How to Secure and Protect a WordPress Website through the .htaccess File
A .htaccess (hypertext access) file provides directory-level configuration, which lets you decentralize the management of your web server configuration. It also lets you improve your blog's security and reduce bandwidth. Today we compile a list of tips and hacks to harden your WordPress website through the .htaccess file. If you like these tips and hacks, grab the WPArena RSS feed to keep yourself up to date!
Note: Be careful when changing this file. A misconfigured server can itself create security problems, and a syntax error in .htaccess makes Apache answer every request in that directory with a 500 error, so always keep a backup. The access-control snippets on this page use the Apache 2.2 syntax (Order, Allow, Deny, Satisfy), which Apache 2.4 accepts only when mod_access_compat is loaded; on 2.4 the native equivalent is the Require directive.

Restricting access to wp-admin
There are different ways to protect wp-admin: with WordPress plugins (see "Enhance WordPress security with two-factor authentication plugins") or by adding a .htaccess file to the wp-admin directory, as shown below. Note that wp-admin/admin-ajax.php is also requested by unauthenticated visitors on the front end, so either restriction breaks plugins and themes that rely on it unless you exempt that file.
Restrict access by IP address: create a .htaccess file in wp-admin containing the following. Apache does not accept a comment on the same line as a directive, so the note about your address must be on its own line:
# a.b.c.d is your static IP address
order deny,allow
allow from a.b.c.d
deny from all
Restrict the directory with a password:
AuthUserFile /etc/httpd/htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
Source: Hardening WordPress website with .htaccess file
Individually Blacklist IP Addresses
A considerable number of spammers, scrapers and crackers need to be blocked from visiting the website. Perishable Press publishes a blacklist of such IP addresses every year and shows how to block them with .htaccess. Keep in mind that access controls wrapped in <Limit> apply only to the listed methods (HEAD is treated as GET); to cover every method, drop the <Limit> wrapper or use <LimitExcept>.
<Limit GET POST PUT>
order allow,deny
allow from all
deny from 192.168.0.10
</Limit>
Source: Improve site security by protecting .htaccess-files
Ultimate IP Blocker
Want to ban an IP address but don't know how to use .htaccess, or want to ban it only on some pages? ipBlocker lets you ban one or more IPs easily, with many options and without needing a database.
Protecting WordPress wp-config file
Josiah Cole shows how to secure your own website by editing or creating your own .htaccess file that:
1. Protects itself (security)
2. Turns the digital signature off (security)
3. Limits upload size (security)
4. Protects wp-config.php (security)
5. Gives access permission to all visitors with exceptions (security, usability)
6. Specifies custom error documents (usability)
7. Disables directory browsing (security)
8. Redirects old pages to new ones (optional)
9. Disables image hotlinking (bandwidth)
10. Enables PHP compression (bandwidth)
11. Sets the canonical or “standard” url for your site (seo, usability)
Add the following to the .htaccess file to protect the wp-config.php file:
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
Other useful links: How To Secure WordPress configuration file
Add the following code to disable directory browsing. The often-copied form "Options All -Indexes" mixes absolute and relative options, which Apache rejects as a syntax error; the relative form alone is what you want:
# disable directory browsing
Options -Indexes
Disable image hotlinking:
# disable hotlinking of images: answer 403, or serve a custom image instead
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?wparena\.com/ [NC]
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
# Alternative: redirect to a placeholder image. Use this rule instead of the
# one above, not in addition to it. The extra condition keeps the placeholder
# itself from matching and redirecting in a loop.
#RewriteCond %{REQUEST_URI} !^/yourimage\.gif$
#RewriteRule \.(gif|jpe?g|png)$ http://www.wparena.com/yourimage.gif [R,L,NC]
Requests with an empty Referer are let through on purpose: browsers and privacy extensions routinely strip the header, and blocking them would break direct links and bookmarks. The referer pattern accepts both http and https; a pattern that matches http only blocks your own pages once the site moves to HTTPS.
Source: Almost Perfect htaccess File for WordPress Blogs
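To see exactly which requests the hotlink rule lets through, here is an added Python model of its two Referer conditions. It is not code from the source article; Python's re module accepts the same pattern syntax as Apache's PCRE for these expressions. It runs the http-only referer pattern found in most copies of this rule and an http-or-https variant over constructed referers, showing that an empty Referer is allowed, that the anchored pattern is not fooled by your domain appearing later in a foreign URL, and that the http-only pattern blocks your own pages once they are served over HTTPS. The wparena.com hostnames are placeholders for your own site.

```python
import re

# The two Referer checks of the hotlink rule, as Python regexes (Python's re
# and Apache's PCRE agree on this syntax).  HTTP_ONLY is the pattern found in
# most copies of this rule; ANY_SCHEME is the variant that also accepts HTTPS.
OWN_SITE_HTTP_ONLY = re.compile(r"^http://(www\.)?wparena\.com/.*$", re.I)   # [NC]
OWN_SITE_ANY_SCHEME = re.compile(r"^https?://(www\.)?wparena\.com/", re.I)


def hotlink_blocked(referer, own_site=OWN_SITE_HTTP_ONLY):
    """True when the rule chain answers 403 for an image request.

    RewriteCond %{HTTP_REFERER} !^$        -> empty Referer: let it through
    RewriteCond %{HTTP_REFERER} !own_site  -> our own pages: let them through
    RewriteRule \\.(gif|jpg)$ - [F]        -> everything else is forbidden
    """
    if referer == "":                  # direct hit, bookmark, or stripped Referer
        return False
    if own_site.search(referer):        # embedded by one of our own pages
        return False
    return True


# Constructed sample Referer values; none of these come from the article.
SAMPLE_REFERERS = [
    "",
    "http://www.wparena.com/some-post/",           # own site over HTTP
    "https://wparena.com/some-post/",              # own site after moving to HTTPS
    "http://evil.example/copied-post.html",        # hotlinking page
    "http://evil.example/?u=http://wparena.com/",  # our domain only inside a query string
]


def evaluate(own_site=OWN_SITE_HTTP_ONLY):
    """Map each sample Referer to whether the image request is blocked."""
    return {ref: hotlink_blocked(ref, own_site) for ref in SAMPLE_REFERERS}


if __name__ == "__main__":
    for ref, blocked in evaluate().items():
        print(f"{'403' if blocked else '200'}  {ref or '<no Referer>'}")
```

Run it as is to see the http-only pattern deny your own HTTPS page; pass OWN_SITE_ANY_SCHEME to evaluate() to see the corrected behaviour.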
Redirect WordPress Feeds to Feedburner via .htaccess (Redux)
.htaccess is also a powerful tool for redirecting WordPress feeds to Feedburner.
Redirecting your WordPress feeds to Feedburner lets you take advantage of its freely provided tracking and statistics services. Although there are a few important things to consider before optimizing your feeds and switching to Feedburner, many WordPress users redirect their blog's two main feeds, "main content" and "all comments", using either a plugin or .htaccess directly.
For those of us using Feedburner for all content and comment feeds, the previous htaccess code has been consolidated into a single redirect. It also verifies the requested URI and simplifies the regex used to match the target string. Check it out:
# temp redirect wordpress content feeds to feedburner
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds.feedburner.com/wordpressarena [R=302,NC,L]
</IfModule>
Source: Perishable Press | How to switch RSS to feedburner in Thematic
See also: How To Stop Image Hotlinking through .htaccess | WP Recipes
IP Delivery to Stop RSS "Content Thieves"
QuadsZilla at SEO Black Hat explains how to find the IP address that is scraping your RSS feed and how to serve that address a different feed with .htaccess. The dots in the address must be escaped and the pattern closed with $; the unescaped, open-ended form also matches 69.16.226.120 through 69.16.226.129.
RewriteEngine on
RewriteCond %{REMOTE_ADDR} ^69\.16\.226\.12$
RewriteRule ^(.*)$ http://newfeedurl.com/feed [R,L]
How to set up a maintenance page with .htaccess
When you migrate your blog, switch themes or update WordPress, redirect your visitors to a maintenance page while you work. The second condition exempts your own IP address so you can still see the site, and the 302 status tells search engines that the move is temporary.
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance\.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule .* /maintenance.html [R=302,L]
Source: CatsWhoCode | Woueb.net | Protecting the WordPress wp-admin folder
Deny no-referrer requests (stop spam comments!)
If your blog receives a lot of spam comments, you can complement Akismet with a .htaccess rule that rejects comment POSTs sent without a Referer from your own site or without a User-Agent, which is how many simple spam bots submit forms. The referer pattern is anchored to your own site; an unanchored "contains yourblog.com" pattern would accept any URL that merely mentions your domain. Both headers are set by the client, so the rule stops only lazy bots; anything that copies a browser's headers passes.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourblog\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
Source: How to: Deny comment posting to no referrer requests
Force "File Save As" Prompt
This line tells the browser that the listed file types are opaque binary data, so it offers a save dialog instead of opening them inline:
AddType application/octet-stream .avi .mpg .mov .pdf .xls .mp4
Source: AskApache: THE Ultimate Htaccess | Forcing a Download with Apache and .htaccess
Improve Site Security by Protecting HTAccess Files
Jeff Starr presents several methods on Perishable Press to protect .htaccess files. The code below prevents external access to files whose names begin with .ht (which variants also cover .htpasswd or upper-case names differs, as noted below). Add it to your domain's root .htaccess file. Apache's stock httpd.conf already ships an equivalent <Files ".ht*"> block, so this mainly matters on hosts that have changed the default.
Case-sensitive protection:
# CASE SENSITIVE METHOD
<Files .htaccess>
order allow,deny
deny from all
</Files>
Weak pattern matching
# WEAK PATTERN MATCHING
<Files ~ "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</Files>
Strong pattern matching
# STRONG HTACCESS PROTECTION
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
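As an added check that is not part of Jeff Starr's article, this Python snippet runs the three <Files> patterns above over a constructed list of filenames, using Python's re module, which agrees with Apache's PCRE for these expressions. It shows what each variant does and does not cover: the literal name misses .htpasswd and .HTACCESS, the weak regex misses upper-case names (which matter on a case-insensitive filesystem, where a request for .HTACCESS reaches the same file), and the strong regex misses .htpasswd because it insists on the letters "hta". None of them covers a file renamed with AccessFileName, as discussed later on this page. The fourth, case-insensitive pattern is my suggestion, not the article's.

```python
import re

# The <Files> matchers from the three snippets above.  <Files .htaccess> is a
# literal, exact-name match; the other two are the regexes given after "~".
# "combined" is an added suggestion (not from the article): PCRE's inline
# (?i) flag makes the prefix match case-insensitive.
MATCHERS = {
    "case-sensitive": lambda name: name == ".htaccess",
    "weak":           re.compile(r"^\.ht").search,
    "strong":         re.compile(r"^.*\.([Hh][Tt][Aa])").search,
    "combined":       re.compile(r"(?i)^\.ht").search,
}

# Constructed filenames a scanner might request; not taken from any real log.
CANDIDATES = [
    ".htaccess",
    ".htpasswd",       # credentials file; must never be served
    ".HTACCESS",       # same file on a case-insensitive filesystem
    ".htaccess.bak",   # editor or backup copy
    "old.htaccess",
    "ht.access",       # the AccessFileName rename shown later on this page
    "index.html",      # control: must stay reachable
]


def protected(name, method):
    """True when the <Files> block for `method` would deny access to `name`."""
    return bool(MATCHERS[method](name))


def coverage(method):
    """Filenames the given <Files> variant blocks, in CANDIDATES order."""
    return [n for n in CANDIDATES if protected(n, method)]


def unprotected_sensitive(method):
    """Sensitive names (everything except index.html) the variant lets through."""
    return [n for n in CANDIDATES if n != "index.html" and not protected(n, method)]


if __name__ == "__main__":
    for method in MATCHERS:
        print(f"{method:15} blocks {coverage(method)}")
        print(f"{'':15} misses {unprotected_sensitive(method)}")
```

Whatever variant you pick, verify it from outside after deploying: request the file with curl and expect 403, not 200.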
.htaccess: gzip and cache for faster loading and bandwidth saving
To speed up the site and save bandwidth, you can use the .htaccess file to gzip text-based files and set caching HTTP headers.
If your hosting provider (HostGator, for example) has the mod_gzip module enabled, add the following lines to your .htaccess file. mod_gzip is a third-party module from the Apache 1.3 era; Apache 2.x ships mod_deflate instead, which is covered further down. The IfModule wrapper keeps these directives from causing a 500 error on a server without the module.
<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>
Source: see also, for other ways to speed up loading and save bandwidth:
.htaccess – gzip and cache your site for faster loading and bandwidth saving
WordPress Super Cache: Makes WordPress Faster
WordPress Safer Admin Plugin
Have you ever wondered how to hide your WordPress admin panel so that attackers have a harder time finding it? The WP Safer Admin plugin moves the admin URL. Keep in mind that hiding the login URL is obscurity, not access control: it cuts automated noise, but it should be combined with the IP or password restrictions described above.
WP-Restrict
WP-Restrict is a WordPress plugin that allows WordPress admins to restrict access to their web site based on IP addresses.
Redirecting Subdirectories to the Root Directory via HTAccess
One of the most useful techniques in my HTAccess toolbox involves URL redirection using Apache’s RedirectMatch directive. With RedirectMatch, you get the powerful regex pattern matching available in the mod_alias module combined with the simplicity and effectiveness of the Redirect directive.
RedirectMatch 301 ^/blog/.*$ http://domain.tld/target.html
Source: Perishable Press | How to redirect the spammers where you want
Removing Category Base from WordPress URLs
The .htaccess code below shows two ways to redirect any request for /category/slug/ to /slug/. Only add the redirect after applying the PHP changes described in the AskApache article; otherwise you can end up with a redirect loop.
RedirectMatch 301 ^/category/(.+)$ http://www.askapache.com/$1
# OR
RewriteRule ^category/(.+)$ http://www.askapache.com/$1 [R=301,L]
Source: AskApache
Automatically fix URL spelling mistakes
mod_speling can auto-correct simple spelling errors in the URL: it compares the requested name against the files in the directory and tolerates one misspelling or a case mismatch. When several files are close matches it answers with a 300 Multiple Choices page listing them, which reveals file names you may not want enumerated, so weigh that before enabling it.
<IfModule mod_speling.c>
CheckSpelling On
</IfModule>
Source: Vortex Mind
Redirect the spammers where you want
Here is the rule to add to your WordPress blog's (or any site's) .htaccess file. It is the same no-referrer check as above, but the substitution sends the bot to an address of your choosing instead of back to its own IP. Note that this points your bot traffic at a third-party site.
# block comment spam by denying access to no-referrer requests
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?wparena\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://the-site-where-you-want-to-send-spammers.com/ [R=301,L]
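Both comment-spam rules on this page (the "Deny no referer requests" section and this one) apply the same three conditions. The Python below is an added example, not code from either source article; it models that RewriteCond chain and runs it over constructed requests. It shows the rule catching bots that omit the Referer or the User-Agent, and it shows the limitation a practitioner should understand: the unanchored "contains your domain" pattern used in many copies of this rule (.*wparena.com.*) accepts any URL that merely mentions your domain, and since every header is client-controlled, a bot that copies a browser's headers passes even the anchored variant. STRICT_REFERER_OK is my anchored pattern, and the wparena.com hostnames stand in for your own site.

```python
import re
from dataclasses import dataclass

# "Contains your domain anywhere" pattern, as commonly written for this rule.
PAGE_REFERER_OK = re.compile(r".*wparena.com.*")
# Anchored variant (my suggestion): the Referer must be a page on our own site.
STRICT_REFERER_OK = re.compile(r"^https?://(www\.)?wparena\.com/", re.I)
COMMENT_ENDPOINT = re.compile(r"/wp-comments-post\.php$")


@dataclass
class Request:
    method: str
    uri: str
    referer: str = ""     # %{HTTP_REFERER}; empty when the header is absent
    user_agent: str = ""  # %{HTTP_USER_AGENT}


def is_bounced(req, referer_ok=PAGE_REFERER_OK):
    """True when the RewriteRule fires and the comment POST is redirected away.

    Mirrors the RewriteCond chain: METHOD is POST, URI is the comment
    endpoint, and (Referer is not ours [OR] User-Agent is empty).
    """
    if req.method != "POST":
        return False
    if not COMMENT_ENDPOINT.search(req.uri):
        return False
    return referer_ok.search(req.referer) is None or req.user_agent == ""


# Constructed sample traffic, not captured from a real site.
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"
OWN_POST = "http://www.wparena.com/2010/some-post/"
SAMPLES = {
    "page view":      Request("GET", "/2010/some-post/", OWN_POST, BROWSER_UA),
    "real comment":   Request("POST", "/wp-comments-post.php", OWN_POST, BROWSER_UA),
    "naive bot":      Request("POST", "/wp-comments-post.php"),        # no headers at all
    "bot, no UA":     Request("POST", "/wp-comments-post.php", OWN_POST),
    "contains trick": Request("POST", "/wp-comments-post.php",
                              "http://spam.example/wparena.com", BROWSER_UA),
    "full spoof":     Request("POST", "/wp-comments-post.php", OWN_POST, BROWSER_UA),
}


def classify(referer_ok=PAGE_REFERER_OK):
    """Map each sample to whether the rule bounces it."""
    return {name: is_bounced(r, referer_ok) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, bounced in classify().items():
        print(f"{'BOUNCED' if bounced else 'passed '}  {name}")
```

The "full spoof" sample is byte-for-byte identical to "real comment", which is the whole point: this rule filters noise, it does not authenticate anything, so keep Akismet or a nonce-based check behind it.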
Easily rename your .htaccess file
# rename htaccess files
AccessFileName ht.access
AccessFileName is only valid in the main server configuration or a virtual host, not inside .htaccess itself, so this trick is for people who administer their own server. After renaming, Apache's default <Files ".ht*"> protection no longer covers the file; add a matching <Files> block for the new name.
Source: Stupid htaccess tricks | How to redirect the spammers where you want
See also: 20 htaccess hacks to prevent your WordPress site from being hacked
Make your wp-login.php page xenophobic
Copy the following into the root .htaccess file (the directory where wp-login.php lives). The prefix 203.0.113. is a documentation-range placeholder: replace it with your own address, and keep the dots escaped, because an unescaped dot matches any character.
# Redirect wp-admin and wp-login to the specified address if not from a specific IP
# You are free to add additional directories as you see fit
# Note: this will break your site if you have plugins/themes that depend on accessing admin-ajax.php
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/(wp-login\.php|wp-admin)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.
RewriteRule . http://www.domain.com/ [R,L]
# Or, if you prefer to return 404 Not Found instead of redirecting, use this instead
RewriteCond %{REQUEST_URI} ^/(wp-login\.php|wp-admin)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.
RewriteRule . - [R=404,L]
Source: Hardening WordPress with Mod Rewrite and htaccess | 7 Tools For Fighting Spam In WordPress
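Several rules on this page (the RSS content-thief redirect, the maintenance page and the login restriction above) match %{REMOTE_ADDR} with a regular expression, and a common mistake is to write the address without escaping the dots and without a closing anchor. This added Python check, which is not from any of the cited articles, runs such patterns over constructed addresses with Python's re module (the syntax is the same as Apache's PCRE here) to show what they accidentally match, then shows the robust alternative: parse the address and test CIDR membership, which is what Apache 2.4's Require ip directive does natively. The 203.0.113.0/24 network is a documentation range standing in for your own address. One caveat no regex fixes: behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address, not the visitor's.

```python
import ipaddress
import re

# REMOTE_ADDR is matched as a plain string, so an unescaped "." is a wildcard
# and a pattern without "$" matches any address that merely starts this way.
LOOSE_SINGLE = re.compile(r"^69.16.226.12")         # one host, sloppy
STRICT_SINGLE = re.compile(r"^69\.16\.226\.12$")    # one host, escaped and anchored
LOOSE_PREFIX = re.compile(r"^203.0.113.")            # "first three octets", sloppy
STRICT_PREFIX = re.compile(r"^203\.0\.113\.\d{1,3}$")

# Constructed test addresses from documentation ranges; not from any real log.
ADDRESSES = [
    "69.16.226.12",    # the intended host
    "69.16.226.120",   # a different host that shares the first 12 characters
    "69.16.226.129",
    "69116.226.12",    # not an IP at all, yet every "." wildcard is satisfied
    "203.0.113.7",
    "203.0.113.200",
    "203.0.1137",      # outside the /24 (and malformed); the loose prefix accepts it
    "198.51.100.7",
]

ALLOWED_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed admin network


def matched_by(pattern):
    """Addresses a RewriteCond %{REMOTE_ADDR} with this pattern would match."""
    return [a for a in ADDRESSES if pattern.search(a)]


def in_allow_list(addr, net=ALLOWED_NET):
    """Robust check: parse the address and test CIDR membership, which is
    what Apache 2.4's `Require ip 203.0.113.0/24` does without any regex."""
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:   # malformed REMOTE_ADDR can never be on the allow-list
        return False


if __name__ == "__main__":
    for name, pat in [("loose single", LOOSE_SINGLE), ("strict single", STRICT_SINGLE),
                      ("loose prefix", LOOSE_PREFIX), ("strict prefix", STRICT_PREFIX)]:
        print(f"{name:14} -> {matched_by(pat)}")
    print("CIDR allow-list ->", [a for a in ADDRESSES if in_allow_list(a)])
```

The loose single-host pattern admits four of the eight addresses; only the escaped, anchored form and the CIDR test select exactly what was intended.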
See also: The easiest way to ban a WordPress spammer
Require a password for one file
<Files login.php>
AuthName "Prompt"
AuthType Basic
AuthUserFile /home/askapache.com/.htpasswd
Require valid-user
</Files>
Protect multiple files
# matches exec, env, doit, phpinfo and w with any extension (exec.php, phpinfo.php, ...)
<FilesMatch "^(exec|env|doit|phpinfo|w)(\..*)?$">
AuthName "Development"
AuthUserFile /.htpasswd
AuthType Basic
Require valid-user
</FilesMatch>
Source: ultimate htaccess code snippets
Speed up your site by compressing and caching your content with .htaccess
The following snippets compress and cache your site's content with Apache and the .htaccess file. One caveat on the compression rule: it includes PHP output, and compressing dynamic pages that reflect user input next to secrets such as CSRF tokens over TLS exposes them to BREACH-style compression attacks, so consider excluding authenticated pages.
Compress text files
<IfModule mod_deflate.c>
<FilesMatch "\.(css|js|x?html?|php)$">
SetOutputFilter DEFLATE
</FilesMatch>
</IfModule>
Expires headers
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 seconds"
ExpiresByType image/x-icon "access plus 2592000 seconds"
ExpiresByType image/jpeg "access plus 2592000 seconds"
ExpiresByType image/png "access plus 2592000 seconds"
ExpiresByType image/gif "access plus 2592000 seconds"
ExpiresByType application/x-shockwave-flash "access plus 2592000 seconds"
ExpiresByType text/css "access plus 604800 seconds"
ExpiresByType text/javascript "access plus 216000 seconds"
ExpiresByType application/javascript "access plus 216000 seconds"
ExpiresByType application/x-javascript "access plus 216000 seconds"
ExpiresByType text/html "access plus 600 seconds"
ExpiresByType application/xhtml+xml "access plus 600 seconds"
</IfModule>
Cache-control headers
<ifModule mod_headers.c>
<filesMatch "\.(ico|jpe?g|png|gif|swf)$">
Header set Cache-Control "max-age=2592000, public"
</filesMatch>
<filesMatch "\.(css)$">
Header set Cache-Control "max-age=604800, public"
</filesMatch>
<filesMatch "\.(js)$">
Header set Cache-Control "max-age=216000, private"
</filesMatch>
<filesMatch "\.(x?html?|php)$">
Header set Cache-Control "max-age=600, private, must-revalidate"
</filesMatch>
</ifModule>
Turn ETags off
<IfModule mod_headers.c>
Header unset ETag
</IfModule>
FileETag None
Remove the Last-Modified header
<IfModule mod_headers.c>
Header unset Last-Modified
</IfModule>
Source: More on compressing and caching your site with .htaccess
Performance Optimizer Plugin for WordPress
This plugin helps increase the performance of your WordPress website by optimizing key parts of the page-loading process, which increases loading speed and limits bandwidth consumption.
References and other useful resources:
Protect your WordPress site .htaccess
Using htaccess Files for Pretty URLS
Web security: what is an .htaccess file
How to protect and secure your WordPress site
A to Z of WordPress .htaccess Hacks
Comprehensive guide to .htaccess
Introduction to .htaccess
Forcing a Download with Apache and .htaccess
Hardening WordPress with htaccess
.htaccess Builder
Quickly and effortlessly produce an htaccess file without having to remember anything about the Apache configuration syntax used to build it.
htaccess Builder is complete as is; depending on requests and sales it may grow to cover just about every function of htaccess.