WordPress is the world's most popular CMS, with over 22% of websites using it, but do you know how secure it is out of the box?
In this article, I am going to show you how to secure WordPress with htaccess.
If you're wondering why you should choose WordPress for your website, here are some reasons:
- huge selection of themes
- has a large active community
- regular fixes/updates
However, being so popular comes at a cost: WordPress is the number one target for most online attacks.
For those looking for simple, fast setup of small to medium WordPress sites, we have shared UK WordPress hosting solutions.
For businesses looking to streamline their website management, opting for managed WordPress hosting UK VPS services can provide the ideal blend of performance, security, and support tailored to the local market.
So How Can You Protect Your WordPress Site?
Plugins are certainly one way to protect your WordPress website.
Your job, like that of everyone else who runs WordPress, is to keep your site safe from people you don't want to have access to it (i.e. hackers).
There are numerous plugins that help implement security for WordPress, such as Login LockDown, which logs the IP address and locks it out after a certain number of failed login attempts to wp-admin.
Another option is the WP Security Scan plugin which scans your WordPress site for vulnerabilities and suggests possible methods for fixing any flaws it may find.
There are many security plugins you can use to increase the security of your WordPress website. Besides plugins, there are other ways to keep your WordPress site secure, such as always updating to the latest version (many people are still on older versions), which ensures you have the latest security patches and fixes for WordPress.
In addition, remember to delete the readme.html and license.txt files so that attackers cannot read the version of WordPress you have installed from them.
Another good way to secure your WordPress is by using the .htaccess file, which is exactly what I will show you in this article.
Securing WordPress With htaccess
Apart from plugins, there are a number of settings you can add to your .htaccess file so that, together with plugins and regular updates, you strengthen your WordPress site's security and give it an extra level of protection.
I'm going to share with you some of the settings that I find most helpful for protecting the essential parts of your WordPress site.
I'll show you how and where to add them, but keep in mind that you don't have to use all of them; you can use only the ones that you feel are appropriate for your WordPress site.
Let's start with a typical WordPress .htaccess file:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
The .htaccess file should be located in the document root for your WordPress site.
For example, using Farbyte shared web hosting, this would typically be your public_html directory.
Any settings you add to the .htaccess file should be placed below the last line of that block, "# END WordPress", to keep everything tidy.
Before making any changes to the file, please make sure to take a backup of your .htaccess file in case something goes wrong.
1. Protect wp-config.php
The wp-config.php file is one of the most important files for your WordPress website.
It contains the connection credentials for your database, so obviously you do not want anyone to be able to read that file!
To prevent access to it you just have to add the following code to your .htaccess file:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
This blocks anyone from fetching the file through a browser.
2. Limiting wp-admin Access
You can limit access to the WordPress admin panel by IP address, i.e. you can specify which IP is allowed to reach wp-admin. To do this, create a new .htaccess file containing the following code and upload it to the wp-admin folder:
order deny,allow
allow from [YOUR IP]
deny from all
This code blocks access from every IP address in the world and only allows the IP that appears in the allow from line.
Remember to put your public IP where it says [YOUR IP].
Also, note that if you have a dynamic IP you will have to update this file every time it changes, or you will be locked out of wp-admin yourself.
3. Block Directory Browsing
Due to the popularity of WordPress, many people know the WordPress directory structure and know where to look to find out which plugins you are using or any other files that might give away information about your website.
For example, the structure of uploaded files in WordPress is /wp-content/uploads/year/month/file.
If you request just the directory URL, /wp-content/uploads/year/month, you may get a listing of all the uploaded files in that directory.
All Farbyte shared hosting accounts are automatically protected from this, but if you're using another hosting provider, or setting up your own virtual server, one way to prevent it is to add the following code to your .htaccess file:
# directory browsing
# only the relative form is used: Apache rejects "Options All -Indexes" (mixing an absolute option with a +/- one)
Options -Indexes
4. Block Access To The wp-content Directory
The wp-content directory contains images, templates and plugins, which are very important files for the proper functioning of your WordPress.
So it makes sense to prevent attackers from requesting the PHP files in this directory directly; the other files can and should remain viewable.
Create another .htaccess file in the wp-content directory and add the following code:
Order deny,allow
Deny from all
# the dot must be escaped, otherwise "." matches any character and e.g. "shellxml" would be allowed too
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
This code blocks access to everything under wp-content for everyone and only allows files with the listed extensions.
If you have files with other extensions that you want to be viewable (such as .pdf files) just add the extension to the list between the brackets (e.g. |pdf).
5. Protect The .htaccess File
It may sound strange: .htaccess is, of course, supposed to protect our WordPress site, but what protects the .htaccess file itself?
People spend so much time worrying about having the best security plugins installed that they overlook the fact that the .htaccess file is open to attack.
To protect our .htaccess file we will paste the following code into our .htaccess file, i.e. .htaccess protects itself:
# matches any file name containing ".hta" (case-insensitive), which covers .htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
This code blocks everyone from fetching files whose name contains .hta, such as .htaccess itself, which helps make the .htaccess file a little more secure.
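As an added example that is not part of the original article, here are the same five protections (sections 1 to 5) written in the Require syntax of Apache 2.4, where the order/allow/deny directives above only keep working while the deprecated mod_access_compat module is loaded. It assumes a stock Apache 2.4 with mod_authz_core and an AllowOverride that permits Options and Limit in .htaccess; 203.0.113.0/24 is an RFC 5737 documentation range used as a placeholder for your own address.

```apache
# --- public_html/.htaccess (add below "# END WordPress") ---

# 1. wp-config.php: never serve it to a browser
<Files "wp-config.php">
    Require all denied
</Files>

# 3. no directory listings (only the -Indexes form; "All -Indexes" is rejected by 2.4)
Options -Indexes

# 5. hide every .ht* file (.htaccess, .htpasswd); same rule Apache ships in httpd.conf
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# --- public_html/wp-admin/.htaccess ---

# 2. admin panel reachable only from an allow-listed address or range;
#    a lone "Require ip" denies every other client (placeholder range, replace it)
Require ip 203.0.113.0/24

# admin-ajax.php is called by the public front end of many themes and plugins,
# so it is re-opened; a more specific <Files> section replaces the directory rule
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- public_html/wp-content/.htaccess ---

# 4. deny everything, then re-open only static asset types (dot escaped, list extended
#    with the font and image formats modern themes serve)
Require all denied
<FilesMatch "\.(xml|css|jpe?g|png|gif|js|svg|webp|woff2?|ttf|pdf)$">
    Require all granted
</FilesMatch>
```

After uploading, request wp-config.php, .htaccess and a wp-content .php file in a browser and confirm each returns 403, then load a front-end page to confirm images, styles and scripts still load.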
Conclusion
That about wraps up our WordPress htaccess security article.
If you implement at least one or two of these tips, you'll have a much more secure WordPress website.
Keeping WordPress secure is the number one priority for the safety of your website data.