WordPress is a popular, free content management system used by thousands of people around the world to create websites. This article includes useful security tips that show you how to secure your WordPress website using the .htaccess file, which Apache web servers read to control how your website works.
You can also use plugins to secure and protect your website. For this article, we will be focusing on using the .htaccess file to help you protect your website from hackers.
What Is A .htaccess File
A .htaccess file is normally located in the public_html directory of a website and is read by Apache web servers, which run the majority of websites. The .htaccess file basically allows you to make changes to your website's configuration without having to edit the server configuration files.
What Can The .htaccess File Be Used For
The .htaccess file can be used to do a number of different things, including:
- Enhance the security of your website to protect it from hackers using .htaccess rules
- Improve the speed of your website
- Load custom error pages, like 404 pages
- Force your site to use HTTPS instead of HTTP
- Prevent hotlinking
Where Can I Find The .htaccess File
The .htaccess file is located in the root directory of your WordPress site. Depending on your hosting provider, the root directory will be labeled public_html, www, htdocs, or httpdocs.
You can locate it by using File Manager in your hosting account's cPanel.
To Access The .htaccess File Complete The Following Steps
- Log into your hosting control panel (cPanel)
- Open the file manager
- In the navigation menu on the left-hand side of your screen, click on the public_html folder.
- Look for the .htaccess file, which should be located in the public_html directory. If you cannot see it, the file may be hidden.
- If the file is hidden, select the Settings option in the file manager
- A window labeled Preferences should now be displayed
- Select the box labeled Show Hidden Files
- You should now see the .htaccess file, which you can edit via the file manager.
How Do I Create A .htaccess File
Depending on your WordPress installation, you may not have a .htaccess file, so before you edit it or add security rules to it you may need to create a new .htaccess file. The quickest way to create a .htaccess file is via your cPanel hosting file manager.
- Log into your hosting control panel (cPanel)
- Open the file manager
- In the navigation menu on the left-hand side of your screen, click on the public_html folder.
- Select the +File button
- Create a file called .htaccess
- Add the default WordPress code noted below to the file you have created
Default WordPress .htaccess File
If you have already installed WordPress and enabled permalinks, your .htaccess file will contain the default rules shown below, as documented at https://wordpress.org/documentation/article/htaccess/

```apache
# BEGIN WordPress
RewriteEngine On
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
```
Useful .htaccess Security Rules
The following .htaccess security rules will go below the default WordPress rules noted above.
Before making any changes to the file, we recommend you make a backup of the .htaccess file first, as you can easily take your website offline by adding the wrong rules to it.
Prevent Directory Browsing
Because WordPress has a set file structure, it is possible for visitors to see a list of your website's directories in a browser: anyone visiting your website can view all the files under the wp-content/uploads/ directory. The following rule disables directory listing:

```apache
Options All -Indexes
```
Restrict Access to PHP Files
You can block direct access to your plugins' and themes' PHP files from unauthorized users, which is very important from a security point of view. The RewriteCond lines are exclusions: replace the example paths with any plugin or theme file or directory that legitimately needs to be requested directly, or remove them if you have none.

```apache
# Plugins: return 404 for direct requests to PHP files, except the excluded paths
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
# Themes: same treatment
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
```
Restrict All Access to wp-includes
The wp-includes folder contains only the files that are strictly necessary to run the core version of WordPress, one without any plugins or themes. Remember, the default theme still resides in the wp-content/themes directory. Thus, no visitor (including you) should require access to the content of the wp-includes folder. You can disable access using the following code:

```apache
# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```
Restrict PHP File Execution
The following code will stop PHP files being executed under /wp-content/uploads/, which is a common directory where hackers try to upload and run PHP files. You will need to create a separate .htaccess file and upload it to the /wp-content/uploads/ directory to deny access to PHP files there:

```apache
<Files *.php>
deny from all
</Files>
```
Deny Access To The wp-config.php file
wp-config.php is one of the most important files, as it contains the database name, access credentials, and other crucial data. To secure the wp-config.php file, add the following code to the .htaccess file. This denies all web access to wp-config.php:

```apache
<files wp-config.php>
order allow,deny
deny from all
</files>
```
Deny Access To The xmlrpc.php file
By default, the XML-RPC file is installed on every WordPress site. This file enables your website to utilize third-party plugins, which outside users often take advantage of to infiltrate your site. If you’re not using any third-party apps, you should disable this feature.
```apache
<files xmlrpc.php>
order allow,deny
deny from all
</files>
```
Protect The .htaccess File
To protect the .htaccess file itself, add the following code to your file. The pattern matches any file whose extension begins with .hta, in any letter case:

```apache
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
```
Disable Author Scanning in WordPress
Author scanning is a common technique used in brute force attacks. Hackers scan your website and try to get the author ID. Next, they crack the password by trying different password combinations and then gain access to your WordPress administration.
The easiest way to block author scanning in WordPress is through the .htaccess file. The rule below returns 403 Forbidden for any request whose query string contains author=<number>:

```apache
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
```
Protect Your WordPress Admin Area
You can protect your WordPress admin area by using .htaccess to limit IP access to wp-admin. The wp-admin directory contains all the files required to run the WordPress dashboard.
It includes administrative functions, such as installing themes, using plugins or writing posts, etc. Allowing only selected IP addresses access to the wp-admin directory helps protect your WordPress site from hackers.
You need to create a .htaccess file and upload it to the /wp-admin/ directory of your website. Change the IP address to the IP address of the computer you are accessing the website from. To allow another IP address, just add another "allow from" line with that address on the next line.

```apache
order deny,allow
allow from 123.8.83.41
deny from all
```
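Once the rules above are in place, the Apache access log is the easiest way to confirm they work: requests for the protected paths (author=N query strings, xmlrpc.php, PHP files under wp-content/uploads/, wp-config.php, wp-includes/*.php) should be logged with status 403 or 404, and a 200 means the rule for that path is missing or not being applied. The following Python script is an added example for this article, not code from the original post or from WordPress; the log lines are constructed for the demo and the status codes assumed are the 403/404 the rules above produce.

```python
import re
from collections import Counter

# Constructed Apache "combined" access-log lines for the demo (not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 403 199 "-" "curl/8.0"
203.0.113.7 - - [10/May/2024:10:01:03 +0000] "GET /?author=2 HTTP/1.1" 403 199 "-" "curl/8.0"
198.51.100.9 - - [10/May/2024:10:02:10 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.9 - - [10/May/2024:10:02:11 +0000] "GET /wp-content/uploads/2024/05/upload.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [10/May/2024:10:03:00 +0000] "GET /wp-config.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [10/May/2024:10:03:01 +0000] "GET /wp-includes/load.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
10.0.0.5 - - [10/May/2024:10:04:00 +0000] "GET /wp-content/uploads/2024/05/photo.jpg HTTP/1.1" 200 88211 "-" "Mozilla/5.0"
"""
# Source IP, method, request path (including the query string) and status code of a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# One pattern per .htaccess rule in this article; each matches the request path that rule is meant to block.
PROTECTED = [
    ("author-scan", re.compile(r"[?&]author=\d+", re.I)),               # RewriteCond (author=\d+) [NC]
    ("xmlrpc", re.compile(r"^/xmlrpc\.php(\?|$)")),                     # <files xmlrpc.php>
    ("uploads-php", re.compile(r"^/wp-content/uploads/.*\.php(\?|$)")), # <Files *.php> in uploads/
    ("wp-config", re.compile(r"^/wp-config\.php(\?|$)")),               # <files wp-config.php>
    ("wp-includes", re.compile(r"^/wp-includes/[^/]+\.php(\?|$)")),     # wp-includes RewriteRule [F]
]

def classify(line):
    """Return (rule_name, ip, status) if the request hits a protected path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for name, pattern in PROTECTED:
        if pattern.search(m["path"]):
            return name, m["ip"], int(m["status"])
    return None

def audit(log_text):
    """Count probes per source IP and collect hits the rules did NOT block (status other than 403/404)."""
    probes, unblocked = Counter(), []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        name, ip, status = hit
        probes[ip] += 1
        if status not in (403, 404):
            unblocked.append((name, ip, status))
    return probes, unblocked

if __name__ == "__main__":
    for name, ip, status in audit(SAMPLE_LOG)[1]:
        print(f"NOT BLOCKED: {name} from {ip} returned {status}; check the .htaccess for that path")
```

In the sample, the PHP request under wp-content/uploads/ returned 200, which is exactly what you would see if the separate .htaccess file for that directory had not been uploaded.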