5 Changes to htaccess to Improve Your WordPress Security

Essential Tips to Keep Your WordPress Blog Secure

Improving your WordPress security is an integral part of keeping hackers at bay and while there are a number of things you can do, we’re going to look at 5 changes to htaccess you can make to improve your WordPress security.

1. Ban Bad Users

If you continuously have the same IP address attempting to access your site or attempting to use brute force to access your admin pages, you can ban them by putting this little snippet of code in your .htaccess.

<Limit GET POST>
order allow,deny
deny from 202.090.21.1
allow from all
</Limit>

They will no longer have access to your site. You can easily add more by just repeating the deny line. Here’s an example:

<Limit GET POST>
order allow,deny
deny from 202.090.21.1
deny from 204.090.21.2
allow from all
</Limit>

2. Stop Access To wp-content

The wp-content folder contains images, plug-ins and themes. It is one of the key folders within your WordPress install so you will want to prevent access by outsiders.

This needs its own .htaccess file which you will need to add to the wp-content folder, it lets users see images, CSS etc… but it will protect the key PHP files:

Order deny,allow
Deny from all
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

3. No Directory Browsing

Because of the popularity of WordPress too many people now know the WordPress install structure and where to find the plug-ins that might give away too much information about your WordPress site. You can stop that by preventing directory browsing.

# directory browsing
Options All –Indexes

4. Individual File Protection

There are some files you want to make sure are protected on an individual bases rather than having to block the entire folder they reside in. The snippet example below shows you how to prevent access to the .htaccess file and doing this will throw a 403 if anyone accesses. You can change the filename to whatever file you want to protect:

<files .htaccess="">
order allow,deny
deny from all
</files>

5. Protect .htaccess

We are so busy worrying about whether we are using the correct plug-ins or whether we’ve installed all the updates for fixes, that we overlook that the .htaccess file is open for attack.

The snippet below will stop others from seeing any file on your site that starts with “hta”, so this will protect your site and make it safer.

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

This is by no means all of the ways you can improve your security with htaccess, but gives you a good start so get busy.

Leave a Reply

Your email address will not be published. Required fields are marked *