March 24

Step up WordPress Security with These .htaccess Tips

Header image for WordPress security tips using htaccess


There’s a single file that can give you incredible power over how your WordPress site functions and how secure it is: your .htaccess file. Understanding the commands available and how to use them lets you do everything from increasing WordPress security and setting up basic redirects to restricting files or password-protecting specific content. This guide will show you the possibilities, with .htaccess tips and tricks to get you started.


Note: Always keep backups up to date. Here’s a guide to some of the best WordPress backup plugins to help.

 

What is .htaccess?

.htaccess stands for hypertext access. For WordPress sites, it’s automatically created when you choose to change the settings for your permalinks. But it’s normally hidden, meaning you won’t automatically be able to see it when viewing your site’s files. You can change this in your cPanel’s File Manager.

Just click the Settings button in the top right corner and in the box that comes up, put a check mark for Show Hidden Files (dotfiles), then save.

 

Showing where to show hidden files in cPanel

 

How do I create an .htaccess file?

In some cases, you may not even have an .htaccess file yet. If that’s the case, use Notepad or your favorite text editor to create one. Make a new file and name it htaccess.txt.

Assuming your site is running on WordPress (a normal installation, not Multisite or anything), it’s best to add something in this file right now. Put the following in the file and save it:


# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

 

Now upload this file to the root directory of your site and then rename it to .htaccess (Sometimes you can simply name it that to start with, but many times your server won’t let you do that… so this is a workaround).

Next you’ll want to make sure the file has the correct permissions. Set the permissions on this .htaccess file to 644. In File Manager, you’d just right click it to do this and get started with these .htaccess tips.

 

Word of warning about editing .htaccess files

Before you go any further, you should know that one tiny mistake in this file can have drastic results. It could even completely break your site, and we’re talking about something as small as a single syntax error. Please don’t let this stop you from learning how to tweak this file, though. Just make sure you have backups ready to roll should anything go wrong (of both your site and your current .htaccess file). Simple as that.

 

Now we can start tweaking this file to add functionality and security to your WordPress site. Anything that you add should go before or after the code we added above, never between the # BEGIN WordPress and # END WordPress lines, because WordPress rewrites that section whenever you save your permalink settings.

 

Note: The number sign # is used at the beginning of lines to make comments. Anything on that line isn’t considered code and serves only as notes to keep everything organized and clean.

 

Note: Do one change at a time and refresh your site between each change to make sure nothing breaks. This way, if something goes wrong you know exactly which line of code needs fixing.

 

How to open and use these .htaccess Tips

To get started, go to cPanel > File Manager > public_html.

If you have multiple sites, then you’ll also need to double click the folder for the site you want to work with.

Find the .htaccess file, right click it and click Edit.

 

Showing how to access and edit the .htaccess file in WordPress for better WordPress security

 

Note: You may get a pop-up box about encoding; just ignore it and click the Edit button.

 

Showing the code warning that sometimes shows when opening .htaccess file in cPanel

 

 

Protect your .htaccess file from hacks

The first thing you should do is protect your .htaccess file and while we’re at it, add protection for wp-config.php, php.ini (or php5.ini) and error logs. Simply add this code to the .htaccess file:

 

# Deny direct web access to .htaccess/.htpasswd, wp-config.php, php.ini and error logs
# (Order/Deny is Apache 2.2 syntax; Apache 2.4 still accepts it through mod_access_compat,
# and "Require all denied" is the native 2.4 equivalent)
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>

 

Note: Check to see if you have php.ini or php5.ini and use the appropriate file name in the code above.

 

Disable folder browsing

Now let’s disable folder browsing. Anyone can type your domain and a directory into the address bar and see everything that’s in there. With WordPress, that’s easy to do since all WordPress sites have the same default structure. It’s like hiding your favorite candy from the kids, then putting a sign on the fridge that tells them where it’s at. So let’s stop any potential hacker from being able to access an easy layout of everything on your site:

 

# disable directory browsing (use -Indexes on its own: Apache rejects
# "Options All -Indexes", because a plain keyword may not be mixed with +/- ones)
Options -Indexes

 

Block Username Enumeration

Username enumeration is when a hacker discovers the usernames of authors on your site. This might not sound like a big deal, but this is one of the most under-used .htaccess tips for security. If they know the username associated with an account, that’s just one less obstacle for them to get in. It’s easy for them to do this, too.

All they have to do is put /?author=1 at the end of your domain in the address bar. Then they’re taken to the author page for that user, which shows that author’s username.

Don’t allow this by adding the following code:

 

# Send any request whose query string carries author=<digit> back to the home page
# (\d matches a digit; a bare "d" would only match the literal letter d)
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]


Prevent access to important files in the wp-includes directory

Your wp-includes directory can often become a target, since it holds very important files needed to run any WordPress site. Let’s prevent would-be hackers from accessing it with the following code:

 

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Forbid (403) direct requests to wp-admin/includes/; the target "-" (a plain hyphen)
# means "no substitution"
RewriteRule ^wp-admin/includes/ - [F,L]
# For anything outside wp-includes/, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
# Forbid direct requests to PHP files in wp-includes/ and its known sub-paths
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

 

Restrict access to important php files

You can add the following code to prevent direct access to PHP files in your themes and plugins, making it harder for would-be hackers to add malicious code to them:

 

# Each RewriteCond applies only to the RewriteRule that follows it. Replace the
# "file/to/exclude" paths with plugin or theme files that legitimately need direct
# access, or drop those RewriteCond lines if nothing does. "-" (a plain hyphen) means
# no substitution; R=404 answers Not Found and stops rewriting.
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

 

Prevent script injections

Next, let’s stop them from injecting scripts through the query string, which is normally attempted with a <script> tag or by trying to set the _REQUEST or GLOBALS variables, by adding the following code:

 

# FollowSymLinks is required for mod_rewrite in .htaccess; if your host does not allow
# Options here the site will answer 500, in which case remove this line
Options +FollowSymLinks
RewriteEngine On
# Forbid (403) any request whose query string carries a <script> tag (plain or URL-encoded),
# or tries to set GLOBALS or _REQUEST via "=", "[" or a URL-encoded character
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
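The query-string conditions from the username-enumeration and script-injection sections, and the FilesMatch pattern from the section on protecting .htaccess, can be exercised offline before you touch the live file. This is an added Python example, not code from the original post: it applies those patterns (with author=\d and the escaped "[") using the same unanchored matching RewriteCond performs, over constructed sample query strings and file names.

```python
import re

# Query-string RewriteCond patterns from the username-enumeration and script-injection
# sections. RewriteCond matches anywhere in the string, hence re.search below.
QUERY_RULES = [
    (re.compile(r"author=\d"), "author enumeration"),
    (re.compile(r"(<|%3C).*script.*(>|%3E)", re.IGNORECASE), "script tag"),  # [NC]
    (re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"), "GLOBALS override"),
    (re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"), "_REQUEST override"),
]

# FilesMatch pattern from the "Protect your .htaccess file" section; Apache applies it
# to the file name only, so the samples below are bare names.
PROTECTED_FILE = re.compile(r"^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$")


def query_verdict(query_string):
    """Return the label of the first rule the query string trips, or None if it passes."""
    for pattern, label in QUERY_RULES:
        if pattern.search(query_string):
            return label
    return None


def file_blocked(filename):
    """True when the FilesMatch block above would deny direct web access to the file."""
    return PROTECTED_FILE.search(filename) is not None


if __name__ == "__main__":
    # Constructed sample query strings (not taken from real traffic).
    samples = [
        "author=1",                               # blocked: enumeration probe
        "p=12&author=7",                          # blocked: parameter can appear anywhere
        "s=hello+world",                          # passes: ordinary search
        "s=%3Cscript%3Ealert(1)%3C%2Fscript%3E",  # blocked: URL-encoded <script>
        "GLOBALS%5Bx%5D=1",                       # blocked: URL-encoded GLOBALS[
        "_REQUEST[a]=1",                          # blocked
        "s=GLOBALSTAR",                           # passes: with an unescaped "[" the class
                                                  # quantifier {0,2} accepts nothing, so any
                                                  # query merely containing GLOBALS matched
    ]
    for qs in samples:
        print(f"{qs:40} -> {query_verdict(qs) or 'allowed'}")
    for name in [".htaccess", ".htpasswd", "wp-config.php", "error_log", "php.ini", "index.php"]:
        print(f"{name:15} blocked={file_blocked(name)}")
```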

 

By adding all of these to your .htaccess file, you’re putting up a bunch of obstacles hackers will have to overcome to mess with your site. But tweaking your site with these .htaccess tips is just one of many ways to increase your WordPress site security. There are tweaks you can make to your wp-config file or you can add security plugins. If you want to keep going, here are 20 things you can do to increase WordPress security.
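Once the rules are in place, it is worth confirming from the outside that each one does what this guide says, and that the site itself still answers 200 rather than a 500 from a syntax slip. This is an added Python example, not code from the original post: the site URL is a placeholder, the paths assume a default WordPress layout at the web root, and the fetch function is injectable so the checking logic can be exercised without a live server.

```python
from urllib.error import HTTPError
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Status codes the rules in this guide should produce for a default WordPress install
# at the web root (assumption; adjust the paths if your install differs).
EXPECTED = {
    "/": {200},                                        # site itself still loads
    "/.htaccess": {403},                               # FilesMatch deny
    "/wp-config.php": {403},                           # FilesMatch deny
    "/?author=1": {301},                               # enumeration redirect, not followed
    "/wp-includes/version.php": {403},                 # wp-includes/*.php rule
    "/wp-admin/includes/file.php": {403},              # wp-admin/includes/ rule
    "/?s=%3Cscript%3Ealert(1)%3C%2Fscript%3E": {403},  # script-injection rule
}


class NoRedirect(HTTPRedirectHandler):
    """Report 3xx responses instead of following them, so the redirect itself is checked."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url):
    """GET the URL and return its HTTP status code (redirects are not followed)."""
    opener = build_opener(NoRedirect)
    try:
        with opener.open(Request(url, headers={"User-Agent": "htaccess-check"}), timeout=10) as resp:
            return resp.status
    except HTTPError as err:
        return err.code


def check_site(base_url, fetch=http_status):
    """Return {path: (status, ok)}; fetch is injectable so the logic can be tested offline."""
    base = base_url.rstrip("/")
    results = {}
    for path, allowed in EXPECTED.items():
        status = fetch(base + path)
        results[path] = (status, status in allowed)
    return results


if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # placeholder site
    for path, (status, ok) in check_site(site).items():
        print(f"{'OK  ' if ok else 'FAIL'} {status} {path}")
```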

What do you do to protect your WordPress sites? Are there any other .htaccess tips you have that aren’t listed here?

And of course, if you’ve found this helpful, please share!
