Protect Your WordPress Site with .htaccess

Lately there has been a spate of unwanted news kicking about the WordPress world. Many of my clients have reported increased levels of malicious activity on their sites, and some have reported huge jumps in the number of attempted accesses to the admin interface, i.e. wp-admin and wp-login.

Fortunately for you, there are a number of measures you can take to further improve security on your WordPress based website.

Using .htaccess to Secure WordPress

A .htaccess (hypertext access) file is a directory-level configuration file used by Apache, which is the predominant web server for the majority of WordPress based websites and the most widely supported web server overall.

I will be honest here, I do not know enough about Microsoft servers to warrant writing about it. Hence I am leaving it out.

Another widely used web server is Nginx; it doesn’t have an equivalent directory-level config file, so I will not be talking about that here either.

So if you have an Apache web server and are concerned about security then this is definitely for you.

In this guide we will cover the .htaccess rules for Apache 2.2 and 2.4.

How to Access .htaccess?

Your main .htaccess file will be located in the root folder of your WordPress install. You can access it using an FTP program such as FileZilla, or through the file manager that comes with cPanel on your server.

Protect wp-admin from Unwanted Users

wp-admin is the gateway to your admin interface; it is generic across all WordPress based websites and everyone knows that. Those with malicious intent will exploit poorly secured web servers by constantly trying to log in as admin with hundreds of thousands of password combinations. This is known as a brute force attack.

Note: the username admin should never be used; something more complex and less obvious will reduce the overall risk to your site, simply because many bots target sites using the username admin.

To prevent unwanted users accessing wp-admin, create a new .htaccess file, add the following at the top, and upload it to the wp-admin folder.

Apache 2.2

order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx

Replace xxx.xxx.xxx.xxx with your IP.

To add additional IPs, just copy the allow from line and change the IP.

Apache 2.4

As some users are now on Apache 2.4, it is appropriate to point out that the above directives will not work there. This is because the order deny,allow directive (and its allow/deny companions) is deprecated in this version.

So to achieve the same results we need to add the following instead.

Require all denied
Require ip xxx.xxx.xxx.xxx

Once again, replace xxx.xxx.xxx.xxx with your IP. To add more IP addresses, copy the Require ip line and change the IP.

So the above two directives basically say that unless a visitor has IP xxx.xxx.xxx.xxx, they won’t be able to access those addresses and will be returned a 404 not found.

Block Unauthorized Access to wp-login.php

If you don’t require members to log in to WordPress, or via WordPress, then it makes sense to block access to wp-login.php.

Bots will bombard this file just as much as wp-admin, so to protect it we will need to add the following to your main .htaccess file (same location as wp-admin, wp-content, wp-includes etc…).

Note: the default .htaccess for WordPress looks like this.

# BEGIN WordPress
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Of course this differs if your site is in a sub-directory, but it will look similar.

Add the following above the # BEGIN WordPress block to block access to wp-login.php.

Apache 2.2

<files wp-login.php>
  # Deny is evaluated first and a matching Allow then overrides it;
  # with order allow,deny the "deny from all" would win and lock you out too
  order deny,allow
  deny from all
  allow from xxx.xxx.xxx.xxx
</files>

Apache 2.4

<Files wp-login.php>
  Require all denied
  Require ip xxx.xxx.xxx.xxx
</Files>

Just to clarify, your main .htaccess file will now look something like this.

<Files wp-login.php>
  Require all denied
  Require ip xxx.xxx.xxx.xxx
</Files>

#Other htaccess rules that you may have will be here, such as caching etc

# BEGIN WordPress
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
</IfModule>
# END WordPress
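To see why the wp-admin and wp-login snippets above admit only the listed address, and why the Order keyword matters on Apache 2.2, here is an added Python model of Apache's host-based access control (my own example, not code from this post; the addresses in the fragments it is fed are constructed documentation addresses). It parses the 2.2 Order/Allow/Deny lines and the 2.4 Require lines and reports whether a given client IP would be admitted.

```python
import ipaddress

def ip_matches(pattern, client_ip):
    """Match one Allow/Deny/Require-ip source against a client address."""
    if pattern == "all":
        return True
    if "/" in pattern:  # CIDR block such as 203.0.113.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    # exact address, or a partial dotted prefix such as "203.0.113"
    return client_ip == pattern or client_ip.startswith(pattern.rstrip(".") + ".")

def parse(snippet):
    """Pull Order/Allow/Deny (2.2) and Require (2.4) lines out of an .htaccess fragment."""
    order, access, require = "deny,allow", [], []  # "deny,allow" is Apache's default Order
    for line in snippet.splitlines():
        words = line.split()
        if not words or words[0].startswith(("#", "<")):
            continue  # comments and <Files>...</Files> container tags carry no rule
        verb = words[0].lower()
        if verb == "order":
            order = words[1].lower()
        elif verb in ("allow", "deny") and words[1].lower() == "from":
            access += [(verb, src) for src in words[2:]]
        elif verb == "require":
            require.append((words[1].lower(), words[2:]))
    return order, access, require

def allowed_22(order, access, client_ip):
    """Apache 2.2 (mod_access_compat) semantics of the Order directive."""
    allow = any(ip_matches(s, client_ip) for v, s in access if v == "allow")
    deny = any(ip_matches(s, client_ip) for v, s in access if v == "deny")
    if order == "deny,allow":  # default allow; an Allow match overrides a Deny match
        return allow or not deny
    return allow and not deny  # allow,deny: default deny; needs an Allow and no Deny

def allowed_24(require, client_ip):
    """Apache 2.4: top-level Require lines form an implicit <RequireAny>, so access
    is granted only if some directive grants it; 'Require all denied' never grants."""
    for kind, args in require:
        if kind == "all" and args == ["granted"]:
            return True
        if kind == "ip" and any(ip_matches(a, client_ip) for a in args):
            return True
    return False

def check(snippet, client_ip):
    """True if client_ip would be admitted by the given .htaccess fragment."""
    order, access, require = parse(snippet)
    return allowed_24(require, client_ip) if require else allowed_22(order, access, client_ip)
```

Feeding it `order allow,deny` together with `deny from all` and an `allow from` line shows the allowlisted address is still refused, because under that order any Deny match wins; this is the check to run before relying on a 2.2 allowlist.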

Block Unauthorized Access to wp-config.php

wp-config.php is a very important file: it contains valuable information and, even more importantly, the login credentials for your database.

To secure this we just apply the same method as above.

Apache 2.2

<files wp-config.php>
  order allow,deny
  deny from all
</files>

Apache 2.4

<Files wp-config.php>
  Require all denied
</Files>

Disable Directory Browsing

This can be done at the server level, but for those with limited access you can also add this to your .htaccess to prevent listing of directories such as plugins. By default WordPress guards against directory browsing by placing an empty index.html or index.php in its folders, but we cannot assume that every plugin and other third-party application follows the same practice. So for that reason we should still disable directory browsing by adding the following to the top of your .htaccess.

# Disable directory browsing
Options All -Indexes

Secure your Wp-Includes folder

The WordPress Codex has the following recommendation for adding a second layer of protection, and I think it’s right to follow it.

This will prevent access to scripts that are not intended to be accessed directly by a user.

Place this above your WordPress rewrite rules, just above the line that says # BEGIN WordPress.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
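To see which requests those five rules actually refuse, including how the [S=3] line skips the three wp-includes checks for anything outside that folder, here is an added Python walk-through of mod_rewrite's per-directory rule processing (my own example, not from the Codex or this post; the sample paths in the test are constructed).

```python
import re

# The Codex "include-only files" rules from the section above, copied verbatim.
INCLUDE_RULES = r"""
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
"""

def parse_rules(text):
    """Turn RewriteRule lines into (compiled regex, negated?, flag set) tuples."""
    rules = []
    for line in text.splitlines():
        words = line.split()
        if len(words) < 3 or words[0].lower() != "rewriterule":
            continue
        pattern = words[1]
        flags = set(words[3].strip("[]").split(",")) if len(words) > 3 else set()
        negated = pattern.startswith("!")  # a leading "!" inverts the pattern
        rules.append((re.compile(pattern.lstrip("!")), negated, flags))
    return rules

def status_for(path, rules=None):
    """Walk the rules as mod_rewrite does in a per-directory context and return the
    status the request would get: 403 when a matching rule carries [F], otherwise
    200 meaning the request passes through. `path` is relative to RewriteBase /,
    e.g. 'wp-includes/load.php'."""
    rules = parse_rules(INCLUDE_RULES) if rules is None else rules
    i = 0
    while i < len(rules):
        regex, negated, flags = rules[i]
        i += 1
        if bool(regex.search(path)) == negated:  # no match (after applying "!")
            continue
        if "F" in flags:                         # F: answer 403 Forbidden at once
            return 403
        for flag in flags:                       # S=n: skip the next n rules
            if flag.startswith("S="):
                i += int(flag[2:])
        if "L" in flags:                         # L: stop processing this rule set
            break
    return 200
```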

Prevent Robots from Crawling just about everything

Bots will crawl just about everything on your site, so we need to tell them not to crawl unnecessary files and directories. This can be done via .htaccess, but I prefer to use a robots.txt file.

See the companion guide on how to configure robots.txt for WordPress.

Secure .htaccess

Well, there is no point securing anything if people can access and modify .htaccess, so we should secure this too.

Add the following near the top of your .htaccess.

Apache 2.2

# Prevent .htaccess and .htpasswd files from being viewed by Web clients.
<FilesMatch "^\.ht">
  Order allow,deny
  Deny from all
  satisfy all
</FilesMatch>

Apache 2.4

# Prevent .htaccess and .htpasswd files from being viewed by Web clients.
<Files ".ht*">
  Require all denied
</Files>

That’s not all, there is more…

There are many more ways to protect your website; above we have covered just a few of them. Your server can also be secured further, and by applying a few good practices such as strong passwords you can significantly reduce the possibility of being hacked or having your site compromised in some other way.

A few Other Tips to Consider

  • Utilize the security methods available for other potential access points, such as email accounts that could be hijacked.

Gmail has multiple levels of security and you should make use of all of them. The last thing you need is someone accessing your emails and doing a password reset.

  • Ensure you keep all your plugins and themes up to date.
  • Keep backups of your site on your local computer as well as the server. (That way, if your site got totally wiped, you still have something to fall back on.)

Meet the Author

Matthew Horne

Matthew Horne is a web developer who specializes in optimized development. He also builds custom solutions instead of resorting to plugins. Matthew has a strong understanding of PHP, JavaScript and jQuery.

3 comments
  • Mark Williams Apr 27, 2013, 1:58 am

    Hi Matt – good article mate. Asked you something last night on Twitter but thought it best to pop on here 😉 Ok so this method is great for people (whether that be clients logging in to update their WP sites/blogs or owner/admins that have a “static” IP address). In my particular case, we run a dynamic, and some of our clients login thru various mobile devices using different Telco carriers, and the IP address often varies also. Now you mentioned in a tweet back to me, that yes, for those that HAVE an IP address, would need to be static. Initially I thought: “when wouldn’t they have one?” – but then… I’m thinking… I might be missing something?

    Would love to implement this method of security you outline here for clients going forward rather than having to install some of the “security” plugins out there (e.g. Wordfence, Better WP Security) as I’m sure these plugins will have their drawbacks/problems if not now, but in the future. Plus fast (less plugins) is good 🙂

    PS – your site loads like a rocket 🙂 I’ve put together a few WP sites using Thesis and other frameworks but Thesis def. comes up trumps speed-wise 😉

    Ok love to hear your opinion on this as I want to get everything as bullet-proof as possible going forward for my clients, and I don’t think the hackers are going to let up anytime soon 😉

    • Matthew Horne Apr 27, 2013, 7:36 am

      Hi Mark, so basically the IP restriction is for those who have a static IP; you can add multiple IP addresses if needed. It also doesn’t work on those USB dongles (mobile wifi USB cards). However there are other ways to secure your site. One of them would be to actually add a second layer of protection by password protecting the files and/or folders. If you have cPanel, this is really easy, but it can also be done via .htaccess.

      I will write another post about password protecting files and directories, so what that would simply mean is, for example, wp-admin and wp-login would require 2 login phases. So even if your initial login is breached, there is still a second layer to go through; if both usernames and passwords are totally different and complex, then it’s pretty darn difficult to brute force your way in.

      Another method is to limit login attempts; again I will add this to my next post about securing WordPress.

      Ref, site, it’s not bad eh. My home page is a mere 108kb, yet it conveys a far greater message than my previous design. The efficiency of Thesis is certainly at the top, which is why I love working with it. I can crunch a site down to something very small, yet it will still look busy. But I prefer sites that are simple, to the point, and my philosophy is that the less options you give people, the more likely they are to do what you would like them to do, in an interactive sense.

      Stay tuned for another post on security.

      • Mark Williams Apr 28, 2013, 2:28 am

        Thanks for the clarification and the heads up on the other methods to secure the folders/logins Matt. I’ll stay posted for your articles as I’m now a fan of your work 😉 meanwhile I’ll go ahead and implement those suggestions on securing the folders through cPanel.

        Yes your homepage is lean and mean. I hear you on the “less is more” approach seeming to become more prevalent these days and I def think that’s a good thing. From listening to guys like yourself and Chris Pearson I’m starting to develop an obsession with speed and efficiency as well – (adding to all the other disorders I have lol).

        Once again mate, thanks for the great info and keep up the good work.
