Improve the security of our WordPress with .htaccess

In this tutorial we are going to see how to improve the security of our WordPress sites through the .htaccess file.

What is the .htaccess file?

The .htaccess file is a per-directory configuration file used by Apache-based web servers. It may contain one or several lines of directives, and those directives apply to the directory where the file is located and to all of its subdirectories.

Thanks to this file and the code that it can include, we will have the possibility to customize our error pages, perform SEO-optimized redirections or specify security restrictions to prevent unauthorized access to the directories and files of our site.

It is important to underline that the .htaccess file is only honoured by Apache-based servers. Nginx does not read per-directory files at all; to apply the same restrictions there, the rules have to be rewritten in Nginx's own syntax inside its server configuration.

WordPress, security and .htaccess

WordPress is a mature, actively maintained CMS whose core receives regular security updates. However, when we talk about security nothing is 100% reliable, since not only the tool itself comes into play but also its configuration, the plugins and themes we install, and how we use it.

If the server where our installation is running is based on Apache, we can use specific directives in our .htaccess file to improve the security of our website and protect certain directories and files in such a way that we block unauthorized access. We can also, among other things, deny access to some unwanted bots, filter by IPs, or avoid directory listing.

The .htaccess file is usually located in the main folder or root directory of our site, although there may be others in subfolders, and a directive set in a deeper .htaccess overrides the same directive set in the root one. Apache only reads these files where the main server configuration allows it (the AllowOverride directive): if that is set to None for our directory, everything we add to .htaccess is silently ignored.


In this tutorial we are going to see some snippets that we can add to the .htaccess of our root directory to make our installation more robust in terms of security. And if you want to learn even more, take a look at the class. Let's get to it!

Modify .htaccess to make WordPress more secure

To modify the .htaccess file we have to locate it first, so we are going to go to the root folder where we have WordPress installed. As we have said, we can have other .htaccess files in other folders of our installation.

In this case we will comment on some directives or code fragments that we can place in the file located at the root of our site, but we could also use specific directives in the .htaccess that we place in other directories.

If you want to know more about this topic, the class mentioned above covers, in a very practical way, methods and tools to make WordPress more secure and better shield it against threats.

Well, now that we are finally at the root of our installation, it is likely that we will not see the file. It is a hidden file: its name starts with a period, and FTP clients and file managers hide such files by default. To make it visible we have to adjust the client's configuration to show hidden files; if our client offers it, the option lives in the “Server/Force show hidden files” menu.

Once we have located our file, we make a backup copy of its content before touching it: a single syntax error in .htaccess makes Apache answer every request for the site with a 500 error, and the way back is to restore the saved content.

With the copy already made, it is time to open our file to start adding the code snippets that we are going to need. By default, the .htaccess file usually contains a few configuration lines for WordPress permalinks:


# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

We add our own rules just below that block, outside the # BEGIN WordPress and # END WordPress markers (WordPress rewrites everything between those markers whenever the permalink settings are saved, so anything placed inside them is lost), and save the file to test each modification as we make it.

A very useful rule is the one that blocks access to the wp-config.php file. This file is critical: it stores the database credentials of our site (host, database name, user and password) and the authentication salts. In normal operation Apache hands the file to PHP, which produces no output, so its contents are not exposed; the rule covers the cases where that is not true, such as a disabled or misconfigured PHP handler. If we add it to our .htaccess and then request wp-config.php, the server answers with a 403 Forbidden error.

# Block access to the wp-config.php file
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

Two caveats. Order, Allow and Deny are Apache 2.2 directives; on Apache 2.4 they only work if mod_access_compat is loaded, and the native form is Require all denied inside the same <Files> block (do not mix the two styles in one context). Also, <Files wp-config.php> matches that exact name only: a stray backup copy such as wp-config.php.bak is not covered, which is a reason to delete such copies rather than leave them in the web root.

Another way to shield our installation is to restrict the login page to the IP addresses that interest us. To use this rule, replace the address shown with your own public IP (127.0.0.1 in the snippet is only a placeholder; it is the server's loopback address, so leaving it as-is locks out every remote client). Bear in mind that if your IP is dynamic, or you log in from different locations, only the addresses listed here will reach wp-login.php, and that behind a CDN or reverse proxy Apache sees the proxy's address, not the visitor's. The rule only protects the form login: xmlrpc.php accepts the same credentials and is not affected by it.

# Allow access to wp-login.php only from our IP (127.0.0.1 is a placeholder)
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
</Files>

Note the order. With Order Allow,Deny the Deny directives win whenever they match, so Deny from all would block the listed address as well and nobody could log in. Order Deny,Allow evaluates the Deny lines first and lets a matching Allow override them, which is what we want here. On Apache 2.4 the native equivalent is a single Require ip line followed by the address.

In addition to these rules, we could add others like the ones below, which block direct requests for files with a .php extension inside the plugins and themes folders of our installation. A few plugins legitimately expect direct requests to their own PHP files and break when this is in place, so the rules carry two conditions per folder where such a file or directory can be excluded; the paths shown are placeholders.

# Deny direct access to php files inside the themes and plugins folders.
# The RewriteCond lines are placeholders for a file or directory that must stay reachable.
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]


Let's see how it works in this case. Suppose we have the Twenty Twelve theme installed and add the above directives to our .htaccess file. If someone requests one of the PHP files in the theme directory directly, for example https://your-domain.com/wp-content/themes/twentytwelve/header.php, the server answers with a 404 error, as if the file did not exist. The theme itself keeps working, because WordPress loads header.php from within index.php rather than through a separate HTTP request; only direct requests are affected.

The R=404 flag is what selects the status code. By changing it we can make the server answer differently: R=403 returns a Forbidden error, which admits that the file exists but refuses to serve it (a 401 means Unauthorized, that is, authentication is required, so it is the wrong code for this purpose). A 404 also leaks less, since a 403 confirms to whoever is probing that a given plugin or theme is installed. The same block answering 403 instead of 404 looks like this:

# Deny direct access to php files inside the themes and plugins folders, answering 403.
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=403,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=403,L]
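The rules discussed above, gathered into one block as an added example (it is not code from the original tutorial), written so that it works on Apache 2.2 and 2.4 alike: the 2.4 Require syntax is chosen when mod_authz_core is present, which is the module that only exists in 2.4, and the legacy Order/Allow/Deny syntax otherwise. It also switches off directory listings, which the tutorial mentions but does not show. It assumes WordPress is installed at the document root, uses 203.0.113.10 as a placeholder for the administrator's public IP, and keeps the placeholder exclusion paths; the directory's AllowOverride must include Limit, AuthConfig, FileInfo and Options, otherwise Apache ignores the rules or, in the case of Options, answers every request with a 500 error. Place it after the # END WordPress marker.

```apache
# Added example: hardening block for a WordPress root .htaccess.
# Placeholders: 203.0.113.10 (administrator IP), the file/to/exclude paths.

# 1. Never serve wp-config.php over HTTP, whatever the state of the PHP handler.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

# 2. Login form reachable only from the administrator's address.
#    Legacy syntax must be Order Deny,Allow so that the Allow line wins.
<Files wp-login.php>
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
    </IfModule>
</Files>

# 3. No automatic directory listings below this directory
#    (requires AllowOverride Options, or Apache returns 500).
Options -Indexes

# 4. Direct requests for PHP files under plugins/ and themes/ get a 404.
#    NC makes the match case-insensitive; the RewriteCond lines exclude
#    placeholder paths that a plugin may legitimately need to serve directly.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php$
    RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
    RewriteRule ^wp-content/plugins/.*\.php$ - [R=404,L,NC]
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php$
    RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
    RewriteRule ^wp-content/themes/.*\.php$ - [R=404,L,NC]
</IfModule>
```

After saving, request wp-config.php, wp-login.php from an address that is not listed, and a theme file such as header.php, and confirm you get 403, 403 and 404 respectively; then log in from the listed address to confirm you have not locked yourself out.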

You see, there are several possibilities. These are just some of the modifications that you can put into practice to shield your WordPress and achieve a more secure website.
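Since each rule has a precise observable effect, it is worth checking them after every change rather than trusting the file. The following script is an added example (not part of the original tutorial): it requests each protected path and compares the HTTP status with what the corresponding rule should produce, flagging anything that does not match. It assumes the site base URL is passed on the command line, that it runs from an address that is not in the wp-login.php allow list, and uses twentytwelve and example-plugin/example.php as placeholders for a theme and plugin file that exist on the target site.

```python
"""Added example, not code from the original tutorial: verify the effect of
the .htaccess rules by requesting each protected path.

Assumptions (placeholders): the base URL is given on the command line; the
checker runs from an IP that is NOT in the wp-login.php allow list; the
twentytwelve theme and example-plugin/example.php exist on the target.
"""

import sys
import urllib.error
import urllib.request

# (path, acceptable statuses, the rule being verified)
STATUS_CHECKS = [
    ("/wp-config.php", {403}, "wp-config.php must be denied outright"),
    ("/wp-login.php", {403}, "wp-login.php must be denied from an unlisted IP"),
    ("/wp-content/themes/twentytwelve/header.php", {404},
     "direct requests for theme PHP files must return 404"),
    ("/wp-content/plugins/example-plugin/example.php", {404},
     "direct requests for plugin PHP files must return 404"),
]

# Directories that must not produce an autoindex listing.
LISTING_CHECKS = ["/wp-content/uploads/", "/wp-includes/"]


def http_get(url, timeout=10):
    """GET url and return (status, first 4 KiB of the body).

    Apache answers the blocked requests with 403/404, which urllib raises as
    HTTPError; those are exactly the responses we want, so they are returned.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "htaccess-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def audit(base_url, get=http_get):
    """Run every check against base_url and return a list of failure messages.

    `get` is injectable so the logic can be exercised without a live server.
    """
    base = base_url.rstrip("/")
    failures = []
    for path, allowed, why in STATUS_CHECKS:
        status, _ = get(base + path)
        if status not in allowed:
            failures.append(f"{path}: got {status}, expected {sorted(allowed)} ({why})")
    for path in LISTING_CHECKS:
        status, body = get(base + path)
        # mod_autoindex pages carry an "Index of /..." title. A 403 (Options
        # -Indexes) or an empty 200 (an index.php placeholder) is acceptable.
        if status == 200 and "Index of" in body:
            failures.append(f"{path}: directory listing is enabled")
    return failures


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "https://your-domain.com"
    problems = audit(target)
    for line in problems:
        print("FAIL", line)
    print("all checks passed" if not problems else f"{len(problems)} problem(s)")
    sys.exit(1 if problems else 0)
```

Run it once from outside the allowed IP range after each edit of .htaccess; a clean run means every rule is doing what the tutorial says it does, and a failure names the rule to revisit.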

Summary and conclusion

An .htaccess file is a special configuration file that allows you to include various rules or directives to customize error pages, perform redirects or define access restrictions that help us improve security in WordPress.

Through small code fragments in our .htaccess we can, among other things, block access to certain directories or files, filter by IP, disable directory listing or prevent direct access to certain PHP files, as we have seen throughout this tutorial.

And you already know: if you want to improve the security of your website, take a look at what we have available, where we cover not only how to modify .htaccess but also other techniques, as well as various plugins. If you subscribe you will have immediate access to security and many other topics 🙂
