Latest News

How To Secure Your WordPress With .htacess File

There are several ways of making your WordPress secure (using WordPress best practices, security plugins, content delivery networks…) and configuring your .htaccess is just one of them, the one that belongs to the domain of prevention.
Configuring .Htaccess
.htacess is a configuration file that allows you to override your server’s global settings for the directory that it’s in, by limitting file access.

There’s a couple of ways you can access it:
  • Find it in the root of your website
  • Edit it using WordPress SEO plugin by Yoast
Here’s a piece of code generated by WordPress and you’ll find it in almost every .htaccess file:

# BEGIN WordPress
<ifmodule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Anything else you decide to apply to harden WordPress security should be added after this.

Protect Wp-Config.Php :
WordPress best practices suggest you protect your wp-config.php file and you can do that by adding:

<files wp-config.php>
order allow,deny
deny from all

Prevent Directory Browsing :
You know how you can change a few characters in a URL and continue browsing the website. With this code you’ll prevent any directory browsing

# directory browsing
Options All -Indexes

Disable Any Hotlinking :
Sometimes other (non-ethical) site curators will try to use your images and videos and put a strain on your serves, which uses your disk space and bandwidth. While this is not in the domain of WordPress security, it will certainly help your website’s overall health. Adding this to your .htaccess will prevent hotlinking from happening:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?YourDomain [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

note: Be sure to change “YourDomain” with your domain address and leave out the “www” part

If you need to allow certain websites to use your images, then you can use this online tool for generating the anti hotlinking code where you can define various parameters.

Protect /Wp-Content Directory :
WordPress holds all your media files in here and they’re an asset you want search engines to crawl. But, “/wp-content” is a place where your themes and plugins reside, too. You don’t want to allow access to those sensitive .php files.

In order to work you need to create a separate .htaccess file (just use your FTP client and create a file with no name and give it an “.htaccess” extension) and put it in your /wp-content directory. This code will allow access to images, CSS, java-script and XML files, but deny it for any other type.

order deny,allow
deny from all
<files ~ ".(xml|css|jpe?g|png|gif|js)$">
allow from all

That’s it. Your WordPress website should be a lot safer place now. There’s just one last thing we should do and that’s protecting the .htaccess file(s).

Protect The .Htaccess Itself :
We’ve done a lot to protect WordPress, but the .htaccess file itself is still open to attacks. The following code snippet will stop anyone from accessing (reading or writing) any file that starts with “hta“.

<pre><files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

While you can install various WordPress security plugins, sign-up for monitoring services and content delivery networks which filter your traffic, configuring .htaccess file so it strengthens your WordPress security is a good step toward that peace of mind every website owner needs.

Prevention is often the best cure. 

Note: Making changes to .htaccess should be pretty relaxing job, but if you use plugins (ex. WordPress SEO) for configuring .htaccess, please make sure to also have FTP credentials, just in case you need to directly access and reconfigure it.

No comments:

Post a Comment


Powered by Blogger.