10 Security Tips with .htaccess in WordPress


Having your website affected by attacks, hacks or infections is neither fun nor pleasant, and it usually ends up on the desk of your hosting provider's technical support. Keeping in mind what you can do yourself as a user and administrator of WordPress sites relieves that pressure and improves the security of WordPress.

The WordPress .htaccess file, located in your website's directories, is a configuration file that can be used to override the web server's settings (if the server allows it).

In this article we show some simple changes that can be carried out in WordPress using the .htaccess file to increase the security of the site.

With the right codes it is possible to enable or disable additional functionalities and features to protect your site from spammers, hackers and other threats.

Some of these features include basic redirects, blocking external access to specific files, or more advanced features such as password-protecting content or preventing the misuse of your website's images on external sites (hotlinking).

Important: Article updated on 11/11/2020

Configure the .htaccess file

Apart from the use of plugins, there are a number of improvements that can be made to the .htaccess file. Together with the right plugins and regular updates, they enhance security by adding an extra level of protection to the one implemented by the server itself.

The typical minimum .htaccess file that any WordPress installation should include by default is:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Note that any additions to this file should be made after # END WordPress and never before it.

This would ensure that none of the .htaccess based WordPress features are broken. Before making any changes to the .htaccess file it is highly recommended to make a backup.

Edit the .htaccess file in WordPress

When permalinks are enabled in WordPress, an .htaccess file is automatically created in the root directory of the site.

When WordPress writes an .htaccess file, it always places its data between # BEGIN WordPress and # END WordPress. The pound character # means that these lines are comments and will not affect the configuration.

These files are powerful, and a syntax error, such as forgetting an opening or closing < character, can leave your site inaccessible, so it's important to back up your .htaccess file before making any changes to it.


Some operating systems do not allow you to create a file named .htaccess directly, so the easiest way to do it is:

  1. Use Notepad or a similar plain text editor (Notepad++) to add the necessary commands.
  2. Save the file as a txt file, for example: htaccess.txt
  3. Upload the file to your site in the appropriate folder.
  4. Once uploaded, rename the htaccess.txt file to .htaccess

Protect the wp-config.php file

One of the most important files in your WordPress installation is the file wp-config.php.

This file is located at the root of your WordPress installation directory and contains your site's database configuration details, the WordPress security keys and the database connection information. This information is, of course, sensitive, and anyone who gets hold of it may end up compromising your site.

The best way to protect this file is by adding the following code snippet to the .htaccess file:

# deny HTTP access to wp-config.php only (the <Files> wrapper limits the rule to that file)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Of course, even with this protection, this file will still be accessible via FTP, WePanel, etc.

Prevent access to the wp-content folder

The wp-content folder contains images, themes, and plugins and is a very important folder within your WordPress installation, so it makes sense to prevent unauthorized access to this folder.

This requires adding directives to the .htaccess file that allow users to view images, CSS, etc., but protect the important PHP files:

# placed in wp-content/.htaccess: deny everything, then re-allow only static assets
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</FilesMatch>

Disable HTTP TRACE and TRACK

TRACE and TRACK are HTTP methods enabled by default on most Apache web servers and used for debugging purposes. However, these methods can end up compromising the security of your WordPress site, since attacks such as Cross Site Tracing (XST) and Cross Site Scripting (XSS) can use them to steal cookies and other sensitive information from your web server.

Fortunately these methods can be easily disabled by placing the following lines of code in the .htaccess file at the root of your Hosting:

# answer 403 Forbidden to any TRACE or TRACK request
# (TraceEnable Off in the main server configuration is the definitive fix, but it cannot be set from .htaccess)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]

Avoid directory browsing

Protecting WordPress directories is important, and security by obscurity is justifiable in this case: it hides these folders from view, which prevents unauthorized people from browsing through the directories.

Disabling directory browsing is a good practice, along with the other measures focused on protecting your site.


To disable directory browsing you must add this in the .htaccess file:

# Directory Navigation
# (Apache rejects mixing "All" with a -/+ option such as "Options All -Indexes"; use the -Indexes form alone)
Options -Indexes

Avoid Hotlinking

Hotlinking, or bandwidth theft, occurs when the images or files of your articles or posts are linked from articles and/or posts on a different server, normally external and unrelated to you, while the bandwidth consumed is yours.

By adding this code to your .htaccess file you will avoid being a victim of hotlinking:

RewriteEngine On
# only act on requests that carry a referer from another domain
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?your_domain\.com/ [NC]
# never redirect the replacement image itself, or the rule would loop
RewriteCond %{REQUEST_URI} !hotlink\.gif$
RewriteRule \.(gif|jpg)$ http://www.your_domain.com/hotlink.gif [R,L]

Note: change “your_domain.com” to the real name of the domain you use on your website.

You will also need to change the image hotlink.gif to the name of the image file on your server that explains that hotlinking is disabled on your site.

Restrict access to the administration area (dashboard)

There are many ways to protect access to the WordPress dashboard (/wp-admin directory), some of which we have explained in this blog, in other articles.

An easy way to restrict access if your Internet connection uses a fixed IP address and you always access your site from the same place is by creating a new .htaccess file with the following snippet in the folder /wp-admin:

order deny,allow
allow from 202.108.5.1
deny from all

Note: change the IP address to the one you want to allow access to your website, or to your own IP address (you can find out your IP address at ).

This will allow you to access the administration area of your site, blocking all other attempts to access this folder from other IPs.

Additionally, you can add the IP address of other administrators of your site, or even of other places from which you usually connect, taking into account that it is not recommended to add dynamic IPs for security reasons.

Ban access from unwanted IPs

If you use extensions like Wordfence that let you see which IPs persistently try to access your site, mainly the /wp-admin dashboard in order to launch a brute force attack, you can ban these IPs using the following code in the .htaccess file:

order allow,deny
deny from 202.090.21.1
allow from all

Note: change the IP address to the one you want to block from accessing your website.


This code will prevent the aforementioned IP from accessing your site again. You can also add more IPs by replicating the deny from line, for example:

order allow,deny
deny from 202.090.21.1
deny from 211.190.151.122
allow from all

Note: change the IP addresses to the ones you want to block from accessing your website.

Protect the .htaccess file

It makes little sense to apply additional protections to folders and files unless the .htaccess file itself is also protected, since attackers often target this file in order to invalidate the other protections.

When someone tries to access your .htaccess file, the server automatically returns a 403 Forbidden error, even with default file permissions.

Protecting it is easy by implementing the following code in the .htaccess file in the main WordPress site folder:

# deny HTTP access to the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>
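
The Order/Allow/Deny directives used in the snippets above are Apache 2.2 syntax; on Apache 2.4 they only work while the legacy mod_access_compat module is loaded. As an added example (not code from the original article), the same protections for wp-config.php, wp-content, wp-admin, banned addresses and .htaccess written in the Apache 2.4 form; every IP address in it is a placeholder:

```apache
# Added example, not from the original article: the access restrictions
# above in Apache 2.4 (mod_authz_core) syntax. Order/Allow/Deny are
# Apache 2.2 directives and on 2.4 need the legacy mod_access_compat.
# All IP addresses below are placeholders; replace them with your own.

# ---- root .htaccess, after "# END WordPress" ----
<IfModule mod_authz_core.c>
    # wp-config.php and every .htaccess are never served over HTTP
    <FilesMatch "^(wp-config\.php|\.htaccess)$">
        Require all denied
    </FilesMatch>

    # ban specific addresses site-wide (equivalent of "deny from <ip>")
    <RequireAll>
        Require all granted
        Require not ip 203.0.113.10 203.0.113.11
    </RequireAll>
</IfModule>

# ---- wp-content/.htaccess ----
<IfModule mod_authz_core.c>
    # deny everything, then re-allow only static assets.
    # Caveat: a plugin that exposes its own PHP endpoint inside wp-content
    # stops working; add that file to the list if you rely on one.
    Require all denied
    <FilesMatch "\.(css|js|jpe?g|png|gif|svg|webp|ico|woff2?|xml|txt)$">
        Require all granted
    </FilesMatch>
</IfModule>

# ---- wp-admin/.htaccess ----
<IfModule mod_authz_core.c>
    # only the administrator's fixed address reaches the dashboard...
    Require ip 198.51.100.25
    # ...except admin-ajax.php, which the public front end of many themes
    # and plugins calls; leaving it blocked breaks those features
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>
```

Before relying on any of these files, request wp-config.php, a PHP file under wp-content and the dashboard from an address that is not allowed and confirm the server answers 403.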

BONUS. Avoid SPAM in comments from .htaccess

You can avoid SPAM in the native WordPress comment form coming from requests without an HTTP referer header (no referring URI), which is typical of spam bots, by adding the following code to your .htaccess file:

RewriteEngine On
# POST to the comment handler...
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ...that does not come from your own domain and carries no user agent
RewriteCond %{HTTP_REFERER} !domain\.com [NC]
RewriteCond %{HTTP_USER_AGENT} ^$
# bounce the request back to the sender's own address
RewriteRule .* https://%{REMOTE_ADDR}/ [R=301,L]

Note: change “domain.com” to the actual domain name you use on your website.

Conclusions

Editing your existing .htaccess file or creating new ones for subdirectories can increase the security of your site. Still, it’s good to use the tips in this article to complement other security measures you have in place on your WordPress site.

This article arose as a result of the article written by Raelene Wilson “5 Simple .htaccess Tips to Tighten Your Site’s Security”, improved and expanded based on the experiences in , in the daily support to our clients.

Do you want to deepen the use of the file .htaccess in WordPress?

Recommended reading:

Additionally, if you want to analyze the security of your current WordPress installation to find out which points to improve, an interesting option is the plugin Acunetix WP Security, which we talked about in another article on this Blog.


Member of the technical support team of .
Content Coordinator on the Blog and Youtube.
Technical support in CiberProtector. Teacher at University
