How To Protect Your WordPress Site With Some Simple Tweaks To The .htaccess

WordPress is definitely not the most secure CMS on the planet. I love WordPress for simple low-traffic websites: it's free, and it has a ton of easy-to-use plug-ins that, in the majority of cases, remove the need for custom development. On the other hand, it is very prone to being hacked.

I've had several of my WordPress sites hacked over the years, and it's very annoying having to re-install things, delete infected files and deal with unwanted spam emails suddenly coming from your server. Out of the box, WordPress doesn't provide any server-level configuration to make itself secure. However, with a few little tweaks you can dramatically improve your security.

.htaccess

The .htaccess file in your webroot is the per-directory configuration file for the Apache web server: it can tell the server which files may be requested, what to do when an error occurs and a whole host of other things. To make WordPress more secure we are mostly interested in the part that controls file access:

Disable Directory Browsing

If you have never heard of directory browsing and you run a WordPress site, type www.yourwebsite.com/wp-content/uploads into your browser. You will probably see a listing of the files in that folder. This leak lets attackers work out which plug-ins you have installed, how your files are laid out and so on, which helps them target your website. We want to disable it, so that anyone who tries to snoop on a folder in your webroot sees a '403 Access forbidden' error instead.

First open the .htaccess file in your webroot (you will have to do this either via your hosting company's control panel or via FTP). It should look like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Add this single snippet after the # END WordPress marker. WordPress regenerates everything between # BEGIN WordPress and # END WordPress whenever you save your permalink settings, so custom rules must sit outside those markers or they will be wiped. Voila, directory listings are gone:

# Disable directory browsing
Options All -Indexes

Deny Image Hotlinking

Hotlinking is when another site embeds images that live on your server in its own pages, so your bandwidth pays for their traffic. Preventing image hotlinking can save you a lot of bandwidth by stopping other sites from displaying your images. To prevent this, add the following under the snippet above:

# Deny image hotlinking
RewriteEngine On
# never rewrite the fallback image itself, or the redirect would loop
RewriteCond %{REQUEST_URI} !/hotlink\.gif$
# an empty Referer (direct visits, bookmarks) is allowed through
RewriteCond %{HTTP_REFERER} !^$
# requests referred from our own pages (http or https) are allowed through
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
# everything else asking for a .gif or .jpg gets the substitute image
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/hotlink.gif [R,L]

In the snippet above change both occurrences of yourdomain.com to your domain. You will also want to upload an image called hotlink.gif to your webroot: if another site embeds one of your images, this is the image its visitors will see instead. The REQUEST_URI condition keeps the hotlink.gif request itself from being redirected again (which would otherwise loop), and allowing https:// as well as http:// in the Referer check keeps your own images working if your site is served over TLS.
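To see exactly which requests the rule chain above catches, here is an added example (my own code, not part of the original article) that models the RewriteCond/RewriteRule evaluation in Python: each condition is checked in Apache's order, and the chain stops at the first condition that fails. The domain and the fallback image path are placeholders taken from the snippet; the sample requests are constructed.

```python
import re
from typing import Optional

# Placeholder domain, as in the article's snippet (hypothetical).
OWN_DOMAIN = "yourdomain.com"
# Path of the substitute image the RewriteRule redirects hotlinkers to.
FALLBACK_IMAGE = "/hotlink.gif"


def hotlink_decision(path: str, referer: Optional[str], own_domain: str = OWN_DOMAIN) -> str:
    """Evaluate a request the way the hotlink RewriteCond/RewriteRule chain does.

    Returns "serve" when the rule does not fire and the image is sent normally,
    or "redirect" when the request would be rewritten to the fallback image.
    Conditions are tested in the order Apache tests them; the first condition
    that does not hold stops the chain, exactly as RewriteCond lines behave.
    """
    # RewriteRule \.(gif|jpg)$ ...  -- only .gif/.jpg requests are candidates
    if re.search(r"\.(gif|jpg)$", path) is None:
        return "serve"
    # RewriteCond %{REQUEST_URI} !/hotlink\.gif$  -- loop guard: the fallback
    # image is always served, otherwise the redirect target is redirected again
    if path == FALLBACK_IMAGE:
        return "serve"
    # RewriteCond %{HTTP_REFERER} !^$  -- an empty Referer passes
    # (direct links, bookmarks, browsers configured not to send it)
    if not referer:
        return "serve"
    # RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/.*$ [NC]
    own_site = re.compile(r"^https?://(www\.)?" + re.escape(own_domain) + r"/.*$", re.IGNORECASE)
    if own_site.match(referer):
        return "serve"
    # every condition held: another site is embedding the image
    return "redirect"


# Constructed sample requests: (request path, Referer header as received).
SAMPLE_REQUESTS = [
    ("/wp-content/uploads/photo.jpg", None),
    ("/wp-content/uploads/photo.jpg", "https://www.yourdomain.com/2013/post/"),
    ("/wp-content/uploads/photo.jpg", "http://other-site.example/gallery"),
    ("/hotlink.gif", "http://other-site.example/gallery"),
    ("/wp-content/themes/x/style.css", "http://other-site.example/gallery"),
]


def run_samples():
    """Return [(path, referer, decision)] for the constructed requests."""
    return [(p, r, hotlink_decision(p, r)) for p, r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, referer, decision in run_samples():
        print(f"{decision:8}  {path}  (Referer: {referer!r})")
```

The empty-Referer exemption is what makes this a bandwidth saver rather than a security boundary: the Referer header is supplied by the client, so the rule can only ever discourage casual embedding, which is all the article claims for it.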

Protect Some Crucial Files From Being Accessed Remotely

You have a number of files and folders on your website that only ever need to be used locally by the server. If your WordPress site does get compromised, these files are the ones most likely to be used to take the compromise further.

wp-config.php
This contains the most sensitive access credentials of your WordPress site, including the database username and password. We can protect it with this snippet:

# Deny wp-config.php access
<files wp-config.php>
order allow,deny
deny from all
</files>

.htaccess
After reading this tutorial, you should start to see how important this file is, and it should be protected from anyone reading or changing it over the web. You can do this using the snippet below, which denies web access to every file whose extension starts with .hta (so .htaccess and .htpasswd are both covered):

# Deny .htaccess access
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

wp-includes folder
The PHP files in the wp-includes folder are core WordPress code that is only ever loaded by other PHP files on the server; nobody, yourself included, needs to request them directly (the scripts and stylesheets in there are still served normally). To block direct requests to them we use this snippet:

# Block wp-includes PHP files from outside access
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# nothing under wp-admin/includes/ is ever requested by a browser
RewriteRule ^wp-admin/includes/ - [F,L]
# any request that is NOT under wp-includes/ skips the next three rules
RewriteRule !^wp-includes/ - [S=3]
# PHP files directly in wp-includes/ and in the TinyMCE language folder return 403
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
# the theme-compat folder is legacy code that should never be hit directly
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
xmlrpc.php
The last time one of my sites got exploited it was through xmlrpc.php. The XML-RPC file is the way WordPress accepts remote procedure calls over HTTP, so exploiting it allows hackers to do some annoying things on your website, and I like to lock it down as well. Note that the WordPress mobile apps and plug-ins such as Jetpack talk to your site through xmlrpc.php, so keep it open if you rely on them. This can be done using this:

# Deny access to xmlrpc.php
<files xmlrpc.php>
order allow,deny
deny from all
</files>
# END WordPress

Restrict Access to Your Admin Area

This is the main thing you should do, so I have kept it until last. In most attacks, a hacker will try to brute force your username and password to gain access to your WordPress site. Once they have access they can do a number of nasty things. To prevent brute-force attacks, you can lock your admin section down by IP address, so that only someone coming from your IP can reach the admin. There are a few ways to do this; I recommend creating a new .htaccess file and putting it in your wp-admin folder. Two caveats: the login form itself is wp-login.php in the webroot, not inside wp-admin, so it needs its own <files wp-login.php> block with the same three lines if you want it covered too; and wp-admin/admin-ajax.php is used by many themes and plug-ins to serve ordinary visitors, so blocking the whole folder can break front-end features that depend on it. The new file should look like this:

order deny,allow
allow from MYIP
deny from all

To make this work, simply change MYIP to your public IP address. You can find this out by typing 'whats my ip address' into Google. One thing to note is that most people don't have fixed IP addresses, so yours might change. If you can no longer reach your wp-admin files after setting this up, re-check your IP address and update the wp-admin .htaccess file.

This may seem like a pain, but this really is one of the main ways your site can be hacked. Personally I set mine, then log into my hosting company's file manager and update my IP address every time I want to do a blog post.
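The three-line file above relies on Apache's Order/Allow/Deny evaluation, which is easy to get backwards. The following is an added example (my own code, not from the article) that parses such a snippet and decides whether a given client IP is admitted, following the Apache 2.2 mod_authz_host rules: with Order deny,allow the Deny lines are checked first, then the Allow lines, an Allow match wins, and a client matching neither list is permitted; with Order allow,deny the roles are reversed and a client matching neither list is rejected. It also accepts CIDR networks, which Apache allows after "from", so a whole office network can be admitted. The IP addresses are constructed documentation-range values standing in for MYIP. Apache 2.4 replaced these directives with Require and only honours them when mod_access_compat is loaded.

```python
import ipaddress
import re
from typing import List, Tuple

# The wp-admin/.htaccess from the article, with MYIP filled in with a
# constructed documentation-range address standing in for the owner's IP.
ADMIN_HTACCESS = """order deny,allow
allow from 203.0.113.7
deny from all
"""


def parse_access_rules(text: str) -> Tuple[str, List[str], List[str]]:
    """Pull the Order value and the allow/deny host lists out of a .htaccess snippet."""
    order, allows, denies = "deny,allow", [], []   # Apache's default Order is Deny,Allow
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        m = re.match(r"(?i)^order\s+(\S+)$", line)
        if m:
            order = m.group(1).lower()
            continue
        m = re.match(r"(?i)^(allow|deny)\s+from\s+(.+)$", line)
        if m:
            target = allows if m.group(1).lower() == "allow" else denies
            target.extend(m.group(2).split())
    return order, allows, denies


def host_matches(client_ip: str, value: str) -> bool:
    """Match one 'from' value: 'all', a single address, or a CIDR network.
    (Apache also accepts partial dotted prefixes and hostnames; not modelled here.)"""
    if value.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False


def is_allowed(client_ip: str, text: str) -> bool:
    """Decide a request the way Apache 2.2 mod_authz_host does for this snippet."""
    order, allows, denies = parse_access_rules(text)
    allowed = any(host_matches(client_ip, v) for v in allows)
    denied = any(host_matches(client_ip, v) for v in denies)
    if order == "deny,allow":
        # Deny first, then Allow; an Allow match overrides; unmatched clients get in
        return allowed or not denied
    if order == "allow,deny":
        # Allow first, then Deny; a Deny match overrides; unmatched clients are rejected
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9", "127.0.0.1"):
        verdict = "allowed" if is_allowed(ip, ADMIN_HTACCESS) else "403 Forbidden"
        print(f"{ip:15} -> {verdict}")
```

Running it shows why the literal 127.0.0.1 in some copies of this file is a lock-out rather than a placeholder: only requests originating on the server itself match it, so the site owner at home gets the 403 along with everyone else.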

Conclusion

In today's guide, we've covered how to lock down our WordPress site to significantly reduce the risk of it being compromised. We have modified our root .htaccess file so it should look like this (all of our custom rules sit after the # END WordPress marker, and the Options line sits outside the mod_rewrite IfModule because it does not depend on that module):

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
# Disable directory browsing
IndexIgnore *
Options -Indexes
# Deny image hotlinking
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} !/hotlink\.gif$
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.com/.*$ [NC]
RewriteRule \.(gif|jpg)$ http://www.mydomain.com/hotlink.gif [R,L]
</IfModule>
# Block wp-includes folder and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Deny access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>
# Deny access to all .htaccess files
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
# Deny access to xmlrpc.php
<files xmlrpc.php>
order allow,deny
deny from all
</files>

You should also have a wp-admin .htaccess that looks like this, with 127.0.0.1 replaced by your own public IP address (as written it only admits requests from the server itself):

order deny,allow
# replace 127.0.0.1 with your own public IP address
allow from 127.0.0.1
deny from all
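As a final check, here is an added audit script (my own, not from the article) that reads a root .htaccess and reports which of the protections from this guide are present, and whether any custom rule still sits between the WordPress markers where a permalink save would erase it. It assumes the file uses the exact directives shown above and runs on a constructed sample in which the protections were pasted inside the markers, so the layout finding fires.

```python
import re
from typing import Callable, Dict, List

# Constructed sample: a root .htaccess with every custom rule placed between
# the WordPress markers. WordPress regenerates that region when permalink
# settings are saved, so an audit should flag the layout, not just the rules.
SAMPLE_HTACCESS = """# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
Options -Indexes
<files wp-config.php>
order allow,deny
deny from all
</files>
<files ~ "^.*\\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
<files xmlrpc.php>
order allow,deny
deny from all
</files>
# END WordPress
"""

# The lines WordPress itself writes between its markers.
STOCK_WP_LINES = {
    "<IfModule mod_rewrite.c>", "RewriteEngine On", "RewriteBase /",
    "RewriteRule ^index\\.php$ - [L]", "RewriteCond %{REQUEST_FILENAME} !-f",
    "RewriteCond %{REQUEST_FILENAME} !-d", "RewriteRule . /index.php [L]", "</IfModule>",
}


def files_blocks(text: str) -> Dict[str, str]:
    """Map each <files ...> target, as written, to the directives inside it."""
    return {m.group(1).strip(): m.group(2)
            for m in re.finditer(r"<files\s+([^>]+)>(.*?)</files>", text, re.I | re.S)}


def denies_all(body: str) -> bool:
    """True if the block contains a 'deny from all' line."""
    return re.search(r"^\s*deny\s+from\s+all\s*$", body, re.I | re.M) is not None


def custom_lines_inside_wp_markers(text: str) -> List[str]:
    """Non-stock lines between '# BEGIN WordPress' and '# END WordPress'."""
    m = re.search(r"^# BEGIN WordPress$(.*?)^# END WordPress$", text, re.S | re.M)
    if m is None:
        return []
    return [ln.strip() for ln in m.group(1).splitlines()
            if ln.strip() and ln.strip() not in STOCK_WP_LINES]


def audit_htaccess(text: str) -> Dict[str, bool]:
    """One True/False per hardening item from the guide, plus the layout check."""
    blocks = files_blocks(text)

    def protected(target_ok: Callable[[str], bool]) -> bool:
        return any(target_ok(t) and denies_all(b) for t, b in blocks.items())

    return {
        "directory_listing_disabled": re.search(r"^\s*Options\b.*-Indexes", text, re.M | re.I) is not None,
        "hotlink_rule_present": "%{HTTP_REFERER}" in text,
        "wp_includes_php_blocked": re.search(r"^\s*RewriteRule\s+\^wp-includes/.*\[F", text, re.M) is not None,
        "wp_config_protected": protected(lambda t: t.lower() == "wp-config.php"),
        "htaccess_protected": protected(lambda t: t.startswith("~") and "[hh][tt][aa]" in t.lower()),
        "xmlrpc_protected": protected(lambda t: t.lower() == "xmlrpc.php"),
        "custom_rules_outside_wp_markers": not custom_lines_inside_wp_markers(text),
    }


def missing_items(text: str) -> List[str]:
    """Names of the checks that failed, for a quick to-do list."""
    return [name for name, ok in audit_htaccess(text).items() if not ok]


if __name__ == "__main__":
    for name, ok in audit_htaccess(SAMPLE_HTACCESS).items():
        print(f"{'OK ' if ok else 'MISSING'}  {name}")
    for line in custom_lines_inside_wp_markers(SAMPLE_HTACCESS):
        print("  inside WordPress markers:", line)
```

Point it at a real file with `audit_htaccess(open(".htaccess").read())`; the checks are deliberately literal, so a protection written in a different but equivalent form (for instance Apache 2.4's Require all denied) will show as missing and needs a glance by hand.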

Jon D Jones

Software Architect, Programmer and Technologist Jon Jones is founder and CEO of London-based tech firm Digital Prompt. He has been working in the field for nearly a decade, specializing in new technologies and technical solution research in the web business. A passionate blogger by heart, speaker and consultant from England, always on the hunt for the next challenge.
