
Step up WordPress Security with These .htaccess Tips

by: Hostwinds Team  /  March 24, 2017

There's a single file that controls much of how your WordPress site functions and how secure it is: your .htaccess file. Understanding the directives available and how to use them lets you do everything from increasing WordPress security and setting up basic redirects to restricting files or password-protecting specific content. This guide shows you the possibilities, with .htaccess tips and tricks to get you started.


Note: Always keep backups up to date.

What is .htaccess?

.htaccess stands for hypertext access. For WordPress sites, it's created automatically when you change your permalink settings. It's typically hidden, though, meaning you won't see it by default when viewing your site's files. You can change this in your cPanel's File Manager.

Just click the Settings button in the top right corner, and in the box that comes up, put a checkmark for Show Hidden Files (dotfiles), then save.

How do I create a .htaccess file?

In some cases, you may not even have a .htaccess file yet. If that's the case, use Notepad or your favorite text editor to create one. Make a new file and name it htaccess.txt.

Assuming your site is running on WordPress (a standard installation, not Multisite or anything), it's best to add something in this file right now. Put the following in the file and save it:

# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Now upload this file to your site's root directory and then rename it to .htaccess. (Sometimes you can give it that name from the start, but often your editor or server won't let you create a file whose name begins with a dot, so this is a workaround.)

Next, you'll want to make sure the file has the correct permissions. Set the permissions on this .htaccess file to 644. In File Manager, you'd right-click it to do this and get started with these .htaccess tips.

Word of warning about editing .htaccess files

Before you go any further, you should know that one tiny mistake in this file can have drastic consequences. It could even completely break your site, and we're talking about something as small as one syntax error. Please don't let this stop you from learning how to tweak this file, though. Just make sure you have backups ready to roll should anything go wrong (both your site and your current .htaccess file). Simple as that.

Now we can start tweaking this file to add functionality and security to your WordPress site. Anything you add should go before or after the block we added above, never inside it, since WordPress rewrites the section between # BEGIN WordPress and # END WordPress whenever you save your permalinks.

Note: The number sign # at the beginning of a line marks a comment. Anything on that line isn't treated as a directive; comments serve only as reminders to keep everything organized and clean.

Note: Do one change at a time and refresh your site between each change to make sure nothing breaks. This way, if something goes wrong, you know exactly which line of code needs to be fixed.
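A small pre-upload check for the kind of slip the warning above is about. This is an added example, not code from the original post or from Hostwinds: it scans an .htaccess text (a constructed sample here) for unclosed <FilesMatch>/<IfModule> sections, non-ASCII characters such as an en dash pasted in place of '-', Rewrite directives with no RewriteEngine On, and the author=\d digit pattern losing its backslash when copied from a web page.

```python
import re

# Constructed sample .htaccess text reproducing slips that creep in when snippets are
# pasted from a web page (assumption: these four checks cover the common ones).
SAMPLE_HTACCESS = """\
<FilesMatch "^.*(error_log|wp-config\\.php|php\\.ini)$">
Order deny,allow
Deny from all
RewriteRule ^wp-admin/includes/ \u2013 [F,L]
RewriteCond %{QUERY_STRING} author=d
RewriteRule ^ /? [L,R=301]
"""

def lint_htaccess(text):
    """Return a list of (line_number, message) for problems found in .htaccess text;
    line 0 is used for file-level problems."""
    problems = []
    open_tags = []                      # stack of (name, line) for <IfModule>, <FilesMatch>, ...
    saw_rewrite = engine_on = False
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(ord(ch) > 127 for ch in line):
            problems.append((no, "non-ASCII character (en dash pasted instead of '-'?)"))
        tag = re.match(r"<(/?)(\w+)", line)
        if tag:
            closing, name = tag.groups()
            if not closing:
                open_tags.append((name, no))
            elif open_tags and open_tags[-1][0].lower() == name.lower():
                open_tags.pop()
            else:
                problems.append((no, f"</{name}> has no matching opening tag"))
            continue
        if re.match(r"RewriteEngine\s+On\b", line, re.I):
            engine_on = True
        if line.startswith("Rewrite"):
            saw_rewrite = True
        if "author=d" in line:
            problems.append((no, "author=d matches only the letter d; use author=\\d for a digit"))
    for name, no in open_tags:
        problems.append((no, f"<{name}> is never closed"))
    if saw_rewrite and not engine_on:
        problems.append((0, "Rewrite directives present but no 'RewriteEngine On'"))
    return problems

if __name__ == "__main__":
    for no, msg in lint_htaccess(SAMPLE_HTACCESS):
        print(f"line {no}: {msg}")
```

Run it against your own file with `lint_htaccess(open(".htaccess").read())` before uploading; an empty list means none of these four slips is present, not that the file is otherwise valid.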

How to open and use these .htaccess Tips

To get started, go to cPanel > File Manager > public_html.

If you have multiple sites, then you'll also need to double-click the folder for the site you want to work with.

Find the .htaccess file, right-click it, and click Edit.

Note: You may get a pop-up box about encoding; just ignore it and click the Edit button.

Protect your .htaccess file from hacks

The first thing you should do is protect your .htaccess file and while we're at it, add protection for wp-config.php, php.ini (or php5.ini) and error logs. Simply add this code to the .htaccess file:

<FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
Order deny,allow
Deny from all
</FilesMatch>

Note: Check to see if you have php.ini or php5.ini and use the appropriate file name in the code above.

Disable folder browsing

Now let's disable folder browsing. Anyone can type your domain and a directory into the address bar and see everything in there. With WordPress, that's easy to do since all WordPress sites have the same default structure. It's like hiding your favorite candy from the kids, then putting a sign on the fridge that tells them where it's at. So let's stop any potential hacker from being able to access a straightforward layout of everything on your site:

# disable directory browsing
Options All -Indexes

Block Username Enumeration

Username enumeration is when a hacker discovers the usernames of the authors on your site. This might not sound like a big deal, but blocking it is one of the under-used .htaccess tips for security. If they know the username associated with an account, that's one less obstacle standing between them and a successful login. It's easy for them to do this, too.

All they have to do is put /?author=1 at the end of your domain in the address bar. Then they're taken to the author page for that user, which shows that author's username.

Don't allow this by adding the following code:

# wp-admin is excluded because its post list filters by ?author=
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]


Prevent access to important files in the wp-includes directory

Your wp-includes directory can often become a target, since it holds very important files needed to run any WordPress site. Let's prevent would-be hackers from accessing it with the following code:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# For any request outside wp-includes/, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Restrict access to important PHP files

You can add the following code to prevent direct access to the PHP files in your themes and plugins, making it harder for would-be hackers to add malicious code to them:

# Replace the two "exclude" paths with any plugin file or directory that must stay directly reachable
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
# Same for themes
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

Prevent script injections

Next, let's stop them from being able to insert script injections, which are normally attempted through the _REQUEST and GLOBALS variables in the query string, by adding the following code:

Options +FollowSymLinks
RewriteEngine On
# QUERY_STRING is matched before URL-decoding, hence the %3C / %3E alternatives
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
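To see what the username-enumeration rule and the script-injection rules above actually match before you deploy them, here is an added example (not code from the original post or from Hostwinds) that replays their QUERY_STRING patterns over constructed access-log request lines. It assumes the enumeration rule is tested first, as it is when it appears earlier in the file.

```python
import re

# The post's RewriteCond patterns as Python regexes (Apache uses PCRE, so they carry over
# unchanged). Apache tests QUERY_STRING before URL-decoding, which is why the rules also
# list the %3C / %3E encodings of < and >.
ENUM_PATTERN = re.compile(r"author=\d")
INJECTION_PATTERNS = [
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.I),   # [NC] in the post
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),
]

# Constructed access-log style request lines (assumption: nothing here comes from a real site).
SAMPLE_LOG = """\
"GET /?author=1 HTTP/1.1" 200
"GET /?author=david HTTP/1.1" 200
"GET /?s=hello HTTP/1.1" 200
"GET /?s=how+to+use+%3Cscript%3E+tags HTTP/1.1" 200
"GET /index.php?GLOBALS[foo]=bar HTTP/1.1" 200
"GET /index.php?_REQUEST%5bx%5d=1 HTTP/1.1" 200
"""

def query_string(request_line):
    """Return the raw query string from a quoted request line, '' if there is none."""
    target = request_line.split('"')[1].split(" ")[1]
    return target.partition("?")[2]

def classify(qs):
    """Mirror the post's two rule sets: 'redirect' for author enumeration (R=301 to /),
    'forbidden' for the script/GLOBALS/_REQUEST conditions (F), otherwise 'pass'."""
    if ENUM_PATTERN.search(qs):
        return "redirect"
    if any(p.search(qs) for p in INJECTION_PATTERNS):
        return "forbidden"
    return "pass"

def audit(log_text):
    """Pair each query string in the log with the outcome the rules would give it."""
    return [(query_string(line), classify(query_string(line)))
            for line in log_text.splitlines() if line.strip()]

if __name__ == "__main__":
    for qs, outcome in audit(SAMPLE_LOG):
        print(f"{outcome:9} {qs}")
```

Note that author=david passes (\d matches only a digit) while the legitimate search for "<script>" is refused: the injection rule is a blunt filter, so check your own search traffic for false positives after adding it.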

By adding all of these to your .htaccess file, you're putting up many obstacles hackers will have to overcome to mess with your site. But tweaking your site with these .htaccess tips is just one of many ways to increase your WordPress site security. There are tweaks you can make to your wp-config file, or you can add security plugins. If you want to keep going, here are 20 things you can do to increase WordPress security.

What do you do to protect your WordPress sites? Are there any other .htaccess tips you have that aren't listed here?

And of course, if you've found this helpful, please share!
