Securing WordPress using your htaccess file

Securing your website should be a primary concern of any website owner, whether a hobbyist or corporate webmaster. Most unsupervised installations include no security at all leaving them open to hacks and malicious code. While there are many security plugins for the WordPress CMS, there is also huge potential within the platform itself. Namely, the htaccess file.

The .htaccess file is a core file that sits above the CMS and is referenced directly by the web server. It can be used for a multitude of reasons, from speeding up the website to preventing hacks.

To locate your .htaccess file, log into your hosting using FTP or your host’s control panel and check the file structure. Depending on your host, it will either be at the top level of the file structure or inside a directory such as public_html. Take a copy of the original file before making any changes. Then, if anything goes wrong you can quickly revert back to a known working version.

IP blocking with the htaccess file

If you use an IP tracking app and notice an IP address continually trying to log in using your credentials, you can block it using the .htaccess file.

Copy this code onto the end of the file.

<Limit GET POST>

order allow,deny

deny from IP_ADDRESS

allow from all

</Limit>

Add the specific IP address where is says ‘IP_ADDRESS’. You can add multiple addresses, just paste a new line per address.

Disable directory browsing

If your website is hosted on an Apache webserver, it is possible for a browser or bot to browse your directory structure as well as the site itself. This means any hacker can browse your directories and see what is behind the site. You don’t want this as you don’t want people knowing what’s on your web server or what security plugins you might be using.

Copy this code into your .htaccess file

# Disable directory browsing

Options All -Indexes

Restrict access to wp-admin

If you run a WordPress site, you will know that you access the dashboard through your website URL with /wp-admin at the end. Restricting who can access the login page for wp-admin has obvious security benefits, so limiting access to it is a no brainer.

# Limit logins and admin by IP

<Limit GET POST PUT>

order deny,allow

deny from all

allow from IP_ADDRESS

</Limit>

Add the specific IP address you want to allow where it says ‘IP_ADDRESS’.

This is only really effective if you use a static IP and could cause problems if you use a dynamic IP address. Dynamic IP addresses are typical for those on ADSL, 3G, 4G and Wi-Fi hotspots. If you regularly use any of those to manage your site, this may not be for you.

Prevent image linking

If you create images, videos, infographics or other linkable content it might be a good idea to prevent other sites linking to them. There are many scraper websites that will happily promote your images for their own gain. They will use your bandwidth allocation and slow down your site. Prevent it with this code.

# Prevent image hotlinking script.

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)'://(www\.)'yourwebsiteURL.co.uk [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ http://i.imgur.com/MlQAH71.jpg [NC,R,L]

Enable browser caching

While not a security hack, it is an extremely useful .htaccess file tweak that forces your website to conform to browser standards.

# Setup browser caching

<IfModule mod_expires.c>

ExpiresActive On

ExpiresByType image/jpg "access 1 year"

ExpiresByType image/jpeg "access 1 year"

ExpiresByType image/gif "access 1 year"

ExpiresByType image/png "access 1 year"

ExpiresByType text/css "access 1 month"

ExpiresByType application/pdf "access 1 month"

ExpiresByType text/x-javascript "access 1 month"

ExpiresByType application/x-shockwave-flash "access 1 month"

ExpiresByType image/x-icon "access 1 year"

ExpiresDefault "access 2 days"

</IfModule>

Those are just five .htaccess file tweaks that can help speed up and secure your WordPress website. There are many out there and I’ll update this as soon as I have tested some more.

In the meantime, if you want a more secure website, contact me here at Coastal Content and I can manage it for you.