18 htaccess file codes to protect your website

Securing your WordPress website htaccess file

Protecting your WordPress site is crucial to safeguarding it against potential security threats. One effective way to enhance the security of your website is by utilising the power of the .htaccess file. Our WordPress Security experts regularly add the following 18 essential .htaccess code examples to WordPress and WooCommerce websites we develop and these examples can help you fortify your WordPress site against unauthorised access and potential vulnerabilities too:

What is the .htaccess File?

The .htaccess file is a configuration file used by the Apache web server to define directives that affect the behavior of your website. It resides in the root directory of your WordPress installation and can be modified to implement various security measures, such as restricting access to certain files or directories, blocking malicious requests, and more.

The Importance of Securing Your WordPress Site

WordPress powers a significant portion of websites on the internet, making it an attractive target for hackers and malicious actors. By taking proactive steps to secure your WordPress site, you can mitigate the risk of unauthorised access, data breaches, and other security incidents. The .htaccess file serves as a powerful tool in this regard, allowing you to implement security measures at the server level.

1. Block Directory Browsing

One of the first steps to securing your WordPress site is preventing directory browsing. By default, Apache allows users to view the contents of directories that don’t have an index file. However, this can expose sensitive information to potential attackers. To block directory browsing, add the following code to your .htaccess file:This code disables directory indexing and ensures that users cannot browse the contents of directories that lack an index file.

Options All -Indexes

2. Block Access to wp-config.php

The wp-config.php file contains sensitive information, including database credentials and security keys. It’s crucial to protect this file from unauthorised access. You can block access to the wp-config.php file by adding the following code to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

This code restricts access to the wp-config.php file, ensuring that it can only be accessed by the server and not by external users.

3. Block Access to .htaccess

Similar to wp-config.php, the .htaccess file itself should be protected. By preventing unauthorized access to this file, you maintain control over your website’s server-level configuration. Add the following code to your .htaccess file to block access:

<files .htaccess>
order allow,deny
deny from all
</files>

This code ensures that the .htaccess file is inaccessible to external users, reducing the risk of unauthorized modifications.

4. Block Access to PHP Files in the wp-content Directory

The wp-content directory contains essential files for your WordPress site, including themes and plugins. To enhance security, you can block access to all PHP files within the wp-content directory. Use the following code in your .htaccess file:

<FilesMatch ".(php)$">
deny from all
</FilesMatch>

This code prevents direct access to PHP files in the wp-content directory, adding an extra layer of security to your site.

5. Block Access to the wp-admin Directory by IP Address

Restricting access to the wp-admin directory based on IP address can significantly enhance your WordPress site’s security. By allowing access only to specific IP addresses, you limit potential attackers’ ability to reach the admin area. Add the following code to your .htaccess file:

<FilesMatch "^(wp-login.php)">
Order deny,allow
Deny from all
Allow from xx.xx.xx.xx
</FilesMatch>

Replace “xx.xx.xx.xx” with your actual IP address. This code ensures that only the specified IP address can access the wp-admin directory.

6. Block Access to the wp-login.php File by IP Address

In addition to restricting access to the wp-admin directory, you can further secure your site by limiting access to the wp-login.php file. Use the following code in your .htaccess file:

<FilesMatch "^(wp-login.php)">
Order deny,allow
Deny from all
Allow from xx.xx.xx.xx
</FilesMatch>

Replace “xx.xx.xx.xx” with your actual IP address. This code ensures that only the specified IP address can access the wp-login.php file.

7. Block Access to the xmlrpc.php File

The xmlrpc.php file in WordPress enables remote publishing and other functionalities. However, it can also be exploited by attackers. To protect your site, you can block access to the xmlrpc.php file by adding the following code to your .htaccess file:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

This code denies access to the xmlrpc.php file, preventing potential vulnerabilities associated with it.

8. Disable Server Signature

Server signatures reveal information about the server software, which can be useful for attackers. Disabling server signatures adds an additional layer of security. Add the following code to your .htaccess file:

ServerSignature Off

By turning off server signatures, you minimise the amount of information available to potential attackers.

9. Block Direct Access to the wp-includes Directory

The wp-includes directory contains critical WordPress files. Preventing direct access to this directory helps protect your site against potential security risks. Add the following code to your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

This code utilises mod_rewrite to block direct access to the wp-includes directory, enhancing the security of your WordPress site.

10. Protect the wp-config.php File

The wp-config.php file contains sensitive information, as mentioned earlier. In addition to blocking access, you can add an extra layer of protection to this file. Use the following code in your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

This code ensures that even if the server misconfigures, the wp-config.php file remains protected.

11. Prevent Hotlinking

Hotlinking refers to other websites directly linking to resources on your site, such as images, which can consume bandwidth and affect performance. To prevent hotlinking, add the following code to your .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www.)?yourwebsite.com [NC]
RewriteRule .(jpg|jpeg|png|gif)$ - [NC,F,L]

Replace “yourwebsite.com” with your actual website domain. This code blocks hotlinking from external domains.

12. Block Access to Specific File Types

Some file types may pose security risks if accessed directly. You can block access to specific file types using the following code in your .htaccess file:

<FilesMatch ".(htaccess|htpasswd|ini|log|sh|inc|bak|old|sql)$">
Deny from all
</FilesMatch>

This code denies access to files with extensions like .htaccess, .htpasswd, .ini, and others, which are often targeted by attackers.

13. Disable Directory Indexing

Disabling directory indexing prevents the server from displaying a list of files when no index file is present in a directory. To disable directory indexing, add the following code to your .htaccess file:

Options -Indexes

By disabling directory indexing, you prevent potential attackers from exploring the contents of directories without an index file.

14. Block Access to wp-content/uploads/ Directories

The wp-content/uploads/ directory contains media files uploaded to your WordPress site. Restricting access to this directory enhances security. Add the following code to your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-content/uploads/(.*)$ wp-content/uploads/$1 [NC,F,L]
</IfModule>

This code prevents direct access to files within the wp-content/uploads/ directory, reducing the risk of unauthorised file downloads.

15. Block Access to the wp-includes Directory

To further secure your WordPress site, you can block access to the wp-includes directory. Use the following code in your .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

This code employs mod_rewrite to block direct access to the wp-includes directory, reducing the exposure of critical WordPress files.

16. Block Access to Specific IP Addresses

If you want to restrict access to your WordPress site from specific IP addresses, you can utilise the following code in your .htaccess file:

<Limit GET HEAD POST>
order allow,deny
deny from 123.456.789
allow from all
</Limit>

Replace “123.456.789” with the IP address you want to block. This code denies access to the specified IP address while allowing access to all other users.

17. Block XML-RPC Requests

XML-RPC can be used for remote code execution and DDoS attacks. Blocking XML-RPC requests can help protect your WordPress site. Add the following code to your .htaccess file:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

This code denies access to the xmlrpc.php file, mitigating potential security risks associated with XML-RPC.

18. Limit Login Attempts

To protect your WordPress site from brute-force attacks, you can limit the number of login attempts. Add the following code to your .htaccess file:

<Files wp-login.php>
order deny,allow
Deny from all
allow from xxx.xxx.xxx.xxx
</Files>

Replace “xxx.xxx.xxx.xxx” with your IP address or the IP address you want to allow. This code restricts access to the wp-login.php file, making it more difficult for attackers to guess passwords through repeated login attempts.

WP Focus WordPress Security Services

At WP Focus, we understand that not everyone is comfortable with editing the .htaccess file. That’s why we offer WordPress security services to help you safeguard your website. Our team of experts can implement these security measures and more, providing you with peace of mind and ensuring that your WordPress site is protected against potential threats.

From regular backups and malware scans to security audits and vulnerability patching, we take a comprehensive approach to WordPress security. Don’t leave the security of your website to chance. Contact us today to learn more about how our services can help you protect your WordPress site with the best security practices and solutions.

Conclusion

Securing your WordPress site is of utmost importance to protect your website from potential threats. By utilising the .htaccess file and implementing the provided code examples, you can enhance the security of your WordPress site significantly. Remember to make backups of your .htaccess file before making any modifications and test your website thoroughly after implementing changes.

Take proactive steps to protect your website and ensure a safe browsing experience for your visitors. By implementing the recommended security measures, you can minimise the risk of unauthorised access, data breaches, and other security incidents.

FAQs

1. Can I add multiple code examples to my .htaccess file?

Yes, you can add multiple code examples to your .htaccess file. Ensure that each code snippet is separated by a new line and properly formatted.

2. How can I check if my .htaccess file is working correctly?

To check if your .htaccess file is working correctly, you can make a temporary change, such as redirecting a specific URL or blocking access to a test file. Test the functionality and ensure that the desired result is achieved. You can also monitor your website’s behavior and access logs to confirm that the changes are implemented as intended.

3. Is it necessary to back up my .htaccess file before making changes?

Yes, it is crucial to back up your .htaccess file before making any changes. This ensures that you can revert to the previous configuration if something goes wrong or if you encounter unexpected issues. Keep a copy of the original .htaccess file in a secure location.

4. Can I customise the code examples to fit my specific needs?

Absolutely! The provided code examples serve as a starting point. Depending on your specific requirements and website configuration, you may need to customise the code snippets accordingly. Make sure to understand the purpose and implications of each code example before making any modifications.

5. Are there any potential risks associated with editing the .htaccess file?

Editing the .htaccess file requires caution and understanding of the directives you are implementing. Incorrect configuration or syntax errors can lead to website issues or even server misconfigurations. Always double-check your code, make backups, and test your website thoroughly after making changes to the .htaccess file.

Get Started

Ready to get going? Click on one of the buttons below and tell us more about the web design, web development or website fix you need and we will be in touch with you within hours with some options to get your business moving in the right direction