
Useful .htaccess Tips and Tricks for WordPress

The .htaccess file is a configuration file that helps you to control files and folders in the current directory, and all other sub-directories. The filename .htaccess stands for hypertext access and is supported by most servers.

Many WordPress users only touch the .htaccess file when they customize their website’s permalink settings. However, you can do much more with it. The .htaccess file is a powerful configuration file that lets you improve your site’s security and performance. In this article, we will show you the 9 most powerful .htaccess tricks for WordPress that you can try on your site right away.

Before you make any changes, back up your current .htaccess file in a cloud storage service such as Dropbox, or connect to your website with an FTP client and simply download the .htaccess file to your computer. That way, if something goes wrong, you can upload the backup file again.

If you cannot see the .htaccess file, make sure your FTP client is set to show hidden files. If there is no .htaccess file in your website’s root folder, you have to create one: simply create a blank text file and save it as .htaccess. Make sure to name the file .htaccess and not htaccess. Lastly, upload the file to your website’s root folder.

1.     Secure Your WordPress Admin Area

Admin Area Password Protection

The wp-admin folder contains the files required to run the WordPress dashboard. In most cases, your visitors never need access to the WordPress dashboard, unless they have registered an account. A strong security measure is to allow only a few selected IP addresses to reach the wp-admin folder. You can use .htaccess to secure your WordPress admin area by limiting access to those IP addresses only. Simply copy and paste the following code into your .htaccess file:

# Limit logins and admin by IP
<Limit GET POST PUT>
order deny,allow
deny from all
allow from x.xx.xx.xx
allow from IP_ADDRESS_2
</Limit>

Replace x.xx.xx.xx with your own IP address. If you use more than one IP address to access the internet, make sure you add each of them on its own allow line. Note that this block applies to every request under the directory whose .htaccess contains it, so it belongs in the .htaccess file inside the wp-admin folder; in the site root it would lock every visitor out of the whole site. Also, Apache’s own documentation advises against placing access controls inside <Limit>, because the restriction then covers only the listed methods (GET also covers HEAD); dropping the <Limit> wrapper applies the same rule to every request method.

2.     Protect Your WordPress Configuration File (wp-config.php) from Everyone

Probably the most sensitive file in your WordPress website’s root directory is wp-config.php, which contains the database name, the credentials used to connect to it, and various other critical settings. And of course, you also want to block public access to the source of all these rules, the .htaccess file itself (see tip 7 below). To protect your wp-config.php file from unauthorized access, simply add this code to your .htaccess file:

# Deny access to wp-config.php file
<Files wp-config.php>
order allow,deny
deny from all
</Files>

3.     Deny Image Hotlinking in WordPress Using .htaccess

When someone embeds your site’s images on their own pages, they steal your bandwidth by hotlinking them from your server, and most of the time you are not even credited for it. Normally this is not a concern for most users, but if you run a popular site with a lot of images and photos, hotlinking can become a major issue. You can stop image hotlinking by adding the following code to your .htaccess file:

# Disable hotlinking of images in WordPress
RewriteEngine on
# Requests with no Referer header (direct visits, privacy-stripped browsers) are left alone
RewriteCond %{HTTP_REFERER} !^$
# Requests coming from your own domains are left alone (dots escaped so they match literally)
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?website\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?otherwebsite\.com [NC]
# Every other request for an image gets 403 Forbidden; the F flag needs no target URL
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Replace website.com and otherwebsite.com with the domains that are allowed to embed your images.
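To see which requests the rule chain above actually blocks, here is an added Python model of it (not code from the article); the domains and request paths are constructed, and the referer pattern is tightened with escaped dots and a host boundary so that website.com does not also match a longer host name such as website.com.evil.example.

```python
import re

# Constructed site names standing in for website.com / otherwebsite.com above.
OWN_SITES = ("website.com", "otherwebsite.com")

# Same shape as the RewriteCond patterns, with the dots escaped and a host
# boundary so the match cannot continue into a longer attacker-controlled host.
_OWN_REFERER = re.compile(
    r"^https?://(www\.)?(" + "|".join(re.escape(s) for s in OWN_SITES)
    + r")(?=[/:?#]|$)",
    re.IGNORECASE,
)
# The RewriteRule pattern: only image requests are affected.
_IMAGE = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)


def hotlink_blocked(path, referer):
    """True when the chain would answer 403 (the F flag) for this request."""
    # RewriteCond %{HTTP_REFERER} !^$  -- an empty Referer passes, so direct
    # visits and privacy-stripped browsers still receive the image.
    if referer == "":
        return False
    # RewriteCond ... !^http(s)?://(www\.)?website\.com  -- own sites pass.
    if _OWN_REFERER.match(referer):
        return False
    # RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]  -- any other request for
    # an image is refused; non-image requests are untouched.
    return bool(_IMAGE.search(path))


if __name__ == "__main__":
    samples = [
        ("/wp-content/uploads/a.jpg", ""),
        ("/wp-content/uploads/a.jpg", "https://www.website.com/post/"),
        ("/wp-content/uploads/a.jpg", "https://forum.example/t/1"),
        ("/wp-content/uploads/a.jpg", "https://website.com.evil.example/"),
        ("/about/", "https://forum.example/t/1"),
    ]
    for path, ref in samples:
        print(path, repr(ref), "blocked" if hotlink_blocked(path, ref) else "served")
```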

4.     Disable Directory Browsing in WordPress

Directory Browsing

By default, the Apache web server enables directory browsing. That means every file and folder inside the web server’s document root can be listed and accessed by a visitor. With directory browsing enabled, attackers can inspect your site’s directory and file structure to look for a vulnerable file.

To disable directory browsing in WordPress using .htaccess, all you need to do is add this single line to your .htaccess file:

# Disable directory browsing in WordPress
# (use only the -Indexes form: Apache rejects "Options All -Indexes", which mixes options with and without a +/- prefix)
Options -Indexes

5.     Allow Only Selected Files from wp-content

As you know, the wp-content folder contains all your themes, plugins and media uploads. You definitely don’t want people to access it without restrictions. In addition to denying directory browsing, you can also block access to all file types except a few. On that basis you can selectively unblock files such as JPG, DOCX, PDF, CSS and JS and deny the rest. To do this, paste the following code into the .htaccess file of your wp-content folder (in the site root it would also block index.php and take the site down):

# Disable access to all file types except the following
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|js|jpe?g|png|pdf|gif|docx|rtf|odf|zip|rar)$">
Allow from all
</Files>
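Sections 1, 2 and 5 all rely on Apache’s Order/Allow/Deny evaluation (Apache 2.2 syntax, served by mod_access_compat on 2.4), and the two orders are easy to confuse. The following added Python model (not the article’s code; IP addresses and file names are constructed) reproduces the documented evaluation rules and runs each section’s configuration against sample clients.

```python
import ipaddress
import re


def _matches(rules, client_ip):
    """True if client_ip is covered by any rule ('all', a single IP or a CIDR)."""
    ip = ipaddress.ip_address(client_ip)
    return any(r == "all" or ip in ipaddress.ip_network(r, strict=False)
               for r in rules)


def access_allowed(order, allow, deny, client_ip):
    """Apache 2.2 Order semantics for one client, as documented by Apache."""
    a, d = _matches(allow, client_ip), _matches(deny, client_ip)
    if order == "deny,allow":
        # Deny is evaluated first; a matching Allow overrides it; default allow.
        return a or not d
    if order == "allow,deny":
        # Allow must match; a matching Deny then wins; default deny.
        return a and not d
    raise ValueError("unknown Order: " + order)


# Constructed trusted addresses standing in for x.xx.xx.xx / IP_ADDRESS_2.
TRUSTED = ("203.0.113.7", "198.51.100.0/24")


def admin_allowed(client_ip, trusted=TRUSTED):
    """Section 1: order deny,allow / deny from all / allow from <trusted>."""
    return access_allowed("deny,allow", trusted, ["all"], client_ip)


def wp_config_allowed(client_ip):
    """Section 2: order allow,deny / deny from all -> nobody gets through."""
    return access_allowed("allow,deny", [], ["all"], client_ip)


# Section 5: the <Files ~ "..."> block re-opens only the matching file names.
_SAFE_FILE = re.compile(
    r"\.(xml|css|js|jpe?g|png|pdf|gif|docx|rtf|odf|zip|rar)$", re.IGNORECASE)


def wp_content_allowed(filename, client_ip):
    """Section 5: deny from all, with Allow from all only inside <Files>."""
    allow = ["all"] if _SAFE_FILE.search(filename) else []
    return access_allowed("deny,allow", allow, ["all"], client_ip)
```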

6.     Disable PHP Execution in Some WordPress Directories

Hacked WordPress sites often contain backdoor files. These backdoors are frequently disguised as core WordPress files and placed in the /wp-includes/ or /wp-content/uploads/ folders. A simple way to improve your WordPress security is to deny PHP execution in those directories. To do this, paste the following code into a blank .htaccess file in each of those directories:

# Deny PHP execution for all files in this directory
<Files *.php>
deny from all
</Files>
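As an added check (not from the article), the following Python script audits an uploads folder: it confirms that the no-execution rule is present in that folder’s .htaccess and lists any PHP files already sitting there, since the rule stops execution but does not remove files that were uploaded earlier. The directory tree is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Extensions that are commonly handled by PHP; the exact set depends on the server.
_PHP_FILE = re.compile(r"\.ph(p\d?|tml)$", re.IGNORECASE)
# The rule from the article, matched case-insensitively across lines.
_DENY_PHP = re.compile(r"<Files\s+\*\.php>.*?deny\s+from\s+all.*?</Files>",
                       re.IGNORECASE | re.DOTALL)


def audit_uploads(uploads_dir):
    """Return (rule_present, sorted list of PHP files under uploads_dir)."""
    htaccess = os.path.join(uploads_dir, ".htaccess")
    rule_present = False
    if os.path.isfile(htaccess):
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            rule_present = bool(_DENY_PHP.search(fh.read()))
    found = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if _PHP_FILE.search(name):
                rel = os.path.relpath(os.path.join(root, name), uploads_dir)
                found.append(rel.replace(os.sep, "/"))
    return rule_present, sorted(found)


def demo():
    """Audit a constructed uploads tree that holds one stray PHP file."""
    with tempfile.TemporaryDirectory() as tmp:
        month = os.path.join(tmp, "2024", "05")
        os.makedirs(month)
        for name in ("photo.jpg", "image.php"):
            with open(os.path.join(month, name), "w"):
                pass
        with open(os.path.join(tmp, ".htaccess"), "w") as fh:
            fh.write("<Files *.php>\ndeny from all\n</Files>\n")
        return audit_uploads(tmp)


if __name__ == "__main__":
    rule_ok, php_files = demo()
    print("no-execution rule present:", rule_ok)
    print("PHP files found:", php_files)
```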

7.     Protect .htaccess From Unauthorized Access

As you have seen, there are a lot of things that can be done with the .htaccess file. Because of the power and control it has over your web server, you also need to protect it from unauthorized access. To do this, paste the following code into your .htaccess file:

# Protect .htaccess From Unauthorized Access
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

You can still edit the file yourself via FTP or through the file manager of your hosting control panel.

Final Words:

Today we’ve learned some of the coolest .htaccess hacks to secure your WordPress site. We suggest you try each module one by one, backing up the .htaccess file before and after checking each module, because the .htaccess file is very sensitive: a missing ‘#’ character or a misplaced ‘</IfModule>’ could take your whole site down.

We hope this article helped you learn some of the most powerful .htaccess tricks for WordPress. As you can see, it is a versatile configuration file that can be used for a lot of things.

Emma is a WordPress developer by profession and a writer by hobby. She works for Wordsuccor Ltd, one of the best WordPress design and development services companies based in the USA. If you need a WordPress developer for hire, you can contact us on Google+, Facebook, and Twitter.
