I managed to get rid of all the spam with the bit of code added into my .htaccess file. I couldn’t figure out properly how to add the complete path to my cgi file, so I simply created another .htaccess file straight inside my cgi-bin directory folder: /cgi-bin/.htaccess

    I was wondering where all the requests go now, into a black hole, they stop to exist? Over night no spam came. Otherwise it’s about 10 to 20 emails per day. Anyway, thanks a lot. Today I will add some extra code that you’ve mentioned.

  • #3 by Rubayeet on September 21, 2009 - 6:58 pm

    @Towel – where do spam requests go? The hacks in the .htaccess ignore all POST requests with no referrer, so they don’t get stored anywhere. If you want to block spam and store it somewhere for analysis, you can use the Akismet plugin.

  • #4 by Ron C. Plute on October 8, 2009 - 12:07 pm

    Would that anti-spammer code also stop spiders and search engines? My site gets visits from both spiders and search engines, and they often have no referrer.

    Since that code blocks anyone with no referrer, won’t it also stop the engines?

  • #5 by admin on October 9, 2009 - 12:00 am

    Hi Ron, if you look at the spam blocking rules, you’ll notice they only block POST requests on the URI wp-comments-post.php. Since spiders/crawlers don’t do that, you have no fear of blocking the search engines out of your site.

  • #6 by mugger on November 14, 2009 - 1:14 pm

    Does the code to rename .htaccess
    `# rename htaccess files
    AccessFileName ht.access`
    reside in ht.access or in a separate .htaccess?

  • #7 by Jay on December 8, 2009 - 6:28 pm

    Nice article – thanks!

    Got the following questions:
    1 – I use the WP Security Scan plugin (by Semper Fi) – it tells that one thing is incorrect: “The file .htaccess does not exist in wp-admin/. ” Now, what do I put in that file? I contacted him last year, I searched all his documentation (which is lacking for this item) and that is how I ended up on your site.
    2 – Do I need any other .htaccess files – if yes, where do I put them (root?), what do I put in them and what CHMOD do they get?
    3 – As Mugger asked before, how do you apply the renaming? Where do you put what?

  • #8 by admin on December 9, 2009 - 5:49 am

    Please note that playing around with the .htaccess file is dangerous, so handle with care.

    You can put the content explained in the “Restrict Access to WP Admin directory by IP Address” section in a .htaccess file and put it in the “wp-admin” directory. You will obviously have to modify the a.b.c.d to your IP address (don’t do this if you don’t have static IP address).

    Regarding file permissions… here is a general rule of thumb: files should have a permission of 644 and directories should have a permission of 755.

  • #9 by Jay on December 9, 2009 - 6:19 am

    Thank you! I don’t have a static IP address, so I need to put something else in the .htaccess in the Admin folder?

    Ok, good CHMOD rule.

    Renaming: you mention in the last line of your article:

    “Better still, you can rename the .htaccess to any other name you like

    # rename htaccess files
    AccessFileName ht.access”

  • #10 by admin on December 9, 2009 - 8:03 am

    LOL… okay okay I will tell you :)

    By default the filename for access control is .htaccess. This is the file that “Apache” will look up to see what restrictions are specified, and then it will control the access accordingly when a client makes a request to access your site through the browser.

    When you have protection in place, the hackers know that it is specified in this file, so they will try to attack this file so the protection can be destroyed. You can specify a different name for this access control file in the server configuration file (e.g. httpd.conf, access.conf etc) and “Apache” will look up that file instead. This way anyone from outside has no way of knowing which file to attack, because they can’t guess the name of it.

    Your server will have other security measures in place so this is not really necessary and in some cases not doable if you don’t have a dedicated server. This is something good to know and do it if you are running your own server from your home PC and you don’t really have a lot of other security measures in place.

  • #11 by Jay on December 9, 2009 - 8:39 am

    Sooooooo, not having a static IP Address, not being able to block that address in .htaccess file in Admin folder, what do I put in that file to secure that folder?

    I now understand the renaming, but that doesn’t apply to me either, as I don’t have my own server – but yes, good tip, makes sense!

  • #12 by admin on December 9, 2009 - 7:07 pm

    If you don’t have static IP then you can’t really restrict by IP so don’t bother putting anything there. Try the login lockdown plugin to add a bit more login protection.

  • #13 by Jay on December 9, 2009 - 7:37 pm

    I use this one: http://alkivia.org/wordpress/capsman/ – it allows me to remove the default admin-account. Will check your suggestion.

    The WP -security-scan keeps telling me there is no .htaccess in the WP-Admin dir. – so just ignore it then? Not even some basic code in there?

  • #14 by Charles on January 4, 2010 - 10:16 am

    Interesting stuff, for a non-coder like me.

    In these text snippets, do we replace “?’yourdomain.com” and “!.*yourblog.com.*”
    with our own domain names—or do these work as is when dropped into our .htaccess file???

    Thank you,
    Charles

  • #15 by Charles on January 4, 2010 - 10:39 am

    Oh, and what does “stealingisbad.gif” mean in the ‘disable hotlinking’ code?
    Is that an image we need to create and upload via FTP in order for disabling of hotlinking to work?

    Thanks,
    Charles

  • #16 by admin on January 5, 2010 - 2:49 am

    @Charles, yes you need to replace them with your own domain name. “stealingisbad.gif” is just an image that will be displayed instead of the actual image when someone tries to hotlink. This image can have any message you want.
