IMTIAZ EPU
Using .htaccess to Add Additional Web Security to Your WordPress Site

Modifying or creating .htaccess files can greatly improve the web security of your WordPress installation. Through this file, we can limit access to files and folders, perform redirects, disable directory browsing, and much more.

In this section we are going to focus on web security using your .htaccess files: denying access to your wp-config.php file, restricting your administration area if you wish, disabling directory browsing, and locking down the .htaccess file itself.

You edit .htaccess files with a plain text editor. Some operating systems and editors will not let you save a file locally with a name that begins with a dot. If that happens, save it as htaccess.txt, upload it to your server, and rename it to .htaccess there.

So let’s look at what your .htaccess file probably looks like.

Using an FTP program (FileZilla is free and multi-platform), download the .htaccess file from the root folder of your site and open it in a text editor such as Notepad on Windows, TextWrangler (free) on Mac, or Text Editor on Linux. It should look like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
</IfModule>
# END WordPress

When editing this file keep in mind that WordPress rewrites anything between the BEGIN WordPress and END WordPress lines whenever you save your permalink settings, so leave that block as it is. All of our additions go on the lines after the END WordPress line.

DISABLE DIRECTORY BROWSING

To disable directory browsing, add the following lines after the END WordPress line. Use the prefixed form shown here: Apache rejects a mix of prefixed and unprefixed options such as "Options All -Indexes", and the whole site then answers with a 500 error. The Options directive is only honoured in .htaccess when the server's AllowOverride setting includes Options (or All); if your host does not allow it, you will also get a 500 error and should remove the line.

#Prevent Directory Browsing
Options -Indexes

DISABLE ACCESS TO YOUR WP-CONFIG.PHP FILE

To protect your configuration file, which holds your database credentials and authentication salts, add the following to your .htaccess file. Normally PHP executes wp-config.php rather than serving it, but if the PHP handler is ever misconfigured a direct request could return the file as plain text. Note that this Files rule matches only the exact name wp-config.php, not a stray backup copy such as wp-config.php.bak, so do not leave such copies in the web root. The order/deny syntax below is Apache 2.2 syntax; Apache 2.4 accepts it only when mod_access_compat is loaded.

# Prevent Access to wp-config.php file
<files wp-config.php>
    order allow,deny
    deny from all
</files>

DISABLE ACCESS TO YOUR .HTACCESS FILES

Apache's default configuration already refuses to serve files whose names begin with .ht, so a direct request for .htaccess normally returns a 403 error anyhow, but it doesn't hurt to add another layer of protection in case that default has been changed on your server. To make sure nobody can read your .htaccess files, add the following to it:

# Prevent Access to .htaccess
<Files .htaccess> 
    order allow,deny 
    deny from all 
</Files>
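
The three rules above in one block, in a form that works on both Apache 2.2 and Apache 2.4 (where Order/Deny need mod_access_compat and the native directive is Require). This is an added example and not code from the original post; it goes beyond the page's own rules in that the FilesMatch pattern also catches backup copies such as wp-config.php.bak and every .ht* file, not just .htaccess.

```apache
# Added example, not from the original post: a 2.2/2.4-compatible block
# for the site-root .htaccess, placed after the "# END WordPress" line.

# Prevent directory browsing. Only the prefixed form is used here;
# "Options All -Indexes" mixes prefixed and unprefixed options, which Apache rejects.
Options -Indexes

# Deny direct requests for wp-config.php, any stray copy of it (wp-config.php.bak,
# wp-config.php~, ...) and every .ht* file (.htaccess, .htpasswd).
# FilesMatch compares only the file name, so this applies in every subfolder too.
<FilesMatch "^(wp-config\.php|\.ht)">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 (or 2.4 running with only mod_access_compat)
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After uploading it, check from outside the server with curl -I against your site: /wp-config.php and /.htaccess should both return 403 Forbidden, and a folder that has no index file should return 403 instead of a listing. If every page now returns 500 Internal Server Error, the host's AllowOverride setting does not permit Options or the access directives in .htaccess; remove the Options line first and ask the host.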

LIMIT ACCESS TO YOUR ADMIN FOLDER

Before you take this step there are some considerations. This option works well only if you connect from a fixed (static) public IP address. If your IP address changes you will end up locking yourself out too; you can always use FTP to remove or change the restriction. The address Apache checks is the one your request arrives from: behind a home router that is your public address, not a LAN address such as 192.168.1.1, and behind a CDN or reverse proxy it is the proxy's address unless the server has been configured to trust the forwarded client address. Note also that wp-login.php lives in the site root, not in wp-admin, so this rule does not restrict the login form itself. To lock everyone out except the IP listed (change it to yours), create a new .htaccess file in the wp-admin folder and add the following to it:

order deny,allow 
allow from 192.168.1.1 
deny from all

Don't forget to change the IP address to your own. You can find your current public IP address by searching Google for "what is my IP".

IF YOU PASSWORD-PROTECT OR IP-RESTRICT THE ADMIN FOLDER, YOU MAY BREAK ACCESS TO ADMIN-AJAX.PHP

Plugins and themes call wp-admin/admin-ajax.php from the public side of the site, including for visitors who are not logged in, so a blanket restriction on wp-admin breaks those features. Include the following in the .htaccess file in wp-admin to exempt that one file; Satisfy any lets a request through when either the host rule or the password check succeeds.

<Files admin-ajax.php> 
    Order allow,deny 
    Allow from all 
    Satisfy any 
</Files>
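
Putting the two admin steps together, here is an added wp-admin/.htaccess in both Apache 2.2 and Apache 2.4 syntax (example code, not from the original post). The addresses 203.0.113.10 and 2001:db8::/32 are documentation placeholders that you must replace with your own; on 2.4 several Require ip lines at the same level are combined with OR, and the Require inside the Files section replaces the folder-wide one for that file (the default AuthMerging Off behaviour), so the same exception also works if you protect wp-admin with a password instead of an IP list.

```apache
# Added example (not from the original post): wp-admin/.htaccess that admits
# only the listed addresses and keeps admin-ajax.php reachable for everyone.
# 203.0.113.10 and 2001:db8::/32 are placeholder documentation ranges;
# replace them with your own public address(es).

<IfModule mod_authz_core.c>
    # Apache 2.4 and later: sibling Require lines are OR'd together
    Require ip 203.0.113.10
    Require ip 2001:db8::/32

    # admin-ajax.php is requested by front-end plugins and themes on behalf of
    # logged-out visitors. With AuthMerging Off (the default) this Files
    # section's Require replaces the folder-wide rule for this one file.
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>

<IfModule !mod_authz_core.c>
    # Apache 2.2: deny is evaluated first, then the allow list wins
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 2001:db8::/32

    # Satisfy any also bypasses an AuthType Basic password check, if one is set
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
</IfModule>
```

To verify, request /wp-admin/ from an address that is not listed (a phone on mobile data works) and expect 403, then request /wp-admin/admin-ajax.php from the same address and expect a normal WordPress response (it answers "0" to a request without an action), not 403. Keep FTP access at hand in case you lock yourself out.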
