Tips and Tricks HQ
Cool WordPress .htaccess Tips to Boost Your WordPress Site’s Security


Last updated: August 4, 2013





You have started a blog to share your opinion with the World Wide Web. Someone stumbles upon one of your articles, likes it, and posts it on Digg. Now it gets everyone’s attention. Visitors come pouring into your site. Your revenue starts to go up. Definitely good news! But now there is a catch: you are now the target of the ‘bad crowd’ of the Internet, the spammers, hackers and leechers.

It’s time to toughen up your innocent little WordPress site. The .htaccess file is the easiest and the cheapest (actually it’s free!) solution to secure a WordPress blog.

Many of the tips covered in this article are offered as features in our WordPress Security Plugin.

What is a .htaccess File?

The .htaccess file is a per-directory configuration file for web servers running the Apache Web Server software. When a .htaccess file is placed in a directory that Apache serves, Apache detects it and applies the directives in it to that directory. It is often used to specify security restrictions for that particular directory.



In this article I’m going to show you how to strengthen your site’s security by adding/changing a few lines in this file.

Before you make any changes, it is a good idea to take a backup of your .htaccess. If something gets messed up, you can always replace the edited .htaccess with the original one.

Restrict Access to WP Admin directory by IP Address

If you are running a single-user blog, there is no reason to let anyone else reach the WordPress administration panel. You can protect wp-admin from unauthorized access by listing your static IP address in a .htaccess file placed inside the wp-admin directory. Here’s the trick:

# Replace a.b.c.d with your static IP address (Apache 2.2 syntax;
# a comment cannot share a line with a directive)
order deny,allow
deny from all
allow from a.b.c.d

Disable Hotlinking

Sometimes another site links directly to images hosted on your site. It saves them disk space, because they do not have to store the images, but your server ends up serving every request for them, using up your precious bandwidth. This is known as ‘hotlinking’. To stop it, add these lines to the .htaccess:

# disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
# never rewrite the replacement image itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/stealingisbad\.gif$
# either answer with 403 Forbidden ...
#RewriteRule \.(gif|jpg)$ - [F]
# ... or redirect to a custom image of your own
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]

Stop Spammers

Like hotlinkers, spammers are notorious for using up your site’s resources. There are a number of ways to identify a potential spammer. One of them is to detect requests with ‘no referrer’: spammers use bots to post comments on blogs, and those requests come from ‘nowhere’. Add these lines to stop the spammers:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
# [OR] joins only these two conditions: referrer not from your blog, or empty user agent
RewriteCond %{HTTP_REFERER} !.*yourblog\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# send the request back to the client's own address
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
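To see exactly which requests the two rule sets above catch, the following simulation (added here; it is not part of the original article) transcribes the RewriteCond/RewriteRule logic of the hotlinking and comment-spam blocks into Python and runs it over constructed requests. It assumes one placeholder site name, `yourdomain.com`, for both blocks, and excludes the replacement image from the hotlink rule so that the redirect cannot loop.

```python
import re

# Placeholder site name (the article uses "yourdomain.com" and "yourblog.com";
# assumed here to be the same site).
SITE = "yourdomain.com"

# Disable Hotlinking: patterns transcribed from the article's directives
OWN_REFERER = re.compile(r"^http://(www\.)?" + re.escape(SITE) + r"/.*$", re.IGNORECASE)  # [NC]
IMAGE_RULE = re.compile(r"\.(gif|jpg)$")   # case-sensitive: the RewriteRule has no [NC]
REPLACEMENT = "/stealingisbad.gif"         # image the rule redirects to

# Stop Spammers: patterns transcribed from the article's directives
COMMENT_ENDPOINT = re.compile(r"/wp-comments-post\.php")
SITE_REFERER = re.compile(r".*" + re.escape(SITE) + r".*")


def hotlink_action(method, path, referer, user_agent):
    """Return 'serve' or 'redirect'. All RewriteCond lines are ANDed."""
    if referer == "":                   # RewriteCond %{HTTP_REFERER} !^$
        return "serve"
    if OWN_REFERER.match(referer):      # RewriteCond %{HTTP_REFERER} !^http://(www\.)?site/.*$ [NC]
        return "serve"
    if path == REPLACEMENT:             # exclusion so the replacement image never loops
        return "serve"
    if IMAGE_RULE.search(path):         # RewriteRule \.(gif|jpg)$ ... [R,L]
        return "redirect"
    return "serve"


def spam_action(method, path, referer, user_agent):
    """Return 'allow' or 'redirect'.

    [OR] joins only the referer test and the user-agent test, so the rule
    fires for: POST AND comment endpoint AND (foreign referer OR empty UA).
    """
    if method != "POST":                        # RewriteCond %{REQUEST_METHOD} POST
        return "allow"
    if not COMMENT_ENDPOINT.search(path):       # RewriteCond %{REQUEST_URI} wp-comments-post.php
        return "allow"
    foreign_referer = not SITE_REFERER.search(referer)   # RewriteCond !.*site.* [OR]
    empty_user_agent = user_agent == ""                  # RewriteCond %{HTTP_USER_AGENT} ^$
    if foreign_referer or empty_user_agent:
        return "redirect"                                # RewriteRule ... [R=301,L]
    return "allow"


# Constructed sample requests: (label, method, path, referer, user_agent)
SAMPLE_REQUESTS = [
    ("own page embeds image",      "GET",  "/uploads/photo.jpg",    "http://www.yourdomain.com/post/", "Mozilla/5.0"),
    ("hotlinked from elsewhere",   "GET",  "/uploads/photo.jpg",    "http://other.example/page",       "Mozilla/5.0"),
    ("typed URL, no referer",      "GET",  "/uploads/photo.jpg",    "",                                "Mozilla/5.0"),
    ("uppercase extension",        "GET",  "/uploads/PHOTO.JPG",    "http://other.example/page",       "Mozilla/5.0"),
    ("crawler fetching a post",    "GET",  "/2010/some-post/",      "",                                "Googlebot/2.1"),
    ("real comment from a page",   "POST", "/wp-comments-post.php", "http://yourdomain.com/post/",     "Mozilla/5.0"),
    ("bot, no referer, no UA",     "POST", "/wp-comments-post.php", "",                                ""),
    ("valid referer, empty UA",    "POST", "/wp-comments-post.php", "http://yourdomain.com/post/",     ""),
]


def evaluate(requests=SAMPLE_REQUESTS):
    """Run both rule sets over the requests; returns {label: (hotlink, spam)}."""
    return {label: (hotlink_action(*req), spam_action(*req)) for label, *req in requests}


if __name__ == "__main__":
    for label, (hotlink, spam) in evaluate().items():
        print(f"{label:28} hotlink={hotlink:9} spam={spam}")
```

Two things the table makes visible: a crawler's GET with no referrer is untouched by the spam rule because it only matches POSTs to the comment endpoint, and an uppercase `.JPG` slips past the hotlink rule because that RewriteRule is case-sensitive unless you add [NC].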

Protect WP-Config

The wp-config.php file in your WordPress installation contains some very important secrets, such as the database name, database username and password. You have no choice but to keep it secure.

# protect wp-config.php (Apache 2.2 syntax; on Apache 2.4 use "Require all denied")
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Disable Directory Browsing

Someone who knows the directory structure of a WordPress installation may use that knowledge to do some damage. Besides, you should not let them know which plug-ins you are using.

# disable directory browsing
Options All -Indexes

Protect .htaccess itself!

The last thing you want, after spending so much time protecting your site with .htaccess, is to leave the file itself open to attack. The following hack prevents external access to any file whose name starts with .hta:

# deny web access to .htaccess, .htpasswd and similar files
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Better still, you can rename the .htaccess to any other name you like. This directive goes in the main server configuration (e.g. httpd.conf), not in .htaccess itself:

# rename htaccess files (server configuration, not .htaccess)
AccessFileName ht.access

That’s it for now. Remember to test, test and test every time you make changes to your .htaccess file (go to your site: is it still up?). Hope you find these tips useful. Happy blogging!



Comments (52 responses)

  1. Ledio says:
    February 17, 2013 at 10:21 am

    Excellent tips. One needs to be cautious, however. There are some WP plugins which would need access to .htaccess, e.g. W3TC Browser Cache

  2. Firdaus says:
    August 6, 2012 at 1:38 am

    Wow ! Thank you very much.
    I was just searching what I got here. Now I can use these for my WordPress website.

    # Thanks again .

  3. All Hit serials says:
    October 18, 2011 at 7:26 am

    These are great & useful resources. It is the first time I have encountered many of these plugins. I already have 4 plugins installed on my site. I will check which one or two I can add

  4. Nathan says:
    June 3, 2011 at 11:00 am

    I wasn’t aware you can block directory browsing with the htaccess file. Thank you very much!

  5. candra says:
    May 26, 2011 at 10:34 am

    Nice post sir, thank you very much.

    Candra

  6. Green Group says:
    February 1, 2011 at 9:54 pm

    Nice topic. Thank You for sharing :)

    would add:

    # disable the server signature
    ServerSignature Off

    # limit file uploads to 10mb
    LimitRequestBody 10240000

  7. T.v Serials says:
    January 30, 2011 at 3:38 am

    These are great & useful resources. It is the first time I have encountered many of these plugins. I already have 4 plugins installed on my site. I will check which one or two I can add. Glad I came across your site. Many Thanks!

  8. John Gamings says:
    January 3, 2011 at 10:54 am

    Hmm these are pretty interesting. The only time I’ve ever had to modify my htaccess was in order to redirect http://mysite.com to http://www.mysite.com, I never knew there were so many more things you could do with the htaccess file that could be of value

  9. admin says:
    December 20, 2010 at 9:48 pm

    Yeah if your site is up and running then everything should be fine. Tips mentioned in this article does not affect your SEO.

  10. omthoke says:
    December 20, 2010 at 5:17 pm

    After making changes, if my site is up does it mean everything is ok (leaving security issues aside) — is there a chance that it could affect SEO of my site??

    I mean I am not talking about filling some unwanted gibberish inside the .htaccess file of course, but with these steps, and trying to add some extra security :)

  11. Alex says:
    November 28, 2010 at 12:38 pm

    I really like this blog and this topic.. This blog really helping me as a newbie..
    Thanks for sharing…

  12. Rich says:
    November 5, 2010 at 12:20 pm

    Ah nice one! Thanks!

  13. kath says:
    October 7, 2010 at 7:39 am

    The post is really useful, i really appreciate for sharing the information. Thank You.

  14. joe says:
    September 27, 2010 at 3:58 pm

    That is whats confusing me. Can I not just create an instruction within .htaccess in the wordpress to not allow anyone but me to access wp-admin? Why do I need a separate .htaccess file in the wp-admin folder too?

    It’s actually pointless for me anyway. My IP is dynamic and therefore the .htaccess route isn’t an option. But it would be good to know for future reference.

    I’ve read the article you referred to and think I will install AskApache Password Protect (is this the same as password protecting a folder in cPanel?). To further protect any vulnerabilities from my installed plugins I’ll add a blank html file.

    Thank you so much for the information. I’m a newbie blogger and really appreciate the information you provide! Thanks!!

  15. admin says:
    September 26, 2010 at 12:43 am

    Basically, a .htaccess file allows you (the admin) to put restrictions on how a folder/file can be accessed from the web browser. Yes, the .htaccess file in your WordPress root is what matters as far as this article is concerned.

    Placing an empty .htaccess file in the wp-admin directory won’t do anything. The security scan plugin is basically telling you to put a .htaccess file in the wp-admin directory with various conditions so nobody but you can access the “wp-admin” of your site (This makes it so no one but you can browse to that directory so you don’t even have to worry about someone trying to hack into your admin. This post will explain this in detail:

    https://www.tipsandtricks-hq.com/essential-wordpress-security-tips-is-your-blog-protected-987

  16. joe says:
    September 25, 2010 at 11:50 am

    I think I am understanding. So I can place a blank .htaccess file in wp-admin to improve security, because it will put a potential hacker off track? While the .htaccess file in my root contains all the important instructions? i.e. blocking IP address, block access to folders etc.

    So for instance, to prevent comment spammers I should include the code below within my mysite.com/blog/.htaccess file? or my mysite.com/.htaccess?

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

  17. admin says:
    September 25, 2010 at 12:19 am

    What you have is correct. The security scan plugin complains if you don’t have a .htaccess file in the “wp-admin” directory because having a .htaccess file in the “wp-admin” directory can add additional security. The .htaccess file in the “wp-admin” directory is only for security and not to be confused with the site speedup.

    You can put a .htaccess file in every folder on your site for security purpose but the tips shared on this article only deals with speeding up your site and refers to the main .htaccess file which is in the root of your WordPress installation. Does that make sense?

  18. joe says:
    September 24, 2010 at 3:48 pm

    Thanks for the prompt reply.

    I run a site which has .htaccess file in the root. (I believe this was done within cPanel, because there are a number of IP addresses I’ve blocked).

    I am also running a blog via a sub-folder (lets say http://www.mysite.com/blog/). I’ve installed WP Security Scan plugin for the blog and it reveals the following.

    “Security”: The file .htaccess does not exist in wp-admin/.
    “Scanner”: htaccess permission 644

    I do not have a .htaccess file in my /blog/wp-admin directory, but I do have one in /blog/

    Should I move the .htaccess file from /blog/ to /blog/wp-admin? or should I create a new .htaccess for the wp-admin folder?

    Very confused.

    The .htaccess file in /blog/wp-admin looks like this:

    # BEGIN WordPress

    RewriteEngine On
    RewriteBase /blog/
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /blog/index.php [L]

    # END WordPress

    Thanks.

  19. admin says:
    September 19, 2010 at 2:16 am

    There should be a .htaccess file in the “public_html” folder.

  20. joe says:
    September 18, 2010 at 6:59 am

    Which .htaccess do you edit? I mean to say, in which folder is this file?

  21. etehngadget says:
    September 13, 2010 at 6:37 am

    very useful tips, Thanks for Share

  22. pestwave says:
    September 1, 2010 at 11:24 am

    quite useful tips, thanks.

  23. Katie Dawson says:
    August 31, 2010 at 5:04 am

    Thanks for this. Articles like yours really do help non-coders like me learn and to be able to manage it myself. Keep up the good work and continue sharing your knowledge (please?!?!) Thanks

  24. Tyranothaqua says:
    May 14, 2010 at 2:06 pm

    Hello all, just like to say Hi! to everyone and introduce myself. I’ve been in the Internet biz for over 13 years, literally sitting on the same Herman Miller chair purchased back in the 90’s.

    Thanks to the Admin, I enjoy reading for a long time, thanks guys.. Cool forum is what I say and keep the good work.

  25. Amal Roy says:
    May 5, 2010 at 6:12 am

    Thanks a lot friend. I have followed 3 of the tips to secure my htaccess file.

  26. fry says:
    April 14, 2010 at 3:41 am

    thanks!

  27. admin says:
    April 14, 2010 at 3:24 am

    Putting them “Before” is fine.

  28. fry says:
    April 13, 2010 at 6:34 am

    Great tips, but just one question that I haven’t found an answer to yet. Would I put the above directives before, after, or inside the WordPress sections? What I mean by inside the wordpress sections is that the .htaccess would say “# BEGIN WordPress” then there are directives until “# END WordPress”.

  29. Ricote says:
    March 30, 2010 at 11:48 am

    It is a great list but I think modern spammers surf with referrer like Internet explorer 6 or similar

  30. Omer Greenwald says:
    March 27, 2010 at 3:47 pm

    Excellent set of tips! I assume protecting folders from your htaccess should be faster and more secure than installing WordPress security plugins. I will definitely try it, thanks

  31. Peter Moss says:
    March 16, 2010 at 8:03 pm

    Not so much security issue, but I would add 301 redirects from non-www to www requests and cache control headers for all static images.

    Peter

  32. james says:
    March 16, 2010 at 4:29 pm

    No, I host the image somewhere on my site and I give them a link referring the image back to my site. Still, will it block the other site from showing the image on their site?
    Thanks

  33. admin says:
    March 16, 2010 at 2:22 am

    If the Image is used from an external site then yes.

  34. James says:
    March 15, 2010 at 11:57 am

    Very good tips! I just incorporated them in my .htaccess. My question is: Would the “Disable Hotlinking” also prevent linking exchange, if i have an image that I host on my linking code?
    Thanks

  35. admin says:
    January 5, 2010 at 2:49 am

    @Charles, yes you need to replace them with your own domain name. “stealingisbad.gif” is just an image that will be displayed instead of the actual image when someone tries to hotlink. This image can have any message you want.

  36. Charles says:
    January 4, 2010 at 10:39 am

    Oh, and what does “stealingisbad.gif” mean in the ‘disable hotlinking’ code?
    Is that an image we need to create and upload via FTP in order for disabling of hotlinking to work?

    Thanks,
    Charles

  37. Charles says:
    January 4, 2010 at 10:16 am

    Interesting stuff, for a non-coder like me.

    In these text snippets, do we replace “?’yourdomain.com” and “!.*yourblog.com.*”
    with our own domain names—or do these work as is when dropped into our .htaccess file???

    Thank you,
    Charles

  38. Jay says:
    December 9, 2009 at 7:37 pm

    I use this one: http://alkivia.org/wordpress/capsman/ – it allows me to remove the default admin-account. Will check your suggestion.

    The WP -security-scan keeps telling me there is no .htaccess in the WP-Admin dir. – so just ignore it then? Not even some basic code in there?

  39. admin says:
    December 9, 2009 at 7:07 pm

    If you don’t have static IP then you can’t really restrict by IP so don’t bother putting anything there. Try the login lockdown plugin to add a bit more login protection.

  40. Jay says:
    December 9, 2009 at 8:39 am

    Sooooooo, not having a static IP Address, not being able to block that address in .htaccess file in Admin folder, what do I put in that file to secure that folder?

    I now understand the renaming, but that doesn’t apply to me either, as I don’t have my own server – but yes, good tip, makes sense!

  41. admin says:
    December 9, 2009 at 8:03 am

    LOL… okay okay I will tell you ๐Ÿ™‚

    by default the filename for access control is .htaccess. This is the file that “Apache” will look up to see what restrictions are specified and then it will control the access accordingly when a client makes a request to access your site through the browser.

    when you have protection in place the hackers know that it is specified in this file so they will try to attack this file so the protection can be destroyed. You can specify a different name for this access control file in the server configuration file (e.g. httpd.conf, access.conf etc) and “Apache” will look up that file instead. This way anyone from outside has no way of knowing which file to attack because they can’t guess the name of it.

    Your server will have other security measures in place so this is not really necessary and in some cases not doable if you don’t have a dedicated server. This is something good to know and do it if you are running your own server from your home PC and you don’t really have a lot of other security measures in place.

  42. Jay says:
    December 9, 2009 at 6:19 am

    Thank you! I don’t have a static IP address, so I need to put something else in the .htaccess in the Admin folder?

    Ok, good CHMOD rule.

    Renaming: you mention in the last line of your article:

    “Better still, you can rename the .htaccess to any other name you like

    # rename htaccess files
    AccessFileName ht.access”

  43. admin says:
    December 9, 2009 at 5:49 am

    Please note that playing around with .htaccess file is dangerous so handle with care.

    You can put the content explained in the “Restrict Access to WP Admin directory by IP Address” section in a .htaccess file and put it in the “wp-admin” directory. You will obviously have to modify the a.b.c.d to your IP address (don’t do this if you don’t have static IP address).

    Regarding file permission… here is a general rule of thumb… files should have a permission of 644 and directories should have a permission of 755

  44. Jay says:
    December 8, 2009 at 6:28 pm

    Nice article – thanks!

    Got the following questions:
    1 – I use the WP Security Scan plugin (by Semper Fi) – it tells that one thing is incorrect: “The file .htaccess does not exist in wp-admin/. ” Now, what do I put in that file? I contacted him last year, I searched all his documentation (which is lacking for this item) and that is how I ended up on your site.
    2 – Do I need any other .htaccess files – if yes, where do I put them (root?), what do I put in them and what CHMOD do they get?
    3 – As Mugger asked before, how do you apply the renaming? Where do you put what?

  45. mugger says:
    November 14, 2009 at 1:14 pm

    Does the code to rename .htaccess
    `# rename htaccess files
    AccessFileName ht.access`
    reside in ht.access or in a separate .htaccess?

  46. admin says:
    October 9, 2009 at 12:00 am

    Hi Ron, If you look at the spam blocking rules, you’ll notice it’ll only block POST requests, on the URI wp-comments-post.php. Since spiders/crawlers don’t do that, you have no fear of blocking the search engines out of your site.

  47. Ron C. Plute says:
    October 8, 2009 at 12:07 pm

    Would that anti-spammer code also stop spiders and search engines? My site gets visits from both spiders and search engines, and they often have no referrer.

    Since that code blocks anyone with no referrer, won’t it also stop the engines?

  48. Rubayeet says:
    September 21, 2009 at 6:58 pm

    @Towel - where do spam requests go? The hacks in the .htaccess ignore all POST requests without a referrer, so they don’t get stored anywhere. If you want to block spam and store it somewhere for analysis, you can use the Akismet plugin.

  49. Towel says:
    September 17, 2009 at 8:08 pm

    Regarding my previous comment; I managed to get rid of all the spam with the bit of code added into my .htaccess file. I couldn’t figure out properly how to add the complete path to my cgi file, so I simply created another .htaccess file straight inside my cgi-bin directory folder: /cgi-bin/.htaccess

    I was wondering where all the requests go now, into a black hole, they stop to exist? Over night no spam came. Otherwise it’s about 10 to 20 emails per day. Anyway, thanks a lot, Today I will add some extra code that you’ve mentioned.

  50. Towel says:
    September 17, 2009 at 7:21 am

    Thank you Ruhul. Could you please tell us whether another line of code could be added into the .htaccess (to avoid spammer bots with no referrer) for an additional file, as per below as I edited it. It’s my contact form (TFmail by London Perl Mongers) script which I get spam emails through it.

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} .wp-comments-post\.php* [OR]
    RewriteCond %{REQUEST_URI} .cgi-bin/contact-form\.cgi*
    RewriteCond %{HTTP_REFERER} !.*yourblog.com.* [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$
    RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

    # thank you very much.


Copyright © 2023 | Tips and Tricks HQ