WordPress Security with the .htaccess file

Posted on 14th July, 2013

So I showed you how you can help speed up WordPress using a single line of PHP in your header.php theme file and by adding a few simple lines to your .htaccess file. Now let's concentrate on security.

As WordPress is now so widely used (60+ million users) it has become a bit of a hacking ground for those interested in tinkering in the dark arts. Also, because it’s an open source platform, its structure is widely available and well known. So this article is going to help you make your site a whole heap more secure against brute-force attacks by adding another few lines to your .htaccess file.

Firstly, you’ll want to protect your wp-config.php, as it holds all of your server info.
We’ll do this by denying access to everyone. Add this to the bottom of your .htaccess file.

    ### SECURITY ###

    # protect wp-config.php
    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

Put simply, this snippet blocks all web (HTTP) access to the file; you can still edit it with an FTP client.

Next, you’ll want to close the door on people browsing your directory listings.

    # block directory browsing
    Options All -Indexes

Last but not least, we’ll protect the .htaccess file itself from any attacks.

    # protect htaccess (the escaped dot matches a literal ".hta", so this
    # covers .htaccess, .htpasswd and the like without catching other files)
    <Files ~ "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </Files>

For this file, that’s it. Save it and upload it to your /public_html folder on your server (the folder WordPress is installed in).
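The three rules above are written with the Apache 2.2 access directives (order, deny from, satisfy). On Apache 2.4 those directives only work when mod_access_compat is loaded; without it an unrecognised directive in .htaccess produces a 500 Internal Server Error. As an added example (not part of the original post), here is the same root .htaccess section in the Apache 2.4 access-control syntax. It assumes you are on 2.4 and that your host's AllowOverride setting permits Limit and Options in .htaccess; the Options line uses the relative -Indexes form, which is valid on every Apache version.

```apache
### SECURITY (Apache 2.4 syntax) ###

# protect wp-config.php: no HTTP client may fetch it
<Files "wp-config.php">
    Require all denied
</Files>

# block directory browsing (listings) for every folder under this one
Options -Indexes

# protect .htaccess, .htpasswd and any other .ht* file;
# Apache's stock httpd.conf ships an equivalent rule, this keeps it
# in force even on hosts that have removed it
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>
```

After uploading, request https://your-site/wp-config.php and https://your-site/.htaccess in a browser: both should return 403 Forbidden, and a folder with no index file (for example /wp-includes/) should return 403 instead of a file listing.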

We are almost done, we just need to do one last thing…

Create another .htaccess file. Open Notepad and save the document as .htaccess. This one is going to be added to the wp-admin folder, to block anyone trying to log in to your site from an outside IP, but it will also allow access to the ever-important admin-ajax.php used by eCommerce sites.

The first directive, order deny,allow, blocks access to your admin area for everyone whose IP is not on the allow list.

So in a blank .htaccess add this.

If you want to find your IP, google “what is my IP”.

    # Block access to admin
    # (Apache only recognises comments on their own line, never after a directive)
    # Put your own IP in the first allow line; add more allow lines if needed,
    # or delete them. Everyone else is blocked.
    order deny,allow
    allow from 12.12.12.12
    allow from 11.11.11.11
    deny from all

    # Allow Ajax, we're running a business here!
    <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>
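As an added example that is not from the original post, the same wp-admin/.htaccess in Apache 2.4 syntax (the 2.2 order/allow/deny form above needs mod_access_compat on 2.4). The addresses 12.12.12.12 and 11.11.11.11 are the post's placeholders; replace them with your own.

```apache
# wp-admin/.htaccess (Apache 2.4 syntax)

# Block access to admin: only the listed client addresses may reach
# anything under wp-admin/. Require ip also accepts CIDR ranges
# (e.g. 198.51.100.0/24), useful when your ISP hands you a changing
# address from one fixed block.
<RequireAny>
    Require ip 12.12.12.12
    Require ip 11.11.11.11
</RequireAny>

# Allow Ajax: admin-ajax.php must stay reachable by everyone (front-end
# AJAX, shopping carts and so on). With the default AuthMerging Off,
# the Require in this <Files> section replaces the directory-level
# restriction above for this one file only.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Test it from an address that is not on the list: /wp-admin/ and /wp-login.php redirects into wp-admin should return 403, while /wp-admin/admin-ajax.php should still answer (WordPress replies with a plain 0 or 400 to an empty request, which is fine; the point is that it is not a 403). One caveat that applies to either syntax: if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address as the client, so the allow list matches the proxy rather than you and will either lock you out or let everyone through. On 2.4, mod_remoteip (RemoteIPHeader plus RemoteIPInternalProxy for the proxy's addresses) restores the real client address before the Require ip check runs.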

You can find more on Protecting WordPress Here

If spam is your problem, I have a great fix that, believe it or not, actually works and is free.

Comments

To preserve code added to a comment you can wrap your code in short tags
by using [square brackets]:

  1. PHP use - [php] <?php code here ?> [/php]
  2. CSS use - [css] #code-here {} [/css]
  3. HTML use - [html] <div> code here </div> [/html]
  4. JS use - [js] $(".codeHere") [/js]

Abinash Mohanty

04th, Feb, 14

Thanks for the tips, these are quite helpful. I only have one query about .htaccess under the wp-admin folder. How can we configure it for a dynamic IP, as “what is my IP” shows different addresses when I use my home WiFi or am at work, which has a different ISP? Can’t we map with the MAC address? I guess that is permanent, right! Let me know, thanks.

Aaron

26th, Jan, 15

Supposing you don’t like poking around your .htaccess file, this is a good option.
