You have started a blog to share your opinion with the World Wide Web. Someone stumbles upon one of your articles. He likes it, and posts it on Digg. Now it gets everyone’s attention. Visitors come pouring into your site. Your revenue starts to go up. Definitely good news! But now there is a catch. You are now the target of the ‘bad crowd’ of the Internet, spammers, hackers and leechers.
It’s time to toughen up your innocent little WordPress site. The .htaccess file is the easiest and the cheapest (actually it’s free!) solution to secure a WordPress blog.
Many of the tips covered in this article are offered as features in our WordPress Security Plugin.
What is a .htaccess File?
The .htaccess file is a configuration file for web servers running the Apache Web Server software. When a .htaccess file is placed in a directory that Apache serves, Apache detects the file and applies its directives to that directory and everything below it. It is often used to specify the security restrictions for that particular directory.
In this article I’m going to show you how to strengthen your site’s security by adding/changing a few lines in this file.
Before you make any changes, take a backup of your .htaccess. If something gets messed up, you can always replace the broken .htaccess with the original one.
Restrict Access to WP Admin directory by IP Address
If you run a single-user blog, there is no reason to let anyone else reach the WordPress administration panel. You can protect wp-admin from unauthorized access by listing your static IP address in a .htaccess file placed in the wp-admin directory. Here's the trick:
order deny,allow
deny from all
# Replace a.b.c.d with your static IP address (Apache comments must sit on their own line)
allow from a.b.c.d
Disable Hotlinking
Sometimes another site links directly to images on your site. It saves them disk space, because they do not have to store the images, but your server ends up serving the requests and using up your precious bandwidth. This is known as 'hotlinking'. To disable it, add these lines to the .htaccess:
RewriteEngine on
# Let requests with an empty referrer through (direct visits, privacy tools)
RewriteCond %{HTTP_REFERER} !^$
# Let requests that come from your own domain through
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
# Never redirect the replacement image itself, or the rule loops on it
RewriteCond %{REQUEST_URI} !stealingisbad\.gif$
# Either return 403 Forbidden (first rule) or serve a replacement image (second rule)
#RewriteRule \.(gif|jpg)$ - [F]
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]
Stop Spammers
Like hotlinkers, spammers are notorious for using up your site's resources. There are a number of ways to identify a potential spammer; one of them is to detect requests with no referrer. Spammers use bots to post comments on blogs, and those requests come from 'nowhere'. Add these lines to stop them:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php
# Block when the referrer is not your own domain OR the User-Agent is empty
RewriteCond %{HTTP_REFERER} !yourblog\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Bounce the request back to the sender's own address (the substitution is a URL, not a regex)
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
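To see exactly which requests the hotlinking and comment-spam rules above catch, here is a small Python simulation of mod_rewrite's RewriteCond chaining (an added example, not code from the original article or its plugin; yourblog.com, yourdomain.com and the sample requests are constructed). It shows that the [OR] flag groups only the referrer and User-Agent tests, so a search-engine crawler's GET without a referrer is never blocked, and that a browser that sends no Referer header still gets images through the hotlink rule.

```python
import re
from collections import namedtuple
# One RewriteCond line: tested variable, regex, leading "!" (negate), [OR] flag.
Cond = namedtuple("Cond", "var pattern negate or_next", defaults=(False, False))

def conds_match(conds, req):
    """mod_rewrite semantics: conditions are ANDed, except that a run of
    [OR]-flagged conditions plus the one that follows forms a single OR group."""
    groups, current = [], []
    for c in conds:
        current.append(c)
        if not c.or_next:
            groups.append(current)
            current = []
    if current:                       # dangling [OR] on the last condition
        groups.append(current)
    def one(c):
        hit = re.search(c.pattern, req.get(c.var, "")) is not None
        return hit != c.negate        # "!" inverts the match
    return all(any(one(c) for c in group) for group in groups)

def rule_fires(rule_pattern, conds, req):
    """True when the RewriteRule acts: its pattern matches the request path
    (unanchored, as in Apache) and the whole RewriteCond chain holds."""
    return bool(re.search(rule_pattern, req["REQUEST_URI"])) and conds_match(conds, req)

# The article's "Stop Spammers" conditions; yourblog.com is the assumed blog domain.
SPAM_CONDS = [
    Cond("REQUEST_METHOD", "POST"),
    Cond("REQUEST_URI", r"/wp-comments-post\.php"),
    Cond("HTTP_REFERER", r"yourblog\.com", negate=True, or_next=True),
    Cond("HTTP_USER_AGENT", "^$"),
]
# The article's "Disable Hotlinking" conditions and RewriteRule pattern.
HOTLINK_CONDS = [
    Cond("HTTP_REFERER", "^$", negate=True),
    Cond("HTTP_REFERER", r"^http://(www\.)?yourdomain\.com/", negate=True),
]
HOTLINK_PATTERN = r"\.(gif|jpg)$"
def request(method, uri, referer, ua):  # constructed sample requests, not captured traffic
    return {"REQUEST_METHOD": method, "REQUEST_URI": uri,
            "HTTP_REFERER": referer, "HTTP_USER_AGENT": ua}
CRAWLER_GET = request("GET", "/2009/some-post/", "", "Googlebot/2.1")   # not a POST: never blocked
BOT_POST = request("POST", "/wp-comments-post.php", "", "Mozilla/5.0")   # no referrer: blocked
HUMAN_POST = request("POST", "/wp-comments-post.php", "http://yourblog.com/2009/a-post/", "Mozilla/5.0")
BLANK_UA_POST = request("POST", "/wp-comments-post.php", "http://yourblog.com/2009/a-post/", "")
HOTLINKED = request("GET", "/images/logo.gif", "http://other.example/page.html", "Mozilla/5.0")
DIRECT_IMAGE = request("GET", "/images/logo.gif", "", "Mozilla/5.0")     # empty referrer passes
OWN_IMAGE = request("GET", "/images/logo.gif", "http://www.yourdomain.com/about/", "Mozilla/5.0")
```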
Protect WP-Config
The wp-config.php file in your WordPress installation contains some really important secrets: the database name, database username and password, and so on. You have no choice but to keep it secure:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Disable Directory Browsing
Someone who knows the directory structure of a WordPress installation may use that knowledge to do some damage. Besides, you should not let them see which plug-ins you are using:
Options All -Indexes
Protect .htaccess itself!
The last thing you want, after spending so much time protecting your site with .htaccess, is to leave the file itself open to attack. The following rule prevents external access to any file starting with .hta:
<Files ~ "^\.hta">
order allow,deny
deny from all
satisfy all
</Files>
Better still, you can rename the .htaccess to any other name you like. Note that AccessFileName belongs in the main server configuration (httpd.conf), not in .htaccess itself, so this only works if you administer your own server:
# rename htaccess files
AccessFileName ht.access
That's it for now. Remember to test, test and test every time you make changes to your .htaccess file (go to your site: is it still up?). Hope you find these tips useful. Happy blogging!
Excellent tips. One needs to be cautious, however. There are some WP plugins which would need access to .htaccess, e.g. W3TC Browser Cache
Wow ! Thank you very much.
I was just searching what I got here. Now I can use these for my WordPress website.
Thanks again.
These are great & useful resources. It is the first time I have encountered many of these plugins. I already have 4 plugins installed on my site. I will check which one or two I can add.
I wasn’t aware you can block directory browsing with the htaccess file. Thank you very much!
Nice post sir, thank you very much.
Candra
Nice topic. Thank You for sharing 🙂
I would add:
# disable the server signature
ServerSignature Off
# limit file uploads to 10mb
LimitRequestBody 10240000
These are great & useful resources. It is the first time I have encountered many of these plugins. I already have 4 plugins installed on my site. I will check which one or two I can add. Glad I came across your site. Many thanks!
Hmm, these are pretty interesting. The only time I've ever had to modify my htaccess was in order to redirect http://mysite.com to http://www.mysite.com. I never knew there were so many more things you could do with the htaccess file that could be of value.
Yeah, if your site is up and running then everything should be fine. The tips mentioned in this article do not affect your SEO.
After making changes, if my site is up, does it mean everything is OK (leaving security issues aside)? Is there a chance that it could affect the SEO of my site?
I mean I am not talking about filling the .htaccess file with unwanted gibberish, of course, but about these steps and trying to add some extra security 🙂
I really like this blog and this topic. This blog is really helping me as a newbie.
Thanks for sharing…
Ah nice one! Thanks!
The post is really useful; I really appreciate you sharing the information. Thank you.
That is what's confusing me. Can I not just create an instruction within the .htaccess in the WordPress root to not allow anyone but me to access wp-admin? Why do I need a separate .htaccess file in the wp-admin folder too?
It's actually pointless for me anyway. My IP is dynamic and therefore the .htaccess route isn't an option. But it would be good to know for future reference.
I've read the article you referred to and think I will install AskApache Password Protect (is this the same as password protecting a folder in cPanel?). To further protect any vulnerabilities from my installed plugins I'll add a blank html file.
Thank you so much for the information. I'm a newbie blogger and really appreciate the information you provide! Thanks!!
Basically, a .htaccess file allows you (the admin) to put restrictions on how a folder/file can be accessed from the web browser. Yes, the .htaccess file in your WordPress root is what matters as far as this article is concerned.
Placing an empty .htaccess file in the wp-admin directory won't do anything. The security scan plugin is basically telling you to put a .htaccess file in the wp-admin directory with various conditions so nobody but you can access the "wp-admin" of your site (this makes it so no one but you can browse to that directory, so you don't even have to worry about someone trying to hack into your admin). This post will explain this in detail:
https://www.tipsandtricks-hq.com/essential-wordpress-security-tips-is-your-blog-protected-987
I think I am understanding. So I can place a blank .htaccess file in wp-admin to improve security, because it will put a potential hacker off track? While the .htaccess file in my root contains all the important instructions, i.e. blocking IP addresses, blocking access to folders etc.
So for instance, to prevent comment spammers I should include the code below within my mysite.com/blog/.htaccess file? or my mysite.com/.htaccess?
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php
# Block when the referrer is not your own domain OR the User-Agent is empty
RewriteCond %{HTTP_REFERER} !yourblog\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# The substitution is a URL, not a regex, so no ^ or $ anchors here
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
What you have is correct. The security scan plugin complains if you don't have a .htaccess file in the "wp-admin" directory, because having a .htaccess file in the "wp-admin" directory can add additional security. The .htaccess file in the "wp-admin" directory is only for security and is not to be confused with the site speed-up.
You can put a .htaccess file in every folder on your site for security purposes, but the tips shared in this article only deal with speeding up your site and refer to the main .htaccess file, which is in the root of your WordPress installation. Does that make sense?
Thanks for the prompt reply.
I run a site which has .htaccess file in the root. (I believe this was done within cPanel, because there are a number of IP addresses I’ve blocked).
I am also running a blog via a sub-folder (let's say http://www.mysite.com/blog/). I've installed the WP Security Scan plugin for the blog and it reveals the following.
“Security”: The file .htaccess does not exist in wp-admin/.
“Scanner”: htaccess permission 644
I do not have a .htaccess file in my /blog/wp-admin directory, but I do have one in /blog/
Should I move the .htaccess file from /blog/ to /blog/wp-admin? or should I create a new .htaccess for the wp-admin folder?
Very confused.
The .htaccess file in /blog/wp-admin looks like this:
# BEGIN WordPress
RewriteEngine On
RewriteBase /blog/
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /blog/index.php [L]
# END WordPress
Thanks.
There should be a .htaccess file in the “public_html” folder.
Which .htaccess do you edit? I mean to say, in which folder is this file?
very useful tips, Thanks for Share
quite useful tips, thanks.
Thanks for this. Articles like yours really do help non-coders like me learn and to be able to manage it myself. Keep up the good work and continue sharing your knowledge (please?!?!) Thanks
Hello all, just like to say hi to everyone and introduce myself. I've been in the Internet biz for over 13 years, literally sitting on the same Herman Miller chair purchased back in the 90's.
Thanks to the Admin, I enjoy reading for a long time, thanks guys.. Cool forum is what I say and keep the good work.
Thanks a lot friend. I have followed 3 of the tips to secure my htaccess file.
thanks!
Putting them “Before” is fine.
Great tips, but just one question that I haven’t found an answer to yet. Would I put the above directives before, after, or inside the WordPress sections? What I mean by inside the wordpress sections is that the .htaccess would say “# BEGIN WordPress” then there are directives until “# END WordPress”.
It is a great list, but I think modern spammers surf with a referrer, like Internet Explorer 6 or similar.
Excellent set of tips! I assume protecting folders from your htaccess should be faster and more secure than installing WordPress security plugins. I will definitely try it, thanks
Not so much security issue, but I would add 301 redirects from non-www to www requests and cache control headers for all static images.
Peter
No, I host the image somewhere on my site and I give them a link referring the image back to my site. Still, will it block the other site from showing the image on their site?
Thanks
If the Image is used from an external site then yes.
Very good tips! I just incorporated them in my .htaccess. My question is: Would the “Disable Hotlinking” also prevent linking exchange, if i have an image that I host on my linking code?
Thanks
@Charles, yes you need to replace them with your own domain name. “stealingisbad.gif” is just an image that will be displayed instead of the actual image when someone tries to hotlink. This image can have any message you want.
Oh, and what does “stealingisbad.gif” mean in the ‘disable hotlinking’ code?
Is that an image we need to create and upload via FTP in order for disabling of hotlinking to work?
Thanks,
Charles
Interesting stuff, for a non-coder like me.
In these text snippets, do we replace "?'yourdomain.com" and "!.*yourblog.com.*" with our own domain names—or do these work as is when dropped into our .htaccess file?
Thank you,
Charles
I use this one: http://alkivia.org/wordpress/capsman/ – it allows me to remove the default admin-account. Will check your suggestion.
The WP -security-scan keeps telling me there is no .htaccess in the WP-Admin dir. – so just ignore it then? Not even some basic code in there?
If you don’t have static IP then you can’t really restrict by IP so don’t bother putting anything there. Try the login lockdown plugin to add a bit more login protection.
Sooooooo, not having a static IP Address, not being able to block that address in .htaccess file in Admin folder, what do I put in that file to secure that folder?
I now understand the renaming, but that doesn’t apply to me either, as I don’t have my own server – but yes, good tip, makes sense!
LOL… okay okay I will tell you 🙂
By default the filename for access control is .htaccess. This is the file that Apache will look up to see what restrictions are specified, and it will then control access accordingly when a client makes a request to your site through the browser.
When you have protection in place, hackers know that it is specified in this file, so they will try to attack this file so that the protection can be destroyed. You can specify a different name for this access control file in the server configuration file (e.g. httpd.conf, access.conf etc.) and Apache will look up that file instead. This way anyone from outside has no way of knowing which file to attack, because they can't guess the name of it.
Your server will have other security measures in place, so this is not really necessary, and in some cases not doable if you don't have a dedicated server. This is good to know and worth doing if you are running your own server from your home PC and don't really have a lot of other security measures in place.
Thank you! I don’t have a static IP address, so I need to put something else in the .htaccess in the Admin folder?
Ok, good CHMOD rule.
Renaming: you mention in the last line of your article:
“Better still, you can rename the .htaccess to any other name you like
# rename htaccess files
AccessFileName ht.access”
Please note that playing around with .htaccess file is dangerous so handle with care.
You can put the content explained in the “Restrict Access to WP Admin directory by IP Address” section in a .htaccess file and put it in the “wp-admin” directory. You will obviously have to modify the a.b.c.d to your IP address (don’t do this if you don’t have static IP address).
Regarding file permission… here is a general rule of thumb… files should have a permission of 644 and directories should have a permission of 755
Nice article – thanks!
Got the following questions:
1 – I use the WP Security Scan plugin (by Semper Fi) – it tells that one thing is incorrect: “The file .htaccess does not exist in wp-admin/. ” Now, what do I put in that file? I contacted him last year, I searched all his documentation (which is lacking for this item) and that is how I ended up on your site.
2 – Do I need any other .htaccess files – if yes, where do I put them (root?), what do I put in them and what CHMOD do they get?
3 – As Mugger asked before, how do you apply the renaming? Where do you put what?
Does the code to rename .htaccess
`# rename htaccess files
AccessFileName ht.access`
reside in ht.access or in a separate .htaccess?
Hi Ron, If you look at the spam blocking rules, you’ll notice it’ll only block POST requests, on the URI wp-comments-post.php. Since spiders/crawlers don’t do that, you have no fear of blocking the search engines out of your site.
Would that anti-spammer code also stop spiders and search engines? My site gets visits from both spiders and search engines, and they often have no referrer.
Since that code blocks anyone with no referrer then won’t it also stop the engines.
@Towel – where do spam requests go? The hacks in the .htaccess ignore all POST requests without a referrer, so they don't get stored anywhere. If you want to block spam and store it somewhere for analysis, you can use the Akismet plugin.
Regarding my previous comment: I managed to get rid of all the spam with the bit of code added into my .htaccess file. I couldn't figure out properly how to add the complete path to the cgi file of my, so I simply created another .htaccess file straight inside my cgi-bin directory folder: /cgi-bin/.htaccess
I was wondering where all the requests go now, into a black hole, they stop to exist? Over night no spam came. Otherwise it’s about 10 to 20 emails per day. Anyway, thanks a lot, Today I will add some extra code that you’ve mentioned.
Thank you Ruhul. Could you please tell us whether another line of code could be added into the .htaccess (to avoid spammer bots with no referrer) for an additional file, as below, where I edited it. It's my contact form (TFmail by London Perl Mongers) script, through which I get spam emails.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
# Apply the rule to either script: the two URI tests must be OR-ed, or they can never both match
RewriteCond %{REQUEST_URI} /wp-comments-post\.php [OR]
RewriteCond %{REQUEST_URI} /cgi-bin/contact-form\.cgi
# Block when the referrer is not your own domain OR the User-Agent is empty
RewriteCond %{HTTP_REFERER} !yourblog\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
Thank you very much.