Just like WordPress is highly SEO friendly out of the box, it is also highly secure. And in the same way a little extra WordPress SEO’ing can go a long way, bumping up the security a bit for the web site is very beneficial. The All in One WP Security Plugin fills the WordPress security gap nicely. A big part of WordPress security involves the .htaccess file that resides in the root of the installation. This plugin helps keep that file safe and secure plus it can add commands to the file to beef up security for the entire WordPress site.
htaccess Firewall Security
Site-wide firewall protection is added for the web site using the .htaccess file. Since the server processes the htaccess file before any other code on the site, it makes sense to put a wall of security up there. This could prevent any malicious attacks from reaching the core web site, plugin, and theme files.
Firewall protection is applied in layers so that it doesn’t tighten the reins so much that it breaks the normal functionality of the web site (the functionality of other plugins, for example). There are basic, intermediate, and advanced settings that can be activated, each of which applies the appropriate commands to the .htaccess file.
The plugin allows for simple backup and restore of the .htaccess file (and wp-config.php file) from within the WordPress dashboard.
Option 1) How to back up and restore the .htaccess file from the “Settings menu” of the All in One WP Security Plugin
It’s very simple to keep a safe copy of your .htaccess file from the WordPress dashboard with this plugin. The first step, of course, is to install the plugin through the standard procedure, and I’ll go through those quick steps now. There are a few different ways; here’s one:
1. Download the security plugin to your computer from the WordPress plugin repository. You should now have a zip file called something similar to “all-in-one-wp-security-and-firewall.zip” on your computer.
2. Go to Plugins >> Add New, click Upload, locate the plugin and upload it, activate it, and head to the settings page.
Now, here are the steps to back up the .htaccess file the first time.
1. From the left side menu in the WordPress dashboard near the bottom of the screen, hover over the WP Security menu, and click on Settings if you aren’t already on that page.
On this page you have the options for backing up, restoring, and viewing the contents of the .htaccess file.
2. Click on the .htaccess File tab at the top of the screen.
3. Click the Backup .htaccess File button near the top of the page. A file called htaccess_backup.txt will be saved to the root of your web site.
4. In the confirmation message that appears at the top of the page, there will be a hyperlink to the text file that was created that contains the commands from your current .htaccess file. Right-click the link and click Save link as… (or a similar command – it might just be “Save as…”). Find a safe location on your computer to store the file and click the Save button.
Restoring the file is just as simple. Follow the quick steps below:
1. Hover over the WP Security menu, and click on Settings if you aren’t already on that page.
2. Click on the .htaccess File tab at the top of the screen.
3. Click the Select Your htaccess File button, then click Select Files.
4. Locate the backed up “htaccess_backup.txt” file on your computer and double-click it.
5. Scroll down and click the Insert into Post button.
6. Click the Restore .htaccess File button. A confirmation message will appear near the top of the page.
Option 2) How to restore the .htaccess file via FTP
If you were able to successfully back up your WordPress installation’s .htaccess file but can’t gain access to the dashboard to restore the file, you can follow the steps below to do so.
1. First, locate the “htaccess_backup.txt” file on your computer and open it in a text editor.
2. Use the text editor’s File >> Save As… command and make sure Save as type: is set to “All Files (*.*).”
3. In the File name: box type: .htaccess (make certain to include the leading ‘dot’). Then click the Save button.
4. Open up your FTP software and connect to the server that holds the WordPress install files for the site that you want to restore the .htaccess file on.
5. Transfer the “.htaccess” file from your computer to the root folder of the WordPress site. Overwrite the file on the server when prompted.
Option 3) How to wipe out all the firewall rules before uploading the .htaccess file
In the event that you want to remove the firewall rules that were applied to the .htaccess file by the plugin, you can follow the steps below.
If you already have a current backup of the .htaccess file (the “htaccess_backup.txt” file) on your computer, you can follow the steps above to rename it to .htaccess. If you don’t have a current copy, then you can log in via FTP (or the Control Panel’s File Manager) and download the working copy.
Either way, follow the steps below to modify the .htaccess file and remove the firewall rules:
1. Open the .htaccess file with a text editor. If the file does not have a .txt extension (which it shouldn’t at this point), you may have to open the text editor first and use the File >> Open… command, rather than double-click the file.
2. Locate the “# BEGIN All In One WP Security” and “# END All In One WP Security” lines and remove all lines in between (and including) those lines.
3. Save the file.
4. Upload the file to the server (via FTP or File Manager) and overwrite the existing file.
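Steps 1 to 3 above can also be scripted. The Python below is an added example, not code from the plugin or from the original article: it removes the two marker lines and everything between them, refuses to write anything if the markers are unbalanced, and keeps the untouched original as a .bak copy. The function names, the .bak suffix, UTF-8 encoding, and the sample text are assumptions made for illustration.

```python
import shutil

# Marker lines exactly as quoted in step 2 above.
BEGIN = "# BEGIN All In One WP Security"
END = "# END All In One WP Security"

# Constructed sample; the middle line is a placeholder, not a real plugin rule.
SAMPLE = (
    "# BEGIN All In One WP Security\n"
    "# (placeholder for plugin-written firewall rules)\n"
    "# END All In One WP Security\n"
    "# BEGIN WordPress\n"
    "RewriteEngine On\n"
    "# END WordPress\n"
)


def strip_firewall_block(text):
    """Return (cleaned_text, removed_line_count); markers are removed too."""
    kept, removed, inside = [], 0, False
    for line in text.splitlines(keepends=True):
        marker = line.strip()
        if marker == BEGIN:
            if inside:
                raise ValueError("second BEGIN marker before END")
            inside = True
        elif marker == END and not inside:
            raise ValueError("END marker without a BEGIN marker")
        if inside:
            removed += 1
            inside = marker != END  # stay inside until the END line is consumed
        else:
            kept.append(line)
    if inside:
        raise ValueError("BEGIN marker without an END marker")
    return "".join(kept), removed


def clean_htaccess(path):
    """Strip the block from the file at path; keep the original as path + '.bak'."""
    # newline="" preserves the file's own line endings (LF or CRLF).
    with open(path, encoding="utf-8", newline="") as fh:
        original = fh.read()
    cleaned, removed = strip_firewall_block(original)  # raises before any write
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8", newline="") as fh:
            fh.write(cleaned)
    return removed
```

Run clean_htaccess on the downloaded copy of the file, then upload the result as described in step 4.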
Explore the other features of the All in One WP Security Plugin
At this point you will know how to keep the .htaccess file secure and restore it if the need were to arise. You can do a very similar thing with the important “wp-config.php” file as well. The tab to back up, restore, and view this critical file is next to the .htaccess tab on the plugin’s settings page. The operations are very similar to what we discussed about the .htaccess file security.
Common “tweaks” that are suggested regarding the WordPress installation are taken into consideration using this plugin. The more recommended changes that are made, the more secure the site ends up being, and the higher the Security Strength Meter rises in the WP Security Dashboard.
Aside from the .htaccess and wp-config.php file security discussed, the plugin addresses WP Meta Info, user accounts (default admin user name and display name), user login settings, database security (auto-backups and table prefix), filesystem security (permissions), and more.
Also, if you find a particular IP address is showing up often in the security reports and logs (like comment spammers), you can use the built-in WHOIS Lookup tool to gain more detailed information about the IP address. Then you can decide to add offending IP addresses to the blacklist so that they can no longer visit the site. Commands will be added to the .htaccess file as the first line of defence against the attackers and spammers. These people are just wasting valuable resources and pose a threat to the security of your web site, and in many cases, your income as well.