Just like WordPress is highly SEO friendly out of the box, it is also highly secure. And in the same way that a little extra WordPress SEO’ing can go a long way, bumping up the web site’s security a bit is very beneficial. The All in One WP Security Plugin fills the WordPress security gap nicely. A big part of WordPress security involves the .htaccess file that resides in the root of the installation. This plugin helps keep that file safe and secure, plus it can add commands to the file to beef up security for the entire WordPress site.
htaccess Firewall Security
Site-wide firewall protection is added for the web site using the .htaccess file. Since the web server processes the .htaccess file before any other code on the site runs, it makes sense to put a wall of security up there. This can block many malicious requests before they ever reach the core WordPress, plugin, and theme files.
Firewall protection is applied in layers to be sure that it doesn’t tighten the reins so much that it breaks the normal functionality of the web site (in terms of the functionality of other plugins, etc). There are basic, intermediate, and advanced settings that can be activated, each of which applies the appropriate commands to the .htaccess file.
The plugin allows for simple backup and restore of the .htaccess file (and wp-config.php file) from within the WordPress dashboard.
Video Tutorial
Option 1) How to backup and restore the .htaccess file from the “Settings menu” of the All in One WP Security Plugin
It’s very simple to keep a safe copy of your .htaccess file from the WordPress dashboard with this plugin. First, of course, you need to get the plugin installed through the standard procedure, and I’ll go through those quick steps now. There are a few different ways; here’s one:
1. Download the security plugin to your computer from the WordPress plugin repository. You should now have a zip file called something similar to “all-in-one-wp-security-and-firewall.zip” on your computer.
2. Go to Plugins >> Add New, click Upload, locate the plugin and upload it, activate it, and head to the settings page.
Now, here are the steps to back up the .htaccess file the first time.
1. From the left side menu in the WordPress dashboard near the bottom of the screen, hover over the WP Security menu, and click on Settings if you aren’t already on that page.
On this page you have the options for backing up, restoring, and viewing the contents of the .htaccess file.
2. Click on the .htaccess File tab at the top of the screen.
3. Click the Backup .htaccess File button near the top of the page. A file called htaccess_backup.txt will be saved to the root of your web site.
4. In the confirmation message that appears at the top of the page, there will be a hyperlink to the text file that was created that contains the commands from your current .htaccess file. Right-click the link and click Save link as… (or a similar command – it might just be “Save as…”). Find a safe location on your computer to store the file and click the Save button.
Restoring the file is just as simple. Follow the quick steps below:
1. Hover over the WP Security menu, and click on Settings if you aren’t already on that page.
2. Click on the .htaccess File tab at the top of the screen.
3. Click the Select Your htaccess File button, then click Select Files.
4. Locate the backed up “htaccess_backup.txt” file on your computer and double-click it.
5. Scroll down and click the Insert into Post button.
6. Click the Restore .htaccess File button. A message will appear near the top with a confirmation message.
Option 2) How to restore the .htaccess file via FTP
You can also watch this video tutorial which shows how you can reset the htaccess file of your WordPress site using FTP.
If you were able to successfully back up your WordPress installation’s .htaccess file but can’t gain access to the dashboard to restore the file, you can follow the steps below to do so.
1. First, locate the “htaccess_backup.txt” file on your computer and open it in a text editor.
2. Use the text editor’s File >> Save As… command and make sure Save as type: is set to “All Files (*.*).”
3. In the File name: box type: .htaccess (make certain to include the leading ‘dot’). Then click the Save button.
4. Open up your FTP software and connect to the server that holds the WordPress install files for the site that you want to restore the .htaccess file on.
5. Transfer the “.htaccess” file from your computer to the root folder of the WordPress site. Overwrite the file on the server when prompted.
Option 3) How to wipe out all the firewall rules before uploading the .htaccess file
In the event that you want to remove the firewall rules that were applied to the .htaccess file by the plugin, you can follow the steps below.
If you already have a current backup of the .htaccess file (the “htaccess_backup.txt” file) on your computer, you can follow the steps above to rename it to .htaccess. If you don’t have a current copy, then you can log in via FTP (or the Control Panel’s File Manager) and download the working copy.
Either way, follow the steps below to modify the .htaccess file and remove the firewall rules:
1. Open the .htaccess file with a text editor. If the file does not have a .txt extension (which it shouldn’t at this point), you may have to open the text editor first and use the File >> Open… command, rather than double-click the file.
2. Locate the “# BEGIN All In One WP Security” and “# END All In One WP Security” lines and remove all lines in between (and including) those lines.
3. Save the file.
4. Upload the file to the server (via FTP or File Manager) and overwrite the existing file.
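As an added example that is not part of the original post or the plugin’s own code, the following Python script does on a local copy of the file what Options 1 and 3 describe by hand: it saves a copy named htaccess_backup.txt beside the file, then removes every block between the “# BEGIN All In One WP Security” and “# END All In One WP Security” marker lines, and refuses to write anything back if a BEGIN line has no matching END. The sample .htaccess content is constructed for the demonstration.

```python
import tempfile
from pathlib import Path
BEGIN_MARKER = "# BEGIN All In One WP Security"
END_MARKER = "# END All In One WP Security"

# Constructed sample: a plugin firewall block followed by the standard WordPress block.
SAMPLE_HTACCESS = """# BEGIN All In One WP Security
Options -Indexes
# END All In One WP Security
# BEGIN WordPress
RewriteEngine On
RewriteRule . /index.php [L]
# END WordPress
"""

def strip_firewall_rules(text: str) -> str:
    """Remove every BEGIN..END block, markers included. A BEGIN without a
    matching END raises ValueError so a truncated file is never written back."""
    kept, inside = [], False
    for line in text.splitlines(keepends=True):
        marker = line.strip()
        if not inside and marker == BEGIN_MARKER:
            inside = True
            continue
        if inside:
            inside = marker != END_MARKER  # leave the block on its END line
            continue
        kept.append(line)
    if inside:
        raise ValueError("BEGIN marker without a matching END marker")
    return "".join(kept)

def clean_htaccess(path: Path) -> bool:
    """Save htaccess_backup.txt beside path, then rewrite path without the plugin block."""
    original = path.read_text()
    cleaned = strip_firewall_rules(original)
    if cleaned == original:
        return False  # nothing to remove, leave the file untouched
    path.with_name("htaccess_backup.txt").write_text(original)
    path.write_text(cleaned)
    return True

def demo() -> tuple:
    """Run the procedure on the constructed sample in a temp dir; returns (changed, backup_ok, result)."""
    with tempfile.TemporaryDirectory() as tmp:
        htaccess = Path(tmp) / ".htaccess"
        htaccess.write_text(SAMPLE_HTACCESS)
        changed = clean_htaccess(htaccess)
        backup_ok = htaccess.with_name("htaccess_backup.txt").read_text() == SAMPLE_HTACCESS
        return changed, backup_ok, htaccess.read_text()
```

Run it against a downloaded copy of your real .htaccess by calling clean_htaccess(Path("path/to/.htaccess")), then upload the result as in step 4.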
Explore the other features of the All in One WP Security Plugin
At this point you will know how to keep the .htaccess file secure and restore it if the need were to arise. You can do a very similar thing with the important “wp-config.php” file as well. The tab to backup, restore, and view this critical file is next to the .htaccess tab on the plugin’s settings page. The operations are very similar to what we discussed about the .htaccess file security.
Common “tweaks” that are suggested regarding the WordPress installation are taken into consideration using this plugin. The more recommended changes that are made, the more secure the site ends up being, and the higher the Security Strength Meter rises in the WP Security Dashboard.
Aside from the .htaccess and wp-config.php file security discussed, the plugin addresses WP Meta Info, user accounts (default admin user name and display name), user login settings, database security (auto-backups and table prefix), filesystem security (permissions), and more.
Also, if you find a particular IP address is showing up often in the security reports and logs (like comment spammers), you can use the built-in WHOIS Lookup tool to gain more detailed information about the IP address. Then you can decide to add offending IP addresses to the blacklist so that they can no longer visit the site. Commands will be added to the .htaccess file as the first line of defence against the attackers and spammers. These people are just wasting valuable resources and pose a threat to the security of your web site, and in many cases, your income as well.
@Grant, yes you can.
Hi,
I’m locked out in maintenance mode.
I have not made a backup of .htaccess file. Can I edit it in FTP just so I can log in and switch off maintenance mode?
Thanks
@Nick, The editor shouldn’t disappear just when you install the plugin. You had to activate a few features. Which feature causes the editor issue on your site? You can turn off all features then activate features one by one to see which one causes the issue.
Hi
When I loaded the all in one wp security, the editor in the appearance has disappeared can anyone help?
@Ryan, Have you restored your htaccess file using this tutorial? Check option 2 in the above tutorial (which doesn’t require you to login to wp admin) to restore the file then your site will be back to where you were before you activated that feature.
Hi,
I enabled the timed logout and it botched my site log in. I can’t get to the dashboard and only now just discovered this htaccess restore. What do I need to do to get back into my site?
~Ryan McMann
Thank you a lot!
@Nik, Were you using any non-alphanumeric character in your “secret word” when enabling this feature? That could be the cause of the issue. We just rolled out another update to the security plugin that will prevent users from using non-alphanumeric characters in the “secret word”. Upgrade to our latest version (v1.9) then try the feature again.
Hi!
I ran into a problem: when I use the rules in the “Firewall” section I get an error 500. After restoring the .htaccess file, it returns to the initial state.
But every time I change the firewall rules I get the same error, and I can only get rid of it by changing the .htaccess file.
What am I doing wrong?
P.S.
1. Five sites on the same hosting.
2. On each site, the plugin was activated in the same sequence.
3. Other plugins are disabled.