
Use WordPress .htaccess File to Secure Your Website for Users and Search Engines

March 29, 2017


WordPress is the most widely used Content Management System (CMS) on the web, and that popularity makes it an attractive target for attackers. On Apache-based hosting, .htaccess is the per-directory configuration file that the web server reads on every request. Through it you can control who may reach which paths, refuse direct requests to sensitive files and change how the server treats a directory. A .htaccess file can be placed in any folder of the site and applies to that folder and everything beneath it. Note that these rules only take effect when the site is served by Apache (or a server that reads Apache .htaccess files, such as LiteSpeed); Nginx ignores .htaccess entirely.

Precautions:

.htaccess controls how the web server handles your whole site, and Apache parses it on every request. A single typo, or a directive that your host's AllowOverride setting does not permit, makes the server answer every page with 500 Internal Server Error until the file is corrected. Before making any changes, back up your existing .htaccess file to an offsite location, and keep FTP/SFTP or your host's file manager open so you can revert the file if the site stops responding.

So, here we go!

WordPress writes a .htaccess file to its root directory when you enable pretty permalinks, so most installations already have one; the hosting account itself does not create it. If it is missing, create it with a plain-text editor and save it with the name ".htaccess" (with the leading dot, not "htaccess"); in Notepad set "Save as type" to "All files" so it is not saved as ".htaccess.txt". Upload it to the root directory of your WordPress installation, the folder that contains wp-config.php. The file only takes effect if the virtual host's AllowOverride setting permits the directives you use; ask your host if you are unsure.


1. Protect .htaccess

Because .htaccess controls the whole site, the first step is to stop the web server from serving it, and any other .ht* file such as .htpasswd, to visitors over HTTP. Apache's default configuration already contains this rule, but adding it to your own file makes sure it still holds on hosts that have changed the defaults. This only blocks HTTP requests: you can still edit the file over FTP/SFTP or through your hosting control panel, and so can anyone who obtains those credentials.

The Order/Deny lines are the Apache 2.2 access-control syntax used throughout this post. Apache 2.4 still accepts them when mod_access_compat is loaded, which most shared hosts enable, but the native 2.4 form is "Require all denied".

Just copy and paste the snippet below into your .htaccess file.

# deny HTTP access to .htaccess, .htpasswd and any other .ht* file
<FilesMatch "^\.ht">
order allow,deny
deny from all
satisfy all
</FilesMatch>

2. Protect wp-config.php

wp-config.php holds your database credentials, the authentication salts and other secrets. PHP normally executes it rather than showing its source, but a misconfigured PHP handler, or a leftover copy such as wp-config.php.bak or wp-config.php~ that PHP does not execute, can expose the contents as plain text. Deny direct requests to the file and to any copy whose name starts with wp-config.php. Copy and paste the lines below into your root .htaccess file.

# never serve wp-config.php or stray copies such as wp-config.php.bak
<FilesMatch "^wp-config\.php">
order allow,deny
deny from all
</FilesMatch>

3. Protect /wp-content/

wp-content is the folder in your WordPress directory that holds your themes, plugins, uploads and cache files. Because WordPress must be able to write to it and it receives uploaded files, it is where attackers try to place, and then request, PHP backdoors. Create a separate .htaccess file containing the snippet below.

# serve only static assets from wp-content; everything else, including any .php, gets 403
Order deny,allow
Deny from all
<FilesMatch "\.(xml|css|jpe?g|png|gif|webp|svg|ico|woff2?|ttf|js|json|map)$">
Allow from all
</FilesMatch>

Now, upload it to the "wp-content" folder (www.yourwebsite.com/wp-content/).

With this file in place the server only serves static assets from wp-content: XML, CSS, images, fonts and JavaScript. Every other request into the folder, including a .php file dropped into uploads, themes or plugins, is refused with 403 Forbidden. The rule does not stop files from being uploaded; it stops them from being requested, which is what turns an uploaded backdoor into a compromise. One caveat: a few plugins and themes expect browsers to call PHP files under wp-content directly. If part of the site breaks after adding this file, look for the 403 in the server error log and add that file or extension to the allowed list rather than removing the rule.

4. Protect include-only files

Some parts of WordPress are only ever loaded by other PHP files and never need to be requested by a browser: wp-admin/includes/, the top-level PHP files in wp-includes/, and the theme-compat and TinyMCE language directories. Refusing direct requests to them removes a set of URLs that exploit attempts routinely probe. Add the snippet below to your root .htaccess file, outside the "# BEGIN WordPress" and "# END WordPress" markers, because WordPress overwrites anything between those markers when it saves permalink settings. If you run a Multisite network, omit the wp-includes/[^/]+\.php line: it would block ms-files.php on networks that still serve uploads through it.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# nothing under wp-admin/includes/ is meant to be requested directly
RewriteRule ^wp-admin/includes/ - [F,L]
# skip the next three rules unless the request is inside wp-includes/
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

5. Limit Access to WordPress Admin Panel

Anyone who gets into the dashboard can install plugins and edit theme files, which means running arbitrary PHP on your server. If you and your editors always work from fixed addresses, you can restrict /wp-admin/ to those IP addresses so that a stolen password alone is not enough. Create another .htaccess file containing the snippet below and upload it to the "wp-admin" folder (www.yourwebsite.com/wp-admin/).

# allow the admin area only from the listed IP addresses (applies to every HTTP method)
order deny,allow
deny from all
allow from 12.34.56.78

Do not wrap these lines in <Limit GET POST PUT>: a <Limit> section only applies to the methods it names, so the remaining methods (HEAD, OPTIONS, DELETE, PATCH and so on) would stay open to everyone. Two further caveats. The login form itself is /wp-login.php in the site root, not under /wp-admin/, so this file does not limit login attempts; apply the same restriction to wp-login.php in the root .htaccess if that is what you want. And /wp-admin/admin-ajax.php is called from the public front end by many plugins, so you may need to re-allow that one file inside the same .htaccess with a <Files "admin-ajax.php"> section.

Anyone connecting from an address that is not on the list gets 403 Forbidden. If you see 500 Internal Server Error instead, the file has a syntax error or contains a directive your host's AllowOverride setting does not permit.

Don't forget to change "12.34.56.78" to your own public IP address; searching for "what is my IP" will show it. Make sure the address is static: if your provider assigns addresses dynamically, or you connect through a VPN, you will lock yourself out the next time it changes and will have to remove the file over FTP/SFTP. If you've got more than one moderator, list the addresses separated by spaces; a whole network can be given in CIDR notation (for example 198.51.100.0/24).

allow from 12.34.56.78 98.76.54.32 19.82.73.64

6. Ban Someone from Your Website

If a particular address keeps spamming your site or probing it for vulnerabilities, take its IP from the server access log (or from the comment metadata in the WordPress admin panel) and deny it in your root .htaccess file. Replace 203.0.113.9, a reserved documentation address, with the address from your logs, and check that every octet is between 0 and 255: Apache rejects a malformed address such as 123.456.78.9 and the whole file fails.

# deny everything from one abusive address; no <Limit> wrapper, so every HTTP method is covered
order allow,deny
deny from 203.0.113.9
allow from all

The banned address gets 403 Forbidden on every request. IP bans are cheap to evade (another node of the same botnet, a VPN or a proxy), so treat this as a nuisance filter and not as a fix for whatever the attacker was exploiting.
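Before uploading a .htaccess file it is worth checking it for the mistakes that are easy to make in snippets like the ones in sections 1 to 6. The script below is an added example, not code from the original post, from WordPress or from Apache. It flags three things: Apache 2.2-only access directives (Order, Allow, Deny, Satisfy), which fail on an Apache 2.4 server without mod_access_compat; addresses that are not valid IPv4/IPv6 addresses or CIDR networks (an octet above 255, for instance); and <Limit> sections that name only some HTTP methods, leaving the rest unrestricted. The sample input is constructed from the wp-admin and ban snippets with the page's placeholder addresses, and the host check is a simplification that does not accept the partial addresses or host names Apache itself allows.

```python
"""Static checks for WordPress .htaccess access rules.

Added example, not code from the original post, WordPress or Apache.
It reports:
  - Order/Allow/Deny/Satisfy: Apache 2.2 directives that need
    mod_access_compat on Apache 2.4, otherwise every request is a 500
  - an address that is not a valid IPv4/IPv6 address or CIDR network
  - a <Limit> section naming only some HTTP methods, so that the rules
    inside it leave the other methods unrestricted
The SAMPLE text at the bottom is constructed from the page's snippets.
"""
import ipaddress
import re

# Apache 2.2 host-based access directives (mod_access_compat on 2.4).
LEGACY_ACCESS_DIRECTIVES = {"order", "allow", "deny", "satisfy"}

# Methods a deny rule for an admin area should cover. Whatever a <Limit>
# section does not name is left untouched by the rules inside it.
METHODS_TO_COVER = {"GET", "HEAD", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"}

ALLOW_DENY_RE = re.compile(r"(?:allow|deny)\s+from\s+(.+)$", re.I)
REQUIRE_IP_RE = re.compile(r"require\s+(?:not\s+)?ip\s+(.+)$", re.I)
LIMIT_RE = re.compile(r"<limit\s+([^>]+)>", re.I)


def hosts_in(line):
    """Host tokens named by an allow/deny-from or Require ip line, if any."""
    for pattern in (ALLOW_DENY_RE, REQUIRE_IP_RE):
        m = pattern.match(line)
        if m:
            return m.group(1).split()
    return []


def is_valid_host(token):
    """True for 'all', or for a parseable IPv4/IPv6 address or CIDR network.

    Assumption of this example: Apache also accepts partial addresses such
    as '10.1' and host names; those are reported as bad here.
    """
    if token.lower() == "all":
        return True
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def lint_htaccess(text):
    """Return a list of (line_number, finding) for the given .htaccess contents."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split()[0].lower()
        if directive in LEGACY_ACCESS_DIRECTIVES:
            findings.append((lineno, "legacy-directive: '%s' needs mod_access_compat on "
                                     "Apache 2.4; use Require instead" % line.split()[0]))
        for host in hosts_in(line):
            if not is_valid_host(host):
                findings.append((lineno, "bad-ip: '%s' is not a valid IP address "
                                         "or CIDR network" % host))
        m = LIMIT_RE.match(line)
        if m:
            named = {t.upper() for t in m.group(1).split()}
            missing = sorted(METHODS_TO_COVER - named)
            if missing:
                findings.append((lineno, "limit-gap: rules inside <Limit> do not apply to "
                                         "%s; drop the <Limit> wrapper" % ", ".join(missing)))
    return findings


# Constructed sample: the wp-admin allow-list and the ban snippet as they
# would appear in one file (123.456.78.9 is deliberately not a valid address).
SAMPLE = """\
# Limit logins and admin by IP
<Limit GET POST PUT>
order deny,allow
deny from all
allow from 12.34.56.78
</Limit>
<Limit GET POST>
order allow,deny
deny from 123.456.78.9
allow from all
</Limit>
"""

if __name__ == "__main__":
    for lineno, finding in lint_htaccess(SAMPLE):
        print("line %d: %s" % (lineno, finding))
```

To check a real file, pass its contents to lint_htaccess(). On the sample it reports the incomplete method lists on lines 2 and 7, six legacy directives and the malformed address on line 9. A clean result only means these particular mistakes are absent; after deploying, still confirm with curl that /.htaccess and /wp-config.php return 403 and that the site's pages still load.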

7. Disable Directory Browsing

When a folder has no index file, Apache's default behaviour is to show a listing of everything in it. On a WordPress site that reveals which plugins and themes are installed, and therefore which versions to attack, and exposes backups, logs and uploads that were never meant to be linked.

Add the line below to your root .htaccess file to turn listings off; a bare directory URL then returns 403 Forbidden instead of a listing. Use "-Indexes" on its own rather than "Options All -Indexes": the "All" form resets every other option and is rejected on hosts whose AllowOverride does not allow it, which takes the whole site down with a 500.

# disable directory browsing
Options -Indexes
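The same protections rewritten for Apache 2.4, as an added example that is not from the original post or from WordPress. Apache 2.2 is no longer maintained, and on a 2.4 server the Order/Allow/Deny lines above only work while mod_access_compat is loaded. This version uses the mod_authz_core "Require" syntax, drops the <Limit> wrapper so every method is covered, and adds two items the sections above describe but do not show: re-allowing admin-ajax.php for the public front end, and applying the same IP restriction to wp-login.php in the site root. The addresses 203.0.113.10, 198.51.100.0/24 and 203.0.113.9 are placeholders for your own, and the text is split into three files by comments because each part lives in a different directory.

```apache
# ==== /.htaccess (WordPress root) ====
# Keep these lines outside the "# BEGIN WordPress" / "# END WordPress" markers.

# 1. never serve .htaccess, .htpasswd or any other .ht* file
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# 2. never serve wp-config.php or stray copies such as wp-config.php.bak
<FilesMatch "^wp-config\.php">
    Require all denied
</FilesMatch>

# 4. include-only files (Multisite: omit the wp-includes/[^/]+\.php rule)
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# 5 (extension). the login form lives in the root, so restrict it here too;
#    203.0.113.10 and 198.51.100.0/24 are placeholders for your admin addresses
<Files "wp-login.php">
    Require ip 203.0.113.10 198.51.100.0/24
</Files>

# 6. ban one abusive address (placeholder 203.0.113.9); covers every HTTP method
<RequireAll>
    Require all granted
    Require not ip 203.0.113.9
</RequireAll>

# 7. no directory listings
Options -Indexes

# ==== /wp-content/.htaccess ====
# serve static assets only; PHP dropped into uploads/themes/plugins gets 403
Require all denied
<FilesMatch "\.(xml|css|jpe?g|png|gif|webp|svg|ico|woff2?|ttf|js|json|map)$">
    Require all granted
</FilesMatch>

# ==== /wp-admin/.htaccess ====
# dashboard only from the listed addresses, every method, no <Limit> wrapper
Require ip 203.0.113.10 198.51.100.0/24
# admin-ajax.php is called by logged-out visitors through many plugins
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Two points about how Apache merges these. With the default AuthMerging Off, a Require inside a <Files> or <FilesMatch> section replaces the directory-level Require for the files it matches, which is what lets "Require all granted" re-open admin-ajax.php and the static assets under wp-content. And mod_rewrite per-directory rules are replaced, not inherited, by a subdirectory's own .htaccess, so the root rewrite rules do not run for requests under /wp-admin/ once that file exists; that is acceptable here because the IP restriction already refuses wp-admin/includes/ to everyone not on the list.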

8. Redirect a URL

A 301 status code tells browsers and search engines that a URL has moved permanently to a new location, so bookmarks, links and search rankings follow it. The Redirect directive from mod_alias can redirect a single page, a folder or the whole site. Add lines like the ones below to your .htaccess file; each gives the old path and then the new location.

Redirect 301 /oldpage.html http://www.yourwebsite.com/newpage.html
Redirect 301 /oldfolder/page2.html /folder3/page7.html
Redirect 301 / http://www.mynewwebsite.com/

Redirect matches the old path as a prefix, so the last line sends every URL on the old site to the new one, with the remainder of the path appended.

The first step to secure your WordPress website is your hosting. Sign up on secure Managed WordPress Cloud hosting. Then, you’ve got to secure it manually by implementing the above-mentioned tricks.


For protection beyond what .htaccess can give, such as login rate limiting, file integrity monitoring and a web application firewall, there are a number of plugins available in the WordPress repository. Some of the most popular ones are:

  1. Wordfence
  2. iThemes Security
  3. Sucuri Security
  4. All In One WP Security & Firewall

That about covers it for now. I hope you found this post informative. Implement these tricks on your WordPress site, and then test your security or you can follow these 10 WordPress security issues & how to fix them. Let me know if you have any questions or concerns, and I’ll get back to you.




Mustaasam Saleem

Mustaasam is the WordPress Community Manager at Cloudways - A Managed WordPress Hosting Platform, where he actively works and loves sharing his knowledge with the WordPress Community. When he is not working, you can find him playing squash with his friends, or defending in Football, and listening to music. You can email him at mustaasam.saleem@cloudways.com
