How to Secure Your WordPress site with .htaccess

With the number of attackers growing day by day, websites are constantly exposed to security risks. Whether or not your website looks worth hacking, someone will still try to take it down, and compromising the site is one way to do that. If your website is not secured, attackers can use techniques such as SQL injection, cross-site scripting, DDoS attacks, and many more. The purpose of a breach is not always to steal your data or shut the site down; sometimes it is simply to test the attacker's skills. That is why website security is a must these days. In this article, I am going to write about how to secure your WordPress site using .htaccess.

Before going further, make sure you choose a secure hosting provider so that attackers cannot infiltrate your system. Also, make your website's username and password unique and strong. There are many other things to consider, but let's stick to .htaccess techniques for now.

Malware infections and hacks on WordPress sites can be very tough to clean up, and there is more to prevention than installing anti-hack plugins. Read the following tips before going further.

  1. Make sure all of your file permissions are correct.
  2. Use strong passwords, and make sure you remember them; you don't want to reset your password every time you forget it.
  3. Never use admin as your login username! I would change that as soon as possible if I were you.
  4. Keep all of your plugins and themes up to date, and delete any unnecessary or inactive plugins you don't need. Most of the time, hackers get in through old plugins. That is their stairway to heaven.

Secure Your WordPress site with .htaccess

1. Protecting .htaccess itself from Attacks

Because .htaccess controls how Apache serves your whole website, it is a natural target for malware, unauthorized access, and other attacks. So you need to protect the .htaccess file itself from being read or rewritten over the web. Add the following code:

# Limit others from reading or editing .htaccess over HTTP
# (file-system access is governed by file permissions, not by this block)
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" inside the block
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>

2. Disabling Directory Browsing

Attackers also try to harvest all of your website's images and files. By default, the Apache server behind WordPress enables directory browsing, meaning all the files and folders inside a directory without an index file are visible and accessible to visitors.


These days, security is a primary necessity not only for websites but for other networked servers as well. If you go through large, well-known websites, more than 80% of them do not have directory browsing disabled. This allows any visitor to browse through wp-content/uploads, wp-content/themes, or any other directory that does not have a default index.php file.

Code Snippet

# Disable directory browsing
# "Options -Indexes" alone is enough; "All" also re-enables other options
# and can cause a 500 error on hosts that restrict AllowOverride Options
Options All -Indexes

3. Protecting wp-config.php with .htaccess

wp-config.php is one of the most important core files in WordPress and lives in the root of the WordPress directory. It holds all the information about the database, host, username/password, and security keys, so access to it must be locked down.

Insert the following lines of code to block web access to it.

# Protecting wp-config file from being requested over HTTP
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" inside the block
<Files wp-config.php>
order allow,deny
deny from all
</Files>

4. Restricting wp-admin to selected IP Address

Brute force attacks target the WordPress login and dashboard. If the attacker knows your username, half of the job is done; all that remains is to try password after password with an automated tool. Attackers rotate through many IP addresses with such tools so that they are hard to trace. That is why restricting access by IP is a useful way to secure your site.

Here’s the Code:

# Restricting logins and admin by IP
# Put this in wp-admin/.htaccess; in the site root it would block the whole site.
# Note: plugins and themes call wp-admin/admin-ajax.php from the front end, and
# wp-login.php lives in the site root, so handle those separately if needed.
# No <Limit> wrapper: it would only restrict the listed methods (HEAD and others
# would pass), and Apache advises against <Limit> for access control.
# Apache 2.2 syntax; on Apache 2.4 use "Require ip IP_ADDRESS_1 IP_ADDRESS_2".
order deny,allow
deny from all
allow from IP_ADDRESS_1
allow from IP_ADDRESS_2
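As an added check (not from the article), the following Python script audits an .htaccess for the protections from sections 1 to 4: that .htaccess and wp-config.php are denied, that directory listing is off, that every "allow from" address is a valid IP or CIDR, and whether the file relies on Apache 2.2 directives. The sample .htaccess is constructed and includes a deliberately malformed address.

```python
import ipaddress
import re

# Constructed sample .htaccess combining this article's snippets. The first
# "allow from" address is deliberately malformed (an octet above 255), the
# kind of copy-paste mistake that silently locks out the address it was meant for.
SAMPLE_HTACCESS = """\
<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>
Options All -Indexes
<Files wp-config.php>
order allow,deny
deny from all
</Files>
order deny,allow
deny from all
allow from 123.456.789.52
allow from 203.0.113.7
"""

FILES_BLOCK = re.compile(r'<Files\s+"?([^\s">]+)"?>(.*?)</Files>', re.I | re.S)
DENY_ALL = re.compile(r"^\s*(deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.I | re.M)
ALLOW_IP = re.compile(r"^\s*(?:allow\s+from|Require\s+ip)\s+(\S+)", re.I | re.M)
LEGACY = re.compile(r"^\s*(order|allow\s+from|deny\s+from|satisfy)\b", re.I | re.M)
NO_INDEXES = re.compile(r"^\s*Options\b.*-Indexes", re.I | re.M)


def audit_htaccess(text):
    """Report which of the article's protections an .htaccess actually contains."""
    blocks = {name.lower(): body for name, body in FILES_BLOCK.findall(text)}
    invalid_ips = []
    for addr in ALLOW_IP.findall(text):
        try:
            ipaddress.ip_network(addr, strict=False)  # accepts single IPs and CIDR ranges
        except ValueError:
            invalid_ips.append(addr)
    return {
        "htaccess_protected": DENY_ALL.search(blocks.get(".htaccess", "")) is not None,
        "wp_config_protected": DENY_ALL.search(blocks.get("wp-config.php", "")) is not None,
        "indexes_disabled": NO_INDEXES.search(text) is not None,
        "invalid_allow_ips": invalid_ips,
        # order/allow/deny/satisfy are Apache 2.2 directives; Apache 2.4 only
        # honours them when mod_access_compat is loaded, otherwise they error.
        "uses_apache22_syntax": LEGACY.search(text) is not None,
    }
```

Running audit_htaccess(SAMPLE_HTACCESS) flags 123.456.789.52 as invalid and reports the other four checks as true.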

5. Disabling/Preventing Image Hotlinks

Hotlinking means embedding images hosted on your site directly in pages on another website, which consumes your bandwidth every time that page loads. And the worst part is, you are not even credited for it. This slows down your website. The following code puts a stop to it.

The Code:

# Prevent image hotlinking
RewriteEngine on
# Allow requests that carry no Referer (direct visits, privacy settings)
RewriteCond %{HTTP_REFERER} !^$
# Allow requests referred from our own site; the dot is escaped and the host
# is terminated with (/|$) so a look-alike host does not pass; NC = case-insensitive
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com(/|$) [NC]
# Everything else: return 403 Forbidden for image files
RewriteRule \.(gif|png|jpeg|jpg)$ - [NC,F,L]

Note: Make sure to replace yourwebsite.com with your own domain name, leaving the www part as it is.
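To see how the two conditions and the rule interact, here is an added Python emulation (not from the article) of that chain over constructed request paths and Referer headers; yourwebsite.com is the article's placeholder domain. The referer pattern is tested in two forms, with and without a terminator after the host name, to show why the terminator matters.

```python
import re

# The article's RewriteRule pattern (matched anywhere in the request path, NC).
IMAGE_RULE = r"\.(gif|png|jpeg|jpg)$"
# Referer pattern for the article's placeholder domain, in two forms: without a
# terminator after the host name, and with one (the hardened form assumed here).
UNANCHORED = r"^https?://(www\.)?yourwebsite\.com"
ANCHORED = r"^https?://(www\.)?yourwebsite\.com(/|$)"


def is_blocked(path, referer, referer_pattern=ANCHORED):
    """Emulate the chain; True means Apache answers 403 (the F flag).

    Both RewriteConds are negated with '!', so the rule fires only when the
    Referer is non-empty AND does not match our own site; the RewriteRule then
    forbids only image paths. Anything else falls through and is served.
    """
    referer_present = referer != ""                                     # !^$
    referer_foreign = re.match(referer_pattern, referer, re.I) is None  # ![NC]
    is_image = re.search(IMAGE_RULE, path, re.I) is not None            # [NC]
    return referer_present and referer_foreign and is_image


def evaluate(requests, referer_pattern=ANCHORED):
    """Run (path, Referer) pairs through the chain; returns (path, referer, blocked)."""
    return [(path, ref, is_blocked(path, ref, referer_pattern)) for path, ref in requests]


# Constructed sample requests as Apache would see them.
SAMPLE_REQUESTS = [
    ("/wp-content/uploads/logo.png", ""),                                      # direct visit
    ("/wp-content/uploads/logo.png", "https://www.yourwebsite.com/blog/"),     # own site
    ("/wp-content/uploads/logo.png", "https://forum.example/thread/42"),       # hotlink
    ("/wp-content/uploads/Logo.JPG", "https://forum.example/thread/42"),       # NC flag
    ("/about/", "https://forum.example/thread/42"),                            # not an image
    ("/wp-content/uploads/logo.png", "http://yourwebsite.com.lookalike.example/"),
]

if __name__ == "__main__":
    for path, ref, blocked in evaluate(SAMPLE_REQUESTS):
        print(f"{'403' if blocked else '200'}  {path:32}  Referer: {ref or '(none)'}")
```

With UNANCHORED the look-alike host passes as if it were your own site, which is why the hardened pattern terminates the host name.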

Final Thoughts

Because .htaccess controls how your whole website is served, treat it with care. Before trying each of the above steps, make sure you have backed up your .htaccess file: a single missing character can take the site down with a server error.

There are plenty of other tricks to secure a WordPress site. If you have any better tips, feel free to comment in the form below.