Protect your WordPress site with .htaccess

  • Knowledge needed: Basic coding, experience with WordPress
  • Requires: WordPress 3.1+
  • Project time: 30 minutes

WordPress is the world’s most popular CMS with over 70 million users, but how safe is your install? Paul Maloney shows you how to secure your WordPress site with .htaccess.

WordPress is without doubt the most popular CMS at this moment in time, dwarfing other options such as Joomla and Drupal.

While that is good for WordPress, which now has a very large and active community contributing plug-ins, themes and fixes, the growth has its bad points too: when anything becomes this big, people will find ways to attack it, for whatever reason they see fit.

Our job as WordPress users (aside from contributing to the WordPress community) is keeping our installs safe from people we do not want to access our sites.

There are numerous plug-ins to help shore up our WordPress defences, such as Login LockDown, which records IP addresses and blocks them after a set number of failed login attempts. That helps against brute-force attacks from a single source, though a botnet spreading its attempts across thousands of addresses will never trip a per-IP lockout.

Another is WP Security Scan which checks your install for vulnerabilities and suggests possible methods for fixing anything it may find.

One of the most ignored methods of keeping your install safe is updating it when updates become available, which ensures all of the latest patches and fixes are applied to your site. (You can also remove the readme.html and license.txt files from the root directory, as they display the version number of WordPress you have installed, but note that core updates put them back, and the version is also exposed by the generator meta tag and the ?ver= query strings WordPress appends to its scripts and styles, so this hides less than it appears to.)

Configuring the .htaccess file

Aside from plug-ins there are a number of additions you can make to your .htaccess file which in conjunction with plug-ins and regular updates will tighten up your site’s security and give you that extra level of protection.

I'm going to cover a few of these that I feel protect some of the essentials in your WordPress install and show you how and where to add the code snippets; you don't have to use every single one, just whatever you feel would help you secure your site.

The typical WordPress .htaccess file looks similar to this:

  # BEGIN WordPress
  <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^index\.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
  </IfModule>
  # END WordPress

I would suggest adding anything new to the .htaccess file after # END WordPress.

This ensures you don't break the rewrite rules WordPress manages itself: WordPress rewrites everything between the BEGIN and END markers whenever you save your permalink settings, and anything you put inside that block will be lost.

Two things to check before you start. First, the access-control snippets below use the Apache 2.2 directives Order, Allow and Deny. Apache 2.4 only honours these when mod_access_compat is loaded; on a 2.4 server the native equivalents are Require all denied, Require all granted and Require ip 203.0.113.1, and mixing the two styles in one block gives confusing results, so use whichever your server supports. Second, your host's AllowOverride setting decides which directives an .htaccess file may contain; a directive that is not permitted makes Apache answer every request under that directory with a 500 Internal Server Error, so test the site immediately after each change. Before making any changes to your .htaccess file I strongly recommend backing it up and keeping the copy somewhere safe!

Protect wp-config.php

wp-config.php is the file in your root directory that stores information about your site as well as your database credentials and authentication keys; this file in particular we would not want to fall into the wrong hands. Bear in mind that the rule below only stops the web server handing out that exact file name on a direct request: a backup copy such as wp-config.php.bak left by an editor or a hosting tool is not covered, so never leave one in the web root. WordPress will also look for wp-config.php one directory above the install, so moving it outside the web root removes the exposure altogether.

In your .htaccess add the following to prevent any access to the wp-config.php file:

  <Files wp-config.php>
  order allow,deny
  deny from all
  </Files>

Admin access from your IP only

You can limit who can access your admin folder by IP address. To do this, create a new .htaccess file in your text editor and upload it to your wp-admin folder.

The following snippet denies access to the admin folder for everyone except your IP address. With order deny,allow a matching Allow line wins over Deny from all, which is what makes the exception work; write order allow,deny instead and Deny from all wins, locking you out. Please also note that if you have a dynamic IP you might have to alter this file regularly, otherwise you will be denied access yourself! Write the address in plain dotted-decimal form without leading zeros (tools disagree on 090: Apache reads it as decimal 90, inet_aton as octal 72, and glibc's inet_pton rejects it). Remember too that admin-ajax.php lives in wp-admin and is used by many themes and plug-ins for front-end AJAX, so a blanket restriction breaks those features for every other visitor unless you add a <Files admin-ajax.php> section that allows everyone.

  order deny,allow
  allow from 203.0.113.1
  deny from all

(Replace 203.0.113.1 with your own address; 203.0.113.0/24 is a range reserved for documentation.)
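As an added example (not code from the article or from WordPress), here is a small Python script that writes the wp-admin .htaccess described above from an allow-list instead of by hand, which helps when a dynamic IP forces frequent edits. It validates each address, refuses an empty list (which would lock everyone out), can emit either the Apache 2.2 Order/Allow/Deny form or the native Apache 2.4 Require form, and adds the admin-ajax.php exception. The function names are hypothetical and the addresses come from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.

```python
"""Hypothetical helper (not from the article): render wp-admin/.htaccess
from an allow-list, for Apache 2.2 (Order/Allow/Deny) or 2.4 (Require)."""
import ipaddress
import re

# Dotted-quad with optional /prefix; used only to catch leading-zero octets
_DOTTED = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/\d{1,2})?$")


def validate_ip_entry(entry: str) -> str:
    """Return a canonical address or CIDR string, or raise ValueError.

    Leading-zero octets such as 202.090.21.1 are rejected outright: Apache's
    APR parser reads 090 as decimal 90, inet_aton reads it as octal 72 and
    glibc inet_pton refuses it, so the safe choice is never to write them.
    """
    entry = entry.strip()
    m = _DOTTED.match(entry)
    if m:
        for octet in m.groups():
            if len(octet) > 1 and octet[0] == "0":
                raise ValueError(f"leading zero in octet of {entry!r}")
    # ipaddress rejects out-of-range octets and bad prefixes and canonicalises
    if "/" in entry:
        return str(ipaddress.ip_network(entry, strict=False))
    return str(ipaddress.ip_address(entry))


def wp_admin_htaccess(allowed, apache24=False, allow_ajax=True) -> str:
    """Render .htaccess text allowing only `allowed` (addresses or CIDRs)."""
    addrs = [validate_ip_entry(a) for a in allowed]
    if not addrs:
        raise ValueError("empty allow-list would lock everyone out, including you")
    lines = ["# wp-admin/.htaccess: generated, do not hand-edit"]
    if apache24:
        # Native 2.4 syntax; Require ip accepts both addresses and CIDR blocks
        lines.append("<RequireAny>")
        lines += [f"    Require ip {a}" for a in addrs]
        lines.append("</RequireAny>")
    else:
        # 2.2 syntax: with Order deny,allow a matching Allow overrides Deny from all
        lines.append("Order deny,allow")
        lines += [f"Allow from {a}" for a in addrs]
        lines.append("Deny from all")
    if allow_ajax:
        # admin-ajax.php serves front-end AJAX for ordinary visitors, so open it;
        # a <Files> section overrides the directory-level rules for that one file
        lines.append("<Files admin-ajax.php>")
        if apache24:
            lines.append("    Require all granted")
        else:
            # Satisfy any only matters if you also add HTTP authentication
            lines += ["    Order allow,deny", "    Allow from all", "    Satisfy any"]
        lines.append("</Files>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample allow-list (documentation addresses)
    print(wp_admin_htaccess(["203.0.113.1", "198.51.100.0/24"]))
    print(wp_admin_htaccess(["203.0.113.1"], apache24=True))
```

Run it and redirect the output into wp-admin/.htaccess; when your address changes, rerun it rather than editing the file by hand, so the Order line and the admin-ajax.php exception are never accidentally dropped.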

Banning bad users

If the same IP address keeps hammering your content or trying to brute force your admin pages, you can ban it using .htaccess with this simple snippet:

  <Limit GET POST>
  order allow,deny
  deny from 203.0.113.1
  allow from all
  </Limit>

That address will no longer be able to reach your site. You can ban more by repeating the deny line, for example:

  <Limit GET POST>
  order allow,deny
  deny from 203.0.113.1
  deny from 203.0.113.2
  allow from all
  </Limit>

Note that the Order here is the reverse of the wp-admin snippet: with order allow,deny a matching Deny line overrides allow from all, so the listed addresses are refused and everyone else is let in. The <Limit GET POST> wrapper restricts the ban to those two methods (HEAD is included with GET); Apache's own documentation advises keeping access-control directives outside <Limit> so they apply to every method, so you can safely drop the wrapper lines. Bear in mind too that a ban list is a blunt tool: attackers rotate addresses, and a shared or dynamic address you ban today may belong to a legitimate visitor tomorrow.
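The Order directive trips people up because the two snippets above use opposite settings. As an added example (not from the article or from Apache), here is a small Python model of how Apache 2.2's mod_authz_host decides one access block for one client address, covering "all", full addresses, CIDR or netmask ranges and partial addresses. It deliberately ignores section containers such as <Files> and <Limit>, so feed it one block at a time; the function names and the documentation-range addresses are hypothetical. The third constructed block shows the classic mistake of combining order allow,deny with an allow-list, which denies everyone, including the listed address.

```python
"""Hypothetical model (not from the article or from Apache) of how Apache 2.2's
mod_authz_host evaluates Order/Allow/Deny for one client address."""
import ipaddress


def _matches(pattern: str, client) -> bool:
    """Does one 'from' argument (all, address, CIDR or partial address) match?"""
    pattern = pattern.strip()
    if pattern.lower() == "all":
        return True
    if "/" in pattern:                      # CIDR or network/netmask form
        return client in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if len(octets) == 4:                    # complete dotted-quad
        return client == ipaddress.ip_address(pattern)
    # Partial address such as "203.0" matches on the leading octets
    return str(client).split(".")[: len(octets)] == octets


def access_decision(htaccess: str, client_ip: str) -> bool:
    """Return True if the client is allowed under Apache 2.2 rules.

    Order allow,deny: default deny; allowed only if some Allow matches
                      and no Deny matches.
    Order deny,allow: default allow; denied only if some Deny matches
                      and no Allow matches.
    Section containers (<Files>, <Limit>) and unrelated directives are
    skipped, so pass one access block at a time.
    """
    client = ipaddress.ip_address(client_ip)
    order = "deny,allow"                    # Apache's default with no Order line
    allow_hit = deny_hit = False
    for raw in htaccess.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, arg = line.partition(" ")
        directive, arg = directive.lower(), arg.strip()
        if directive == "order":
            order = arg.replace(" ", "").lower()
        elif directive in ("allow", "deny"):
            if not arg.lower().startswith("from "):
                raise ValueError(f"malformed line: {raw!r}")
            hit = any(_matches(p, client) for p in arg[5:].split())
            if directive == "allow":
                allow_hit = allow_hit or hit
            else:
                deny_hit = deny_hit or hit
    if order == "allow,deny":
        return allow_hit and not deny_hit
    if order == "deny,allow":
        return allow_hit or not deny_hit
    raise ValueError(f"unsupported Order {order!r}")


if __name__ == "__main__":
    # Constructed blocks: the two snippets above, plus the common mistake of
    # combining Order allow,deny with an allow-list, which locks everyone out.
    ADMIN_ONLY = "order deny,allow\nallow from 203.0.113.1\ndeny from all\n"
    BAN_LIST = "order allow,deny\ndeny from 203.0.113.1\nallow from all\n"
    LOCKOUT = "order allow,deny\nallow from 203.0.113.1\ndeny from all\n"
    for name, block in (("admin-only", ADMIN_ONLY), ("ban-list", BAN_LIST), ("lockout", LOCKOUT)):
        for ip in ("203.0.113.1", "198.51.100.7"):
            verdict = "allowed" if access_decision(block, ip) else "denied"
            print(f"{name:10} {ip:15} -> {verdict}")
```

Before uploading a block you have edited, run it through this with your own address and a stranger's address and check both verdicts are the ones you intended; the lockout case is exactly what a wrong Order line produces on the live server.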

No directory browsing

As WordPress is now so popular, many people know the structure of a WordPress install and know where to look to discover which plug-ins you use, or other files that give away too much about your site. One way to reduce this is to prevent directory browsing, so that a request for a folder with no index file returns a 403 rather than a listing of its contents:

  # directory browsing
  Options -Indexes

Use -Indexes on its own rather than All -Indexes: All switches on every other option (ExecCGI, Includes, FollowSymLinks and so on), which is more than a rule meant to reduce exposure should do. Options is also the directive most often blocked by AllowOverride on shared hosts, so if your site starts returning 500 errors after adding it, this line is the first suspect. It does not stop anyone requesting a known path such as wp-content/plugins/<name>/readme.txt directly, so treat it as removing a convenience for attackers rather than hiding your plug-ins.

Prevent Access To wp-content

The wp-content folder contains images, themes and plug-ins and is a very important folder within your WordPress install, so it makes sense to stop outsiders poking around in it.

This requires its very own .htaccess file, which must be added to the wp-content folder. It lets visitors see images, CSS and so on but blocks direct requests to the PHP files:

  Order deny,allow
  Deny from all
  <FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
  Allow from all
  </FilesMatch>

Two caveats. First, the dot before the extension list must be escaped as \. (an unescaped dot in a regular expression matches any character), so that only real file extensions match. Second, the list is only a starting point: anything not listed (web fonts, SVG and ICO files, PDFs and other uploads, or the images some CAPTCHA plug-ins generate) is blocked too, so extend the list to whatever your site actually serves. Also be clear about what this does and does not protect: it stops a browser requesting a plug-in's PHP file directly, which is how some plug-in vulnerabilities are reached, but files that WordPress includes itself still run, so it is no substitute for keeping plug-ins updated.

Individual File Protection

There are certain files you might want to protect individually rather than blocking a whole folder. The example snippet shows how you would prevent access to the .htaccess file; Apache will throw a 403 if anyone requests it. The file name can be changed to whatever file you wish to protect:

  # Protect the .htaccess
  <Files .htaccess>
  order allow,deny
  deny from all
  </Files>

(A stock httpd.conf already contains a rule denying every file whose name starts with .ht, so on most servers this is belt and braces; it costs nothing and covers hosts that have removed the default.)

Protect .htaccess

Sounds crazy, huh? We spend so much time worrying whether we have the right plug-ins and fixes installed, we overlook the fact that the .htaccess file itself, and the .htpasswd file beside it if you use HTTP authentication, could be served to anyone who asks for them.

This snippet stops anyone viewing any file on your site whose name begins with .ht, which covers .htaccess and .htpasswd (the original pattern, \.([Hh][Tt][Aa]), only matched extensions beginning with .hta and so left .htpasswd uncovered; ^\.ht is the pattern Apache's own default configuration uses). satisfy all means the host rule must pass even when the file is also behind HTTP authentication:

  <FilesMatch "^\.ht">
  order allow,deny
  deny from all
  satisfy all
  </FilesMatch>

We have covered how to ban users, how to prevent anyone but you accessing your admin folder, how to prevent directory browsing, and how to protect your wp-config.php file, your wp-content folder, individual files and even the .htaccess file itself.

This list of snippets is by no means exhaustive; there are a number of other things you can do to protect your site via .htaccess, but the items I have covered help to protect some of the key files and folders on your site and keep them away from prying eyes.

31 comments

Comment: 1

For added security you can also put your wp-config file below your publicly accessible web directory. So for example with an Apache system, rather than having your .htaccess file in /home/your_dir/public_html/ put it in /home/your_dir/ instead.

I believe you can have the wp-config.php file one directory below where your main WordPress installation is, correct me if I am wrong though!

Comment: 2

For security, I have used a third-party service like Cloudflare: you just need to change your name servers to the ones Cloudflare gives you, and it will filter web visitors.

Comment: 3

I always put a redirect on my wp-config to root in my .htaccess

Comment: 4

Blocking access to all of wp-admin like that is going to cause trouble if your theme or plugins use AJAX. The preferred way of doing AJAX in WordPress is to go through admin-ajax.php, whether the request needs admin privileges or not.

Nicolas Kuttler has a guide up showing how to password protect wp-admin while still letting AJAX requests through: http://www.nicolaskuttler.com/post/htaccess-protect-wordpress-admin/

Comment: 5

Yes, it's clear that there are more WordPress downloads than Drupal downloads. But comparing Drupal March 2011 downloads to WordPress March 2012 downloads? WTF? I happily use both Drupal and WP in my daily work, but comparing download totals 1 year apart is not cool.

Comment: 6

Sorry tgroff, couldn't find any more up-to-date "accurate" stats :(

Comment: 7

Thanks Paul - great stuff. I agree with @fortewebsolutions on moving your wp-config.php out of the web tree and would also recommend supplementing your .htaccess rules with the 5G .htaccess blacklist that Perishable Press has put together (http://perishablepress.com/5g-blacklist-2012/).

It may take some tweaking of a line or two and some of the rules won't be applicable to every WordPress install, but it's a good boilerplate.

The Bulletproof Security plugin does some similar .htaccess filtering. The WordPress plugin is a bit clunky so I plan to experiment with the htaccess rules it creates and may just use those without the plugin.

Comment: 9

Great topic. I have implemented some of these measures. I use timthumb.php on certain sites and notice that when applying deny access to wp-content, timthumb is knocked out. Any thoughts or workarounds?

Comment: 10

Hi gotdistracted,

timthumb.php has been open to vulnerabilities in the past; it's best to use something like: http://codex.wordpress.org/Post_Thumbnails

  <Files timthumb.php>
  order allow,deny
  Allow from all
  </Files>

This with a few location tweaks would allow that file to be accessed though :)

Comment: 12

It's better to utilize .htaccess to fine-tune the SEO efforts. Nice post.

Comment: 13

Well, I knew the htaccess file is very important for your website if you have it hosted on a PHP web server with Apache. Till today I used the htaccess file for redirection, URL rewriting and so on, but today I have added something new to my list.

Comment: 15

Just an FYI, your snippet for protecting the wp-content folder breaks CAPTCHA images in the default WP Comments form. Everything else seems rather tidy.

Comment: 16

Just like iPhones, when there's a critical mass of users there's the impetus to exploit the weaknesses for profit.

That tutorial.

Comment: 18

Thanks for the article. .htaccess was an alien term to me at the beginning of the year. However, thanks to articles like this I have beefed up my security and feel like my site is now more safely secured.


Comment: 19

Hi!

It looks like after updating to 3.4.1, when I open password protected posts, after entering the post password WordPress is asking me to enter the htaccess password too.

In the root directory of WordPress I have a htaccess file which is securing wp-config.php and wp-login.php with a password.
If I try to open password protected posts, exactly this htaccess password has to be entered (after entering the specified post password).
I feel like this behaviour started after updating WP to version 3.4.1.

Is there an option to change the htaccess entries which protect the config and login file so password protected posts can be opened by just entering one single (post related) password?

Or will I have to delete these entries in order to let WordPress work properly again?
If yes, which entries shall be removed?

I would really appreciate finding out which feature of 3.4.1 in detail is responsible for this new strange behaviour - I remember having read something security related in the changelog . . . :-)

Btw. it's a MultiSite installation of WordPress!

This is the actual content of my htaccess:

  # protect wpconfig.php
  <Files wp-config.php>
  Order deny,allow
  deny from all
  </Files>

  # protect wp-login.php
  <Files wp-login.php>
  AuthName "Admin-Bereich"
  AuthType Basic
  AuthUserFile /usr/www/users/xxx//.htpasswd
  require valid-user
  </Files>

  order deny,allow
  deny from all

  RewriteEngine On
  RewriteBase /blogtest/
  RewriteRule ^index\.php$ - [L]

  # uploaded files
  RewriteRule ^([_0-9a-zA-Z-]+/)?files/(.+) wp-includes/ms-files.php?file=$2 [L]

  # add a trailing slash to /wp-admin
  RewriteRule ^([_0-9a-zA-Z-]+/)?wp-admin$ $1wp-admin/ [R=301,L]

  RewriteCond %{REQUEST_FILENAME} -f [OR]
  RewriteCond %{REQUEST_FILENAME} -d
  RewriteRule ^ - [L]
  RewriteRule ^[_0-9a-zA-Z-]+/(wp-(content|admin|includes).*) $1 [L]
  RewriteRule ^[_0-9a-zA-Z-]+/(.*\.php)$ $1 [L]
  RewriteRule . index.php [L]

Comment: 20

I think a better option than limiting access to your wp-admin folder by IP address is to password protect it instead.

Comment: 22

This post saved me from more searches on Google. Thanks for the nice security tips.

Comment: 23

Added all this to my file but got an error on my blog...

403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

Comment: 24

Great article. Many thanks! :)

Could any of these entries decrease SEO?

Comment: 26

Is it possible that some (reputable) plugins might somehow need access to either wp-content, wp-admin, wp-config or the WordPress version? - or is that an insecure coding notion ?

Meanwhile, back at the ranch... Website Defender (WSD) was reported to me (by the Author of CrudArrest Plugin) to have the zaniest WordPress version cloaking of all - according to DC it echoes a different version of WP anytime the version is requested.

Beware of some of the features of WSD (same maintainer as Security Scan) - there are reports of the Database Options Renamer being broken in the current version. It threw a PHP error on my site just examining that area, and also in the current version when you activate it, it reports the security features as being disabled, but according to WSD it is a "rendering problem to be fixed in the next release, but all the security features are actually working" (?)

You can find this info in the support area of the WSD site. WSD seems like a great idea but perhaps it is a "diamond in the rough"?

Comment: 27

Very nice article. I believe it covers everything that is possible through .htaccess.

Comment: 28

This is a great article. It has been very helpful.

The snippet below extends the htaccess file in wp-content to documents like pdf and doc:

  Order deny,allow
  Deny from all
  <FilesMatch "\.(xml|css|jpe?g|png|gif|js|pdf|doc|docx|xls|xlsx)$">
  Allow from all
  </FilesMatch>

Comment: 29

My comment didn't come through correctly.
The snippet can be expanded to include commonly uploaded documents:

xml|css|jpe?g|png|gif|js|pdf|doc|docx|xls|xlsx

Comment: 30

With the recent botnet attacks on WP sites, plugins like 'lockdown wp admin' don't necessarily work, as they will block access for a particular IP after x amount of failed login attempts but still allow more attempts from other IPs. Apparently the botnet now has thousands of IPs to use, so plugins such as that would fall over. Only allowing access for your IP in the htaccess detailed in this post is a great step. Just remember many ISPs will have dynamic IPs, so you may have to FTP in and edit the htaccess to your new IP quite a lot, a small price to pay.

Comment: 31

Thank you for the great tips. I got a site where people can listen and download music legally for free. What type of security can you recommend for me? cheers in advance