Best .htaccess snippets to secure your WordPress blog from hackers

There are many ways to secure your WordPress site from various forms of attack. One of the simplest is to add a few code snippets to your .htaccess file. These snippets strengthen the security of your WP site and so reduce the risk of your website being hacked.

What is .htaccess File?

An .htaccess file is a configuration file in your site’s directory which you can use to override the settings of your web server. With the right directives you can password-protect directories, prevent image hotlinking, and block IP addresses, files or folders from public access.

WordPress users generally first encounter this file when they fix the permalinks on their website. However, the file goes well beyond fixing permalinks: it can override many other configurations, mainly related to content control and management.

In this post, we are going to discuss some relevant tips and tricks to do much more with the .htaccess file. All the tips are useful, easy to follow, and will help you make the most of the .htaccess file.

Note: this tutorial applies to Apache and LiteSpeed servers only, as both read .htaccess files. The Order, Allow and Deny directives used below are Apache 2.2 syntax; Apache 2.4 still accepts them through mod_access_compat, but its native equivalents are "Require all granted" and "Require all denied".

1. Blocking Unwanted IP Addresses

The .htaccess file is a handy place to block one or more IP addresses from accessing your website. It’s a useful trick for blocking comment spam and other malicious traffic. To use it, add the following code to your .htaccess file. Note that the <Limit GET POST> wrapper restricts only those methods (HEAD is treated as GET); to block the listed addresses for every request method, leave the <Limit> wrapper out and keep just the order/deny/allow lines.

# Block one or more IP addresses. Replace IP_ADDRESS_* with the address you want to block

<Limit GET POST>
order allow,deny
deny from IP_ADDRESS_1
deny from IP_ADDRESS_2
allow from all
</Limit>

2. Disabling Directory Browsing

Many WordPress security plugins offer this option. With directory browsing disabled, a visitor who requests a directory without an index file no longer gets a listing of its contents, which would otherwise reveal your plugin, theme and upload structure. To do this, all you need to do is add the following line to your .htaccess file.

Options -Indexes

3. Giving Permissions to Only Selected Files from WP Content

wp-content is the directory where most of your themes, plugins and other media files reside. It’s a sensitive location and therefore should be handled with care. To deny access to everything under it and then selectively allow only file types such as JPG, PDF, DOCX and JS, place a .htaccess file containing the following snippet inside the wp-content directory. Be aware that this also blocks direct requests to PHP files under wp-content, which breaks the few plugins and themes that load their own PHP files directly.

# Disable access to all file types except the following

Order deny,allow
Deny from all
# Extend this list with any other static file types your site serves
<FilesMatch "\.(jpe?g|png|gif|css|js|pdf|docx?)$">
Allow from all
</FilesMatch>

4. Prevent Image Hotlinking

Image hotlinking, or bandwidth stealing, happens when other sites embed your files or images directly by URL, without your knowledge. Apart from the image itself being taken, every view is served from your bandwidth. Hotlink protection therefore saves bandwidth by preventing other sites from displaying your images. Adding this snippet to your .htaccess file will stop hotlinking on your website.

RewriteEngine On
# Allow requests with no referer (direct visits, some proxies) and your own domain
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
# Never rewrite the replacement image itself, or the redirect would loop
RewriteCond %{REQUEST_URI} !hotlink\.gif$
RewriteRule \.(gif|jpe?g|png)$ /hotlink.gif [R,L]

You’ll need to replace example.com with your own domain name, and /hotlink.gif with the path of an image on your server that tells the other site’s visitors that hotlinking is disabled on your website.

5. Tightening The Security of wp-config.php and .htaccess file.

wp-config.php is the most sensitive file of a WordPress powered website. It contains everything from the database credentials to other access keys and critical settings of your website. Given that sensitivity, you definitely don’t want anyone to read this file, so you need to block it from public access. Secondly, there is little point in securing each and every file unless you also tighten the security of the .htaccess file itself.

You can disable access to the wp-config.php file with the following code in your .htaccess file.

# Deny access to wp-config.php file

<Files wp-config.php>
order allow,deny
deny from all
</Files>

For .htaccess use the below mentioned code in the same file:

<Files .htaccess>
order allow,deny
deny from all
</Files>

6. Use Browser Caching

Enabling browser caching is an ideal way to improve the speed and performance of your website. Although there are various plugins to do this, adding the code below to your .htaccess file tells browsers how long to cache each file type, so repeat visits load quickly.

# Setup browser caching

<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 2 month"
ExpiresByType application/pdf "access 2 month"
ExpiresByType text/x-javascript "access 2 month"
ExpiresByType application/javascript "access 2 month"
ExpiresByType application/x-shockwave-flash "access 2 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 3 days"
</IfModule>

7. Redirecting Users to the Maintenance Page

Whenever you migrate your website from one host to another, or it is undergoing some kind of maintenance, it is always recommended to create a meaningful “maintenance” page to inform your visitors about the changes your website is undergoing. It’s a simple process: create a maintenance.html file and upload it to your WP directory. To redirect your visitors to this page, add the following snippet to your .htaccess file.

RewriteEngine on
# Do not redirect the maintenance page itself, or the redirect would loop
RewriteCond %{REQUEST_URI} !/maintenance\.html$
# Replace YOUR_IP_ADDRESS with your own address, dots escaped (e.g. 192\.0\.2\.10),
# so that you can still reach the site while everyone else sees the page
RewriteCond %{REMOTE_ADDR} !^YOUR_IP_ADDRESS$
RewriteRule ^.*$ /maintenance.html [R=302,L]

8. Creating Error Pages

You can make use of the .htaccess file to create custom 404, 403 and 500 error pages. It’s a simple process: first create an error.html page and upload it to your WordPress installation directory. Then enable the error page by adding the snippet below to your .htaccess file.

# Custom error page for error 403, 404 and 500

ErrorDocument 404 /error.html
ErrorDocument 403 /error.html
ErrorDocument 500 /error.html
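Every snippet on this page depends on containers such as <Files> or <Limit> being closed, on straight ASCII quotes, and on each RewriteRule having a target; a copy that loses a closing tag or picks up typographic quotes fails silently or produces a 500 error. As an added example that is not part of the original article, the following Python checker (a hypothetical helper, check_htaccess, run over a constructed sample) flags exactly those defects in the snippets from sections 1, 4, 6 and 8 before the file is uploaded.

```python
import re
# Container directives that must be closed with a matching </Name> line
CONTAINER_RE = re.compile(
    r'^<(/?)(Files|FilesMatch|Limit|LimitExcept|IfModule|Directory)\b[^>]*>$', re.I)
# Apache 2.2 access-control directives (need mod_access_compat on 2.4)
LEGACY_RE = re.compile(r'^(Order|Allow|Deny)\b', re.I)
ERRDOC_RE = re.compile(r'^ErrorDocument\s+\d{3}\s+/\s+\S', re.I)
SMART_QUOTES = '\u201c\u201d\u2018\u2019'

def check_htaccess(text):
    """Return a list of (line_number, message) findings for an .htaccess snippet."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = CONTAINER_RE.match(line)
        if m:
            closing, name = m.group(1) == '/', m.group(2)
            if not closing:
                stack.append((name.lower(), name, no))
            elif not stack or stack[-1][0] != name.lower():
                findings.append((no, f'unexpected </{name}> with no open container'))
            else:
                stack.pop()
            continue
        if any(q in line for q in SMART_QUOTES):
            findings.append((no, 'typographic quotes; Apache needs straight " quotes'))
        if ERRDOC_RE.match(line):
            findings.append((no, 'space after "/" breaks the ErrorDocument path'))
        if LEGACY_RE.match(line):
            findings.append((no, 'Apache 2.2 syntax; on 2.4 use Require all granted/denied'))
        parts = line.split()
        if parts[0].lower() == 'rewriterule' and (len(parts) < 3 or parts[2].startswith('[')):
            findings.append((no, 'RewriteRule has a pattern but no substitution target'))
    for _, name, no in stack:
        findings.append((no, f'<{name}> opened here is never closed'))
    return findings

# Constructed sample reproducing the defects seen in copied snippets
SAMPLE = """# constructed sample, 192.0.2.1 is a documentation address
<Limit GET POST>
order allow,deny
deny from 192.0.2.1
allow from all
ExpiresByType image/png \u201caccess 1 year\u201d
RewriteRule .(gif|jpg)$ [R,L]
ErrorDocument 403 / error.html
"""
```

Run check_htaccess on the contents of your own .htaccess file before uploading it; an empty list means none of these defects were found.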

And that’s all. Hopefully, you find the article useful and will use it efficiently dealing with the .htaccess file.