.htaccess codes to secure your WordPress site
14/11/2012 | 5 Comments
As WordPress is now so popular, many people know the structure of a WordPress install and know where to look to discover which plug-ins you use, or any other files that might give away too much information about your site.
Why should you use the .htaccess file to secure your WordPress site? The answer is very simple – .htaccess files are processed first, before any other code on your website. In other words, if you can stop hackers injecting malicious scripts before those scripts even have a chance to reach the PHP code in WordPress, you’re doing a good job.
Ehr, .. the .htaccess File? WTF?
The .htaccess file is a per-directory configuration file for web servers running the Apache Web Server software. When a .htaccess file is placed in a directory that Apache serves, Apache detects it and applies its directives to that directory (and its subdirectories).
But before I begin, as always, a word of warning ..
Note: it might be a good idea to make a backup of your .htaccess first. If the shit hits the fan, you can always replace the ‘new’ .htaccess with the original one. A broken .htaccess can lock you out of your domain (including web-based tools like cPanel), so make sure that you know what you are doing.
First protect the .htaccess file!
The first thing you want to do, before spending time protecting your site, is to lock down the .htaccess file itself! The following hack prevents external access to any file whose name starts with “.hta”:
# Apache 2.2 access-control syntax (also used in the snippets below);
# Apache 2.4 without mod_access_compat needs "Require all denied" instead
<Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
</Files>
Better still, you can rename the .htaccess to any other name you like:
# rename htaccess files
# (AccessFileName is only valid in httpd.conf or a <VirtualHost>, not inside .htaccess itself)
AccessFileName ht.access
In the last example the file “.htaccess” has been renamed to “ht.access”.
Protect wp-config.php
The wp-config.php file in your WordPress installation contains some really important secrets, such as the database name, database username and password, so you don’t want this file to fall into the wrong hands. In your .htaccess add the following to prevent any access to the wp-config.php file:
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>
No directory browsing
Typically a server is set up to prevent directory listing, but sometimes it is not. If your server is not, you will have to become self-sufficient and fix the problem with .htaccess:
Put a minus sign in front of ‘Indexes’ to prevent directory listing entirely. This is the default on most servers and is usually configured elsewhere in Apache, but it can be overridden through .htaccess.
# directory browsing
# (mixing a bare "All" with "-Indexes" is rejected by Apache's syntax check, so only the signed option is given)
Options -Indexes
If your server is set up to prevent directory listing and you want your directories to be listed, simply put this into the .htaccess file (a plus sign instead of the minus sign):
# directory browsing
Options +Indexes
What if you wanted the directory contents to be listed, but only the HTML pages and not the images?
# directory browsing
IndexIgnore *.gif *.jpg
This would return a list of all the files except those specified in the above example.
Blocking IP Addresses
If you know of an IP address that is causing problems for your site, you can block it with the code below:
# <Limit GET> restricts only GET (and HEAD) requests; drop the <Limit> wrapper to deny every method
<Limit GET>
    order allow,deny
    deny from xxx.xxx.xxx.
    deny from yyy.yyy.yyy.yyy
    allow from all
</Limit>
This is an example of a .htaccess file that blocks access to your site for anyone coming from an IP address beginning with xxx.xxx.xxx and from the specific IP address yyy.yyy.yyy.yyy.
By specifying only part of an IP address and ending the partial address with a period, every address in that block is blocked.

Admin access from your IP only
In the same way you can limit who can access your admin folder by IP address. The following snippet denies access to the admin folder for everyone except your own IP address. Please note: if you have a dynamic IP, you might have to alter this file regularly, otherwise you will be denied access yourself!
# place this in wp-admin/.htaccess
# note: wp-admin/admin-ajax.php is also called from the public side of the site,
# so features that depend on it will stop working for other visitors
order deny,allow
allow from yyy.yyy.yyy.yyy
deny from all
Of course you’ll need to replace yyy.yyy.yyy.yyy with your IP address.
Disable the server signature
Server signatures (the footer Apache adds to error pages) reveal information about the installed software and can be read, and exploited, by worms and hackers. This snippet hides that information.
# BEGIN Disable the server signature
ServerSignature Off
# END Disable the server signature
Disable Hotlinking of images with a custom warning image
Do you hate it when someone uses your bandwidth by hijacking your image URLs for their own site? Then this is the solution for you. Add this to your .htaccess file, create a warning image/message ‘get-your-own.jpg’ and upload it to the first level of your site’s root folder.
# BEGIN Disable hotlinking of images with warning message
RewriteEngine on
# referer is set ...
RewriteCond %{HTTP_REFERER} !^$
# ... and is not our own site
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/ [NC]
# never rewrite the warning image itself, or the redirect loops forever
RewriteCond %{REQUEST_URI} !/get-your-own\.jpg$
# alternative: answer 403 Forbidden instead of serving the warning image
#RewriteRule \.(gif|jpg)$ - [NC,F]
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/get-your-own.jpg [NC,R,L]
# END Disable hotlinking of images with warning message
Note: yourdomain.com must be replaced with your blog’s URL (without www). Also, http://yourdomain.com/get-your-own.jpg is the URL of the image you want to display on the website which is hotlinking to your images.
Stop SPAM comments
Like hotlinkers, spammers are notorious for using up your site’s resources. There are a number of ways to identify a potential spammer; one of them is to detect comment requests with no referrer (spammers use bots to post comments on blogs).
# BEGIN Protect from spam comments
RewriteEngine On
# a POST to the comment handler ...
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
# ... whose referer is not our own site (an empty referer also matches) ...
RewriteCond %{HTTP_REFERER} !yourdomain\.com [NC,OR]
# ... or that sends no user agent at all
RewriteCond %{HTTP_USER_AGENT} ^$
# bounce the request back to the sender's own address
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
# END Protect from spam comments
Don’t forget to replace yourdomain.com with your blog’s URL (without www).
Protect your WordPress blog from script injection
Adding the following code rejects requests whose query string carries a script tag or tries to set PHP’s GLOBALS or _REQUEST variables, which are common forms of script injection.
Options +FollowSymLinks
RewriteEngine On
# query string carries a <script ...> tag, literal or URL-encoded
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# query string tries to set PHP's GLOBALS array
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
# query string tries to set PHP's _REQUEST array
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# answer 403 Forbidden; the substitution is ignored with [F], so "-" is used
RewriteRule ^(.*)$ - [F,L]
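The three mod_rewrite rule sets in this post (hotlink protection, spam-comment blocking and the query-string filter) all decide on fields that also appear in Apache’s combined access log: method, URI, query string, referer and user agent. The following Python script is an added example, not code from the original post; it replays those conditions over log lines so you can see what each rule would have blocked (and whether legitimate traffic would be caught) before switching it on. The log lines are constructed, and yourdomain.com stands in for your own hostname.

```python
"""Replay the post's three mod_rewrite rule sets against Apache access-log
lines to preview what they would block.  Added example: the sample log lines
are constructed, and OWN_HOST is an assumption standing in for the blog's
real hostname."""
import re
import sys
from urllib.parse import urlsplit

OWN_HOST = "yourdomain.com"   # assumption: the blog's own hostname, without www

# Combined log format: ip - - [time] "METHOD URI PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def referer_is_foreign(referer):
    """Hotlink test: referer is present and its host is not our own site.
    (The post's rule is anchored on http://(www.)?yourdomain.com/, so an
    https:// referer from your own site would count as foreign there.)"""
    if referer in ("", "-"):          # "-" is how Apache logs an empty referer
        return False
    host = urlsplit(referer).hostname or ""
    return host not in (OWN_HOST, "www." + OWN_HOST)


def hotlink_rule(req):
    """Image request (.gif/.jpg) coming from a page on another site."""
    path = req["uri"].split("?", 1)[0]
    return bool(re.search(r"\.(gif|jpg)$", path, re.I)) and referer_is_foreign(req["referer"])


def spam_rule(req):
    """POST to wp-comments-post.php with a non-site referer OR an empty user agent."""
    if req["method"] != "POST" or "wp-comments-post.php" not in req["uri"]:
        return False
    # Substring match, exactly as the post's regex .*yourdomain.com.* does;
    # note that http://evil.example/yourdomain.com would pass this test.
    foreign_referer = OWN_HOST not in req["referer"]
    return foreign_referer or req["ua"] in ("", "-")


INJECTION_PATTERNS = [
    re.compile(r"(<|%3C).*script.*(>|%3E)", re.I),   # <script ...> literal or encoded
    re.compile(r"GLOBALS(=|\[|%[0-9A-Z]{0,2})"),     # GLOBALS=, GLOBALS[, GLOBALS%5B
    re.compile(r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"),    # _REQUEST=, _REQUEST[, ...
]


def injection_rule(req):
    """Query string matches one of the post's three injection patterns."""
    parts = req["uri"].split("?", 1)
    return len(parts) == 2 and any(p.search(parts[1]) for p in INJECTION_PATTERNS)


RULES = {"hotlink": hotlink_rule, "spam": spam_rule, "injection": injection_rule}


def audit(lines):
    """Return {rule_name: ["ip METHOD uri", ...]} for every request a rule would reject."""
    hits = {name: [] for name in RULES}
    for line in lines:
        req = parse(line.rstrip("\n"))
        if req is None:
            continue
        for name, rule in RULES.items():
            if rule(req):
                hits[name].append(f'{req["ip"]} {req["method"]} {req["uri"]}')
    return hits


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [14/Nov/2012:10:00:01 +0100] "GET /wp-content/uploads/logo.jpg HTTP/1.1" 200 5120 "http://www.yourdomain.com/about/" "Mozilla/5.0"',
    '203.0.113.8 - - [14/Nov/2012:10:00:02 +0100] "GET /wp-content/uploads/logo.jpg HTTP/1.1" 200 5120 "http://forum.example.net/thread/12" "Mozilla/5.0"',
    '203.0.113.9 - - [14/Nov/2012:10:00:03 +0100] "GET /wp-content/uploads/logo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Nov/2012:10:00:04 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://yourdomain.com/2012/11/post/" "Mozilla/5.0"',
    '198.51.100.5 - - [14/Nov/2012:10:00:05 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "-"',
    '198.51.100.6 - - [14/Nov/2012:10:00:06 +0100] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://yourdomain.com/2012/11/post/" "-"',
    '192.0.2.10 - - [14/Nov/2012:10:00:07 +0100] "GET /?s=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.11 - - [14/Nov/2012:10:00:08 +0100] "GET /index.php?GLOBALS[x]=1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [14/Nov/2012:10:00:09 +0100] "GET /?s=wordpress+security HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Usage: python3 htaccess_audit.py [/path/to/access.log]; without a file the samples are used.
    lines = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG
    for name, reqs in audit(lines).items():
        print(f"{name}: {len(reqs)} request(s) would be blocked")
        for r in reqs:
            print("   ", r)
```

Running it on the samples reports one hotlinked image (the request referred from forum.example.net; the direct request with no referer is allowed, as in the post's rule), two comment POSTs (empty referer, and empty user agent) and two injection attempts, while the ordinary search query passes. Point it at your real access log before enabling a rule and check the "would be blocked" list for anything that is legitimate traffic.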
This list of snippets is by no means exhaustive; there are a number of other things you can do to protect your site via .htaccess. If you think I forgot an important .htaccess snippet, I hope you’ll let us know in the comments.


Gonna try some of these out. I guess there is no such thing as ‘too secure’ on the www.
I do wonder, however, with WP’s constant efforts to secure the system and keep up with the ‘bad guys’, are these kinds of hacks still as relevant as they used to be?
Hi Caparico,
.. thanks for your comment! A lot of these snippets are meant to secure your WP site if your host doesn’t have built-in security in an Apache environment (most hosts have this). The problem is that hackers are always smarter than the WP developers, so using these makes your site extra safe! Have a great weekend, cheers & ciao!