Tips And Tricks For Your WordPress Blog’s .htaccess File

Are you familiar with your WordPress install .htaccess file? This file is probably one of the most important configuration tools you could use to adjust the server settings to your needs, and to improve the performance and security of your website.



.htaccess stands for ‘Hypertext Access’. The file holds a set of commands you can edit to enable or disable functionality meant to safeguard your website from hacker attacks, spammers, and similar threats.


Sometimes these are basic redirects pointing to a particular external file; sometimes they are more advanced and cover password protection of content or prevention of hotlinking.


The .htaccess file lives in the root of the website (in a Multisite network as well), with a period in front of its name to indicate that it is a hidden file, so you won’t see it unless you’ve enabled that option in your client.


In the WordPress case, .htaccess is used to create pretty permalinks, and it is generated automatically once you switch away from the default URL settings. The file offers plenty of further options, such as rules that block unwanted visitors, or the popular 301 redirects.


As you can see, there is much more to .htaccess than permalinks. In fact, its strongest side is probably the capacity to secure your website and protect it from hackers, spammers, and other unauthorized visitors.


In this article, we’ve summarized several important .htaccess snippets you can use to strengthen the security of your website. Alongside the main ones, we’ve included a few additional ones we believe will be useful to you.


A tip for .htaccess beginners

The first thing to do is to protect the .htaccess file before editing it, so back it up: use an FTP client to connect to the site and download the file to your device. If things don’t turn out the way you expect, you can always upload the original version of the file again.


First of all, enable the display of hidden files, and make sure the FTP client has the permissions it needs for this. If the .htaccess file is missing from the website’s root folder, create a blank text file and name it .htaccess. Check that you’ve written the name correctly and don’t forget the period in front of it. When done, upload it to the root folder.


A secure .htaccess file

Before you consider any remodeling of your WordPress setup, make sure you’ve secured the .htaccess file itself. Inserting the following snippet is enough to shield the file from unwanted external access. The rule matches the file name without regard to case, so a file named .hTACcesS is protected just the same.



# Case-insensitive name match; Apache 2.4 needs mod_access_compat for order/deny (or use "Require all denied")
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Protecting the wp-config.php

The same code can be used to protect other important WordPress files, but to protect the wp-config.php file specifically, use this code:



<Files wp-config.php>
order allow,deny
deny from all
</Files>

Hiding Directories and disabling public viewing of the WordPress installation

One of the things that make WordPress so popular is that you can restrict public access to and browsing of its directories, which you do by inserting a simple piece of code into the .htaccess file:


# Disable directory listings
Options -Indexes

This blocks directory listings both for the main directory and for its subdirectories, that is, everywhere below the location where the change was made.


Banning questionable IP addresses

If you’re dealing with unusual and suspicious requests from a particular IP address, you can block that address to prevent it from reaching your website. All it takes is to open the .htaccess file and add the following code:



order allow,deny
# Replace xxx.xxx.xx.x with the address to block; everyone else is still allowed
deny from xxx.xxx.xx.x
allow from all

Using the .htaccess file to block image hotlinking

Hotlinking can work in your favour, since images shared on other websites are embedded straight from your website’s URL. Most often hotlinking happens on discussion forums and community portals, but some website owners also allow it by mistake, letting images be lifted from their posts without any intervention.


Hotlinking can be just as bad as it is good: it can slow your website down and drive up the bandwidth costs you’ve agreed with your hosting provider.


Disabling hotlinking entirely is not a good idea, but you can restrict it so that only your own website is allowed to load and serve the images. To do so, copy the code below into the .htaccess file; nobody but you will then be able to hotlink your images. Remember to replace the URL in the code with that of your website. Finally, decide how blocked requests are answered: the rule below returns a forbidden error, but you could serve a custom image instead.


RewriteEngine on
# Let requests with no Referer through (direct visits, some proxies, feed readers)
RewriteCond %{HTTP_REFERER} !^$
# Let your own site and the listed services through; replace yourwebsite.com
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2\.feedburner\.com/yourwebsite [NC]
# Every other request for an image gets 403 Forbidden
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

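
To see what the referer conditions above actually let through, here is an added Python model of the rule chain (not code from the article): it evaluates a request path and Referer the way mod_rewrite would, first with patterns that stop right after the host name as in the snippet, then with patterns that also anchor the end of the host. The host names are the article’s placeholders; the request samples are constructed.

```python
import re

# Referer patterns as in the snippet: nothing anchors the end of the host,
# so anything that merely starts with the host name is treated as "ours".
LOOSE_ALLOWED = [
    r"^http(s)?://(www\.)?yourwebsite\.com",
    r"^http(s)?://(www\.)?google\.com",
    r"^http(s)?://(www\.)?feeds2\.feedburner\.com/yourwebsite",
]

# Tightened patterns (an assumption added here, not from the article): the host
# must be followed by "/" or end of string, so look-alike hosts do not match.
STRICT_ALLOWED = [
    r"^https?://(www\.)?yourwebsite\.com(/|$)",
    r"^https?://(www\.)?google\.com(/|$)",
    r"^https?://(www\.)?feeds2\.feedburner\.com/yourwebsite(/|$)",
]

# The RewriteRule pattern, with [NC] modelled as IGNORECASE.
IMAGE_RE = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)


def hotlink_blocked(path, referer, allowed=LOOSE_ALLOWED):
    """Return True when the chain would answer 403 ([F]) for this request."""
    if not IMAGE_RE.search(path):
        return False            # the RewriteRule only applies to image URLs
    if referer == "":
        return False            # RewriteCond !^$ : an empty Referer passes
    for pat in allowed:
        if re.match(pat, referer, re.IGNORECASE):   # [NC] on each condition
            return False        # a whitelisted Referer passes
    return True                 # all negated conditions held: forbidden


if __name__ == "__main__":
    # Constructed samples; the last one is a look-alike host that only the
    # strict patterns reject.
    samples = [
        ("/img/a.png", ""),
        ("/img/a.png", "https://www.yourwebsite.com/post"),
        ("/img/a.png", "https://other.example/page"),
        ("/img/a.png", "https://yourwebsite.com.evil.example/"),
    ]
    for path, ref in samples:
        print(path, repr(ref), "loose:", hotlink_blocked(path, ref),
              "strict:", hotlink_blocked(path, ref, STRICT_ALLOWED))
```

The last sample shows why the end of the host should be anchored: with the snippet’s patterns a Referer of https://yourwebsite.com.evil.example/ is accepted as your own site.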
Blocking include-only files

As a WordPress user, you’ve probably come across files that are only ever loaded by other scripts and that you never request directly. Such include-only files can be blocked from direct access by simply adding this code to the .htaccess file:


# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
# Skip the next three rules for anything outside wp-includes/
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# On Multisite, the rule for wp-includes/*.php also blocks wp-includes/ms-files.php, which older network installs use to serve uploads.

Banning someone from your website

If you know the IP address of a malicious party, you can completely ban them from your website using the snippet below. For example, you could ban someone who always leaves abusive comments or someone who has attempted to access your admin area.



order allow,deny
# Placeholder addresses; replace them with the real ones, one deny line per address
deny from 123.456.78.9
deny from 987.654.32.1
allow from all

Redirecting URLs

301 redirects are important because they tell users and search engines that a URL has permanently moved to another location. You can use them to redirect a post, a page, a folder, or even to replace your entire website.


Basically, use a 301 redirect whenever a URL changes, for instance when changing the domain, the permalink structure of the website, or a page slug (my-article becomes myamazingarticle).


All you need to do is add a Redirect 301 line followed by the old location and then the new one. This is how the final result should look:


Redirect 301 /oldpage.html http://www.yourwebsite.com/newpage.html
Redirect 301 /oldfolder/page2.html /folder3/page7.html
Redirect 301 / http://www.mynewwebsite.com/

Protecting the website from script injections

This is a more advanced feature, but that doesn’t mean you won’t be able to use it. WP Recipes shared a way to use the .htaccess file to prevent malicious code injection into the PHP files.


Hackers who land on your website try to tamper with the WordPress GLOBALS and _REQUEST variables in order to inject malicious code through them. The following code helps you stop that, as it makes your server refuse such requests:


Options +FollowSymLinks
RewriteEngine On
# Refuse any request whose query string carries a <script> tag (raw or %-encoded)
# or tries to set the GLOBALS or _REQUEST arrays
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

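As an added example (not part of the original article), the following Python code applies the same three query-string conditions to constructed sample URLs. Running such rules against a set of known-good and known-bad requests before deploying them shows what they block and what legitimate traffic they catch as collateral.

```python
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns from the snippet as Python regexes. Apache
# joins them with [NC,OR] / [OR], so the request is refused when any one of
# them matches; only the first condition is case-insensitive ([NC]).
QUERY_STRING_CONDS = [
    re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"),
]


def matched_conditions(url):
    """Indices of the conditions that fire for this URL (handy for log triage).
    The patterns run against the raw, still percent-encoded query string,
    exactly as %{QUERY_STRING} holds it; the path and any POST body are
    never inspected by these rules."""
    query = urlsplit(url).query
    return [i for i, cond in enumerate(QUERY_STRING_CONDS) if cond.search(query)]


def query_string_refused(url):
    """True when the .htaccess rules would answer 403 ([F]) for this URL."""
    return bool(matched_conditions(url))


if __name__ == "__main__":
    # Constructed samples: an ordinary search, two tampering attempts, an
    # encoded tag, and a harmless search that trips the GLOBALS pattern.
    for u in [
        "https://example.test/?s=hello+world",
        "https://example.test/?GLOBALS[x]=1",
        "https://example.test/?_REQUEST=x",
        "https://example.test/?q=%3cscript%3ex%3c/script%3e",
        "https://example.test/?s=GLOBALS%20rock",
    ]:
        print(query_string_refused(u), matched_conditions(u), u)
```

Note the last sample: a search for "GLOBALS rock" is refused because the pattern accepts any percent-encoded byte after the word, so watch the 403 log for such collateral when you enable these rules.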
Conclusion

These tips and rules are the basics of WordPress protection, and at the same time your best insurance against hackers looking to change your settings to their advantage. Still, bear in mind that these changes are only the beginning, and you need a few additional steps to bolster security. No website out there is 100% safe, which means that however hard you try, there will always be something more to do.


Using the .htaccess file is among the first and best practices for adding some extra security. At the same time, it gives users plenty of room to experiment in their own way and to choose the tools that enhance their security.


Published on July 28, 2016 03:13