Creative Website Design

1519 E. 14th St

Russellville, AR 72802

1 479 747 7202

Give Us A Call

Mon - Fri: 7:30 - 12:30

Phone Call Availability

Harden WordPress Security via htaccess

Harden WordPress Security via htaccess

Share on facebook
Share on google
Share on twitter
Share on linkedin

It should certainly come as no surprise that over the past few weeks, WordPress websites have come under attack. In this article we are going to be address how to harden WordPress security via htaccess.

Where Your Security Should Start

I’m a firm believer that the security of your website should start at the core level, which would be where your website is hosted. For years, many people have turned to shared hosting as their platform for getting up and running with WordPress.

While I fully understand the cost prohibitiveness behind this, what doesn’t make sense is how you could be opening doors to those would-be hackers who have nothing better to do than to see if they can hack their way into your website.

I don’t want to get into the game of calling out any one or several cheap shared hosting providers, as I think the vast majority of us understand who they are.

Your A Single Property, Not A Motel

Say what? Let me break it down like this. If you’re using a shared hosting provider, it’s much the same as living in an apartment complex. You have neighbors, but you can necessarily control what your neighbors do. If you’ve ever experience having the dreaded bugs in your home that nobody ever wants, then you will understand where I am going with this.

However, if you live in a single family dwelling you have more control over situations like this and are less apt to be disturbed by what your neighbors are doing unless you live right on top of each other.

Top Level Hosting Security

There are several top-level hosting providers who are set up to cater specifically to WordPress based websites and have security at the very forefront of their services included within the various packages they offer.

My personal favorite is FlyWheel. FlyWheel offers one of the premiere security features across the board. Sucuri is their turn-to partner. In the event that someone would hack into their site, they take immediate actions to both prevent further attacks as well as remove any malicious code that may have been injected without doing any further damage.

It’s all about the control factor.

Security Plugins

While I am not a huge fan of having to use security plugins, as I feel they add unnecessary bloat and most people do not know how to properly configure them and end up doing more damage than what they were trying to prevent.

Furthermore, if you’re dealing with a top-end hosting provider, they will not even allow you to allow the installation of these plugins.

With the introductory information being out of the way, let’s begin taking a look at the code you will need.

Code To Harden WordPress Security via htaccess

Protect your .htaccess file

#Protect .htaccess
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

Protect your wp-config.php file

# Protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all

Protect your error_log file

#Protect error_log
<files error_log>
order allow,deny
deny from all

Protect your WordPress Website from SQL Injection

In my opinion, this has to be one of the most critical points that you can harden. Most general attacks to your site are going to rely upon the utilization of SQL injections into your website.

#Protect from SQL Injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (< |%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Restrict Direct Access to Plugin and Theme PHP files

# Restrict Direct Access to Plugin and Theme PHP files
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

Secure the wp-includes Directory

# Protect Include-Only files
<ifmodule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Don’t Let People Browse your Directories

# Disable directory browsing
Options All -Indexes

Block Author Scans

I want to stop and highlight on this one for a brief moment. By default WordPress assigns the #1 to the default admin user of the account. When initially installing a fresh copy of WordPress, give both a username and password that has absolutely nothing to do with your identity. After you have set up your admin username and password, then go in and create a login for the “Editor Position” for yourself.

You should really only be using the Admin login for updates and things of that nature.

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans

Block WordPress XMLRPC Requests

Let’s tap on this subject for second. If you are NOT going to be using the JetPack plugin to share to your social networking sites, then I highly recommend that you put this into play. It is another area that seems to be soft and often finds itself subject to malicious hacks.

# Block WordPress xmlrpc.php requests
<files xmlrpc.php>
order deny,allow
deny from all

Looking At Other Methods Of Increasing WordPress Security

Now that you have a few amazing snippets of coding to place into your .htaccess file, let’s take a moment to examine another area that seems to be easy pickings for would-be hackers.

Everyone knows that the way to the login page for most WordPress sites is

Why not utilize a plugin to rename that to something like “*56dhbldMnbls87^%,” you get the idea. You can name this to anything you would like, and the harder you make it to guess or to find, the less you are going to have the autobots trying to slam your login page.

Of course their other things you can do to circumvent unwanted hackers. Limit login attempts, automatically blog anyone that tries using the “Admin” username. Also, check into using two-factor authentication.

While using any of the above methods is not a 100% guarantee to preventing anyone hacking your site, I can promise you that you will make significantly harder for them to get in. Many when denied very quickly will be about their business.

Before You Begin Hardening WordPress Via Your .htaccess

Okay, hopefully after reading this, you’ll be better equipped and ready to dive in and make some crucial changes.

As always, make sure you have completed a backup of your site. As you begin implementing each piece of code provided above, make sure that you have your browser open in a incognito window or even another browser and refresh it as you implement each code to ensure that your website still performs without any hick-ups

Let me know if you used any of these and other ways that you are looking into to increase the security of your WordPress website design.

Share on facebook
Share on google
Share on twitter
Share on linkedin

Keep Current With Trending Design Features & Ideas

Greg Hyatt

Thanks For Reading Today!

Things change across the Internet almost on a daily basis! Our goal is to provide you with useful and insightful content that provides you with the tools you will need to keep your online presence looking sharp!

The easiest way is by subscribing to our monthly news letter!

Let's Get Started

Drop us a quick note so we can help you determine your best solution to deliver your online presence.

Tell us about your online needs