

Best .htaccess Snippets to Improve WordPress Security

WordPress security is one of the most neglected areas among novice bloggers. In an unsupervised WordPress installation there are quite a few potential weaknesses that are left unattended. Most WordPress installation tutorials explain a quick and easy way to deploy WordPress in minutes, but they skip a few important security aspects. For example, directory browsing and using the 'admin' username are considered serious security loopholes. Today we're going to look at 10 .htaccess code snippets that will help improve your WordPress blog's security. Before we get started, let's take a quick look at what the .htaccess file is.

What is the .htaccess file?

An .htaccess file is an optional per-directory configuration file that the Apache web server reads on every request to that directory (and its subdirectories). You can store various settings in it, such as password-protecting a directory, blocking IPs, blocking a file or folder from public access, and so on. Traditionally, the .htaccess file lives in the base WordPress installation directory, where WordPress writes the rewrite rules for your permalink structure by default.

Two things to check before relying on it: the server configuration must have AllowOverride enabled for the directory (otherwise Apache silently ignores the file), and other web servers such as nginx do not read .htaccess at all. Note also that the Order/Allow/Deny access-control directives used in the snippets below are the Apache 2.2 syntax; on Apache 2.4 they only work while the mod_access_compat module is loaded, and the native replacement is the Require directive.

TIP: Before you start with the tutorial, make sure to back up the current .htaccess file (if present), for example in a cloud storage service like Dropbox. That way you can roll back to the last known working .htaccess file if a certain code snippet breaks your site. Let's begin.

1. Block Bad Bots


One of the best uses of the .htaccess file is its ability to deny one or more IP addresses access to your site. This is useful for blocking known spammers and other origins of suspicious or malicious traffic. The code is:

# Block one or more IP addresses.
# Replace IP_ADDRESS_* with the IP you want to block.
# Note: <Limit GET POST> only covers GET and POST (HEAD counts as GET); drop the
# <Limit> wrapper if you want the deny to apply to every HTTP method.

<Limit GET POST>
order allow,deny
deny from IP_ADDRESS_1
deny from IP_ADDRESS_2
allow from all
</Limit>

Where IP_ADDRESS_1 is the first IP you want to keep from accessing your site. You can add as many IPs as you want. No matter what user agent (browser) these addresses use, they won't be able to fetch a single file from your server with the listed methods; Apache answers with 403 Forbidden. Keep in mind that an IP block is a blunt instrument: attackers rotate addresses easily, and a shared or carrier-grade NAT address can cover many innocent users.
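The same block written for Apache 2.4, added here as an example (it is not from the original post). The two addresses are placeholders from the RFC 5737 documentation ranges; replace them with the ones you actually want to block. Unlike the snippet above it is deliberately not wrapped in <Limit>, so the deny applies to every HTTP method, and the <IfModule> guard keeps the 2.2 syntax as a fallback on older servers.

```apache
# Added example: block a list of addresses, Apache 2.4 first, 2.2 fallback.
# 203.0.113.0/24 and 198.51.100.17 are placeholders; replace with real ones.
<IfModule mod_authz_core.c>
    # Apache 2.4+: everyone is allowed unless one of the "not" rules matches.
    <RequireAll>
        Require all granted
        Require not ip 203.0.113.0/24
        Require not ip 198.51.100.17
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 (or 2.4 with only mod_access_compat).
    Order allow,deny
    Allow from all
    Deny from 203.0.113.0/24
    Deny from 198.51.100.17
</IfModule>
```

Both forms accept CIDR ranges, so a whole abusive network can be listed in one line. Test from a blocked address (or add your own address temporarily) and confirm you get a 403 for a GET, a POST and an OPTIONS request alike.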

2. Disable Directory Browsing


This is one of the most overlooked security flaws on a WordPress site. Many default Apache configurations enable directory indexes (Options Indexes), which means that every directory that lacks an index file is listed to any visitor, files and subfolders included. You don't want that, because you don't want people browsing through your media uploads or your theme and plugin files.

If I pick 10 personal or business websites running WordPress at random, 6-8 of them won't have directory browsing disabled. That lets anyone snoop around the wp-content/uploads folder or any other directory that has no index.php file. In fact, the screenshot I took for this section was from one of my clients' sites, before I recommended the fix. The code snippet to disable directory browsing:

# Disable directory browsing.
# Use -Indexes on its own: "Options All -Indexes" would also switch on every
# other option (Includes, ExecCGI, ...) that the server-level config had off.
Options -Indexes

3. Allow Only Selected Files from wp-content


As you know, the wp-content folder contains your themes, plugins and all media uploads. You certainly don't want people to access it without restriction. In addition to disabling directory browsing, you can also deny access to all file types except a few. In essence, you selectively unblock files like JPG, PDF, DOCX, CSS, JS, etc. and deny the rest. To do that, paste this code snippet into your .htaccess file:

# Disable access to all file types except the following
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|js|jpe?g|png|gif|pdf|docx|rtf|odf|zip|rar)$">
Allow from all
</Files>

You need to create a new .htaccess file with this code and place it in the wp-content folder. Don't put it in the base installation directory, or it will block the whole site. You can add any file type to the list by appending a '|' after 'rar' followed by the extension. The list above contains the necessary files: XML, CSS and JavaScript, common image and document formats and finally the most-used archive formats. Check that it covers everything your theme actually loads (webfonts such as .woff2 and newer image formats such as .webp are common omissions), and be aware that it also blocks direct requests to any PHP file under wp-content, which some plugins rely on.
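A version of the wp-content allow-list for Apache 2.4 with the 2.2 directives as a fallback, added here as an example rather than taken from the original post. It also adds the file types that current themes request and the original list lacks (webp, svg, ico, webfonts, mp4); that set of extensions is an assumption about a typical theme and upload folder, so adjust it to yours.

```apache
# Added example: wp-content/.htaccess
# Default-deny, then re-open only the extensions a browser legitimately needs.
# SVG is included because themes ship icons in it; if you let untrusted users
# upload SVG, remove it, since an SVG can carry scripts (stored XSS).
<IfModule mod_authz_core.c>
    Require all denied
    <FilesMatch "\.(xml|css|js|jpe?g|png|gif|webp|svg|ico|pdf|docx?|rtf|odf|zip|rar|woff2?|ttf|eot|mp4)$">
        Require all granted
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    <FilesMatch "\.(xml|css|js|jpe?g|png|gif|webp|svg|ico|pdf|docx?|rtf|odf|zip|rar|woff2?|ttf|eot|mp4)$">
        Allow from all
    </FilesMatch>
</IfModule>
```

Because .php is not in the list, any plugin or theme file that visitors request directly (rather than through WordPress's index.php) starts returning 403. Watch the error log for a day after enabling it and add a <Files> exception only for endpoints you have verified are meant to be public. Remember that Apache merges .htaccess files from the document root downwards, so a file a plugin drops into wp-content/uploads can override these rules for that subtree.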

4. Restrict All Access to wp-includes


The wp-includes folder contains only the files that are strictly necessary to run the core of WordPress, without any plugins or themes. Remember, the default theme still resides in the wp-content/themes directory. Visitors' browsers do fetch scripts and stylesheets from wp-includes, but nobody (including you) should need to execute a PHP file in it directly, and that is what the following snippet blocks (it is the rule set recommended on the WordPress Codex "Hardening WordPress" page). Note that it does not suit older Multisite networks, because the rule for wp-includes/*.php also blocks ms-files.php, which those networks use to serve uploaded media.

# Block the include-only files in wp-admin/includes and wp-includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# If the request is not under wp-includes/, skip the next 3 rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

5. Allow Only Selected IP Addresses to Access wp-admin


The wp-admin folder contains the files that power the WordPress dashboard. Normally, your visitors don't need access to it; only people with an account (editors, contributors and other admins) do. A simple security measure is therefore to let only a few selected IP addresses reach the wp-admin folder and deny the rest of the world. This code snippet does exactly that:

# Limit logins and admin by IP
# Replace IP_ADDRESS_* with the addresses that may reach the dashboard.
# As in snippet 1, <Limit> narrows this to the listed methods only.
<Limit GET POST PUT>
order deny,allow
deny from all
allow from IP_ADDRESS_1
allow from IP_ADDRESS_2
</Limit>

Make sure you create a new .htaccess file and place it in the wp-admin folder, not the base installation directory. If you put it in the latter, nobody except you will be able to browse your site, not even search engines, which you certainly don't want. Two more things to be aware of: wp-login.php lives in the base directory, not in wp-admin, so this snippet does not stop login attempts; and wp-admin/admin-ajax.php is called by many plugins on behalf of ordinary visitors, so blocking it can break front-end features. A few downsides of this measure are as follows:

  • If your site allows or promotes new user registration, it would be nearly impossible to keep track of every user's address. For example at WPSaviour, if you want to download our premium free themes, you have to register.
  • People with dynamic IP addresses (mostly ADSL broadband users on PPP or PPPoE) get a new IP each time they reconnect to their ISP. It would be impractical to keep track of all those IPs and add them to the htaccess file.
  • Mobile broadband: whether you're on 3G or 4G, your IP address depends on the cell tower you're currently connected to. If you're travelling, your IP will change every few miles. Again, keeping the htaccess file up to date is nearly impossible.
  • Public Wi-Fi hotspots: logging in over plain HTTP from a public hotspot is a big no-no, since anyone on the same network with a packet sniffer can capture every character you type (HTTPS prevents that). And of course every hotspot has its own public IP address.

Fortunately, all these disadvantages (save the first one) can be fixed by using a VPN. If you set your VPN to always connect through a single, fixed exit IP address, you can simply add that IP to your htaccess file and all your problems are solved.
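A wp-admin/.htaccess for Apache 2.4 that keeps admin-ajax.php reachable, added here as an example (it is not part of the original post). The addresses are placeholders from the RFC 5737 documentation ranges; replace them with your own. The 2.2 fallback is included for older servers.

```apache
# Added example: wp-admin/.htaccess
# Only the listed addresses may reach the dashboard. Several Require lines at
# the same level are OR-ed together. admin-ajax.php is re-opened because
# plugins call it from the public site on behalf of anonymous visitors.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
    <Files admin-ajax.php>
        Allow from all
    </Files>
</IfModule>
```

wp-login.php is not inside wp-admin, so this does nothing for the login form; if you want the same restriction there, add a <Files wp-login.php> section carrying the same Require lines to the root .htaccess. After enabling it, log in from an allowed address, then exercise an AJAX-driven feature of the public site (a search box, a contact form) from a non-listed address to confirm the exception works.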

6. Protect wp-config.php and .htaccess from Everyone


The wp-config.php file contains the most sensitive credentials of your WordPress site: the database name and access credentials, the authentication keys and salts, and various other settings. You never want other people looking into this file. Normally Apache hands it to PHP, so its source is never sent to a browser, but a broken PHP handler or a stray backup copy (wp-config.php.bak, wp-config.php~) can expose it as plain text, which is why you deny direct access anyway. And of course you want to disable public access to the source of all this security, the .htaccess file itself. You can disable access to wp-config.php with the following code:

# Deny access to the wp-config.php file
<Files wp-config.php>
order allow,deny
deny from all
</Files>

To deny access to all htaccess files (remember some may reside in wp-admin and other folders), use this code snippet:

# Deny access to all .htaccess files
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
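The same two protections in Apache 2.4 syntax, added here as an example rather than taken from the original post. It tightens the wp-config.php rule to a prefix match so that editor and backup copies are covered too, and it uses the ^\.ht pattern that Apache's own default configuration uses for .htaccess and .htpasswd.

```apache
# Added example: goes in the root .htaccess
# "^wp-config\.php" also catches wp-config.php~, wp-config.php.bak,
# wp-config.php.save, wp-config.php.orig and similar leftovers, which the
# server serves as plain text because PHP is not registered for those names.
<IfModule mod_authz_core.c>
    <FilesMatch "^wp-config\.php">
        Require all denied
    </FilesMatch>
    <FilesMatch "^\.ht">
        Require all denied
    </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
    <FilesMatch "^wp-config\.php">
        Order allow,deny
        Deny from all
    </FilesMatch>
    <FilesMatch "^\.ht">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

Apache's stock httpd.conf already contains the .ht rule, so that part is a belt-and-braces measure for hosts that removed it. The more robust fix for wp-config.php is to move it one directory above the document root: WordPress looks there automatically when the file is absent from the installation directory, and then no web server rule is needed at all. To verify the rule, create an empty wp-config.php.bak, request it with curl -I, confirm the 403, and delete the dummy again.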

7. Deny Image Hotlinking


One of the coolest .htaccess hacks, this one sends content scrapers running with their tails between their legs. When someone embeds your site's images on their page, your bandwidth is consumed and, more often than not, you aren't even credited. This code snippet fixes that and serves a replacement image of your choosing whenever a hotlink is detected, that is, whenever the Referer header names a site other than yours. Two caveats: the Referer header is easily spoofed, so this deters casual scraping rather than a determined copier, and it also blocks legitimate embeds such as feed readers and image search results.

# Prevent image hotlinking. Replace yourdomain.com with your own domain and
# the last URL with any image you want to serve instead.
RewriteEngine on
# Requests with no Referer (direct visits, privacy-conscious browsers) pass.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]
# Optional: a second site that is allowed to embed your images.
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?anotherdomain\.com [NC]
# The replacement image itself must be exempt, or the redirect loops.
RewriteCond %{REQUEST_URI} !/hotlink\.jpg$
RewriteRule \.(jpg|jpeg|png|gif)$ https://yourdomain.com/hotlink.jpg [NC,R,L]

8. Enable Browser Caching


Also known as client-side caching, this .htaccess hack enables the recommended browser caching options for your WordPress site. You can use it on other projects as well, such as plain HTML sites. It is a performance tweak rather than a security one; just make sure you never give long lifetimes to responses that differ per user.

# Set up browser caching (requires mod_expires)
<IfModule mod_expires.c>
ExpiresActive On
# Apache serves .jpg as image/jpeg; there is no "image/jpg" type
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType text/javascript "access 1 month"
# Legacy: only matters if you still serve Flash files
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>

9. Redirect to a Maintenance Page


When you're migrating web hosts or performing some maintenance job, it's always recommended to create a static "down for maintenance" HTML file to tell your visitors that the website is undergoing an upgrade or maintenance. Simply create a maintenance.html file (or any other filename) and upload it to the base WordPress installation directory. Then paste the following snippet into your .htaccess file. Once the operation is over, make sure to delete or comment out these lines to return to normal operation. You can comment out a line by putting a '#' at the beginning of it.

# Redirect all traffic to the maintenance.html file
# Replace IP_ADDRESS_1 with your own address, with the dots escaped
# (for example ^203\.0\.113\.10$), so you can still reach the site yourself.
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance\.html$
RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS_1$
RewriteRule .* /maintenance.html [R=302,L]
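A maintenance rule that answers 503 Service Unavailable instead of redirecting, added here as an example (it is not from the original post). A temporary redirect to /maintenance.html can end up cached by proxies and indexed by search engines; a 503 with a Retry-After header tells them the outage is temporary. 203.0.113.10 is a placeholder for your own address.

```apache
# Added example: maintenance mode with a proper 503
ErrorDocument 503 /maintenance.html
<IfModule mod_headers.c>
    # "always" is needed so the header is attached to error responses too
    Header always set Retry-After "3600"
</IfModule>
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Let the maintainer through
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    # Don't 503 the maintenance page itself, nor the assets it links to
    RewriteCond %{REQUEST_URI} !^/maintenance\.html$
    RewriteCond %{REQUEST_URI} !\.(css|js|png|jpe?g|gif|svg|ico)$ [NC]
    # With a non-3xx status the substitution is ignored; Apache returns 503
    RewriteRule .* - [R=503,L]
</IfModule>
```

Verify with curl -I from a non-listed address: the status line should read 503 and carry the Retry-After header, while the body served is your maintenance.html. Remove or comment out the block when the work is done, exactly as for the 302 version.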

10. Custom Error Pages


You can also use the .htaccess file to configure user-friendly custom error pages for errors such as 403, 404 and 500. Once you have prepared your error page, let's say error.html, upload it to your base WordPress installation directory. Then add the following code snippet to your .htaccess file to enable the custom error page. Keep the page static: a PHP error page can itself fail and loop on a 500. Note that Apache only serves it for requests it handles directly (a missing file in wp-content, a 403 from the snippets above); pretty-permalink URLs are routed through index.php, so WordPress's own 404 template still covers those.

# Custom error page for errors 403, 404 and 500
# Paths are relative to the document root; use a static HTML file
ErrorDocument 404 /error.html
ErrorDocument 403 /error.html
ErrorDocument 500 /error.html


Today we've learnt some of the coolest htaccess hacks to strengthen your WordPress site. I would suggest you try out each module one at a time, taking a backup of the .htaccess file before and after testing each one. This is because the .htaccess file is very sensitive: a missing '#' character or a misplaced '</IfModule>' can take your whole site down with a 500 error. If you access your WordPress dashboard often on the go, it's advisable not to restrict your wp-admin folder to selected IPs.
