WordPress Security with the .htaccess file
Posted on 14th July, 2013 4 Comments
So I showed you how you can help speed up WordPress using a single line of php in your header.php theme file and by adding a few simple lines to your htaccess file. Now lets concentrate on security.
As WordPress is now so widely used (60+ Million users) it has become a bit of a hacking ground for those interested in tinkering in the dark arts. Also because it’s an open source platform the structure is widely available and is well know. So this article is going to help you make your site a whole heap more secure to brute attacks by adding another few lines to your htaccess file.
Firstly you’ll want to protect your wp-config.php as it holds all the server info.
We’ll do this by denying access to everyone. Add this to the bottom of your .htaccess file.
### SECURITY ###
# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Simply, this snip blocks all access to the file outside of using an ftp client.
Next you’ll want to close the door on people browsing your directories.
# block directory browsing
Options All -Indexes
Next but no least, we’ll protect the htaccess file from any attacks.
# protect htaccess
<Files ~ "^.*.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
For this file that’s it. Save it and upload it to your /public_html folder on your server.
We are almost done, we just need to do one last thing…
Create another htaccess file. Open notepad and save the document as .htaccess. This one is going to be added to the wp-admin folder, to block anyone trying to login to your site from an outside ip; But will also allow access to the ever important ajax used for eCommmerce sites.
The first order deny,allow is going to block access to your admin area to everyone who doesn’t have a ip that is allowed.
So in a blank .htaccess add this.
If you want to find your ip, google “what is my ip“
#Block access to admin order deny,allow allow from 12.12.12.12 #Find your ip allow from 11.11.11.11 #Add more if needed or delete. deny from all #Block everyone else #Allow Ajax, we're running a business here! <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files>
You can find more on Protecting WordPress Here
If spam is your problem, I have a great fix, that believe it or not actually works and is free.
Comments
To preserve code added to a comment you can wrap your code in short tags
by using [square brackets]:
Abinash Mohanty
04th, Feb, 14Thanks for the tips, these are quite helpful. I only have one query about .htaccess under the wp-admin folder. How can we configure for dynamic ip as “what is my ip” shows different addresses when I use my home wifi or at work having different isp. Can’t we map with MAC address? I guess that is permanent right! Let me know, thanks.
WPtricks
08th, Feb, 14For a dynamic ip range you should check out this post which goes into it in a little more depth http://brett.batie.com/software-development/update-htaccess-with-dynamic-dns-ip-address-to-prevent-password-protection/ Or you could add multiple ip’s to the Allow statement.
supsystic team
26th, Jan, 15Hi there!
I find good security plugin and recomend it for you. Most from this functions from this post this plugin has . You can find it from this sites:
http://supsystic.com/
https://wordpress.org/plugins/security-by-supsystic/
Aaron
26th, Jan, 15Suppose if you don’t like poking around your .htaccess file, this is a good option.