Securing WordPress using your htaccess file

Securing your website should be a primary concern of any website owner, whether a hobbyist or a corporate webmaster. Most unsupervised installations include no hardening at all, leaving them open to compromise and malicious code. While there are many security plugins for the WordPress CMS, there is also huge potential within the platform itself: namely, the .htaccess file.

The .htaccess file is a per-directory configuration file that sits outside the CMS and is read directly by the Apache web server before WordPress runs. It can be used for a multitude of purposes, from speeding up the website to preventing hacks.

To locate your .htaccess file, log into your hosting using FTP or your host’s control panel and check the file structure. Depending on your host, it will either be at the top level of the file structure or inside a directory such as public_html. Take a copy of the original file before making any changes. Then, if anything goes wrong, you can quickly revert to a known working version.

IP blocking with the htaccess file

If you use an IP tracking app (or read your server’s access log) and notice an IP address continually trying to log in to your dashboard, you can block it using the .htaccess file.

Copy this code onto the end of the file.

# Block an abusive IP address (Apache 2.2 access syntax; on Apache 2.4 this works through mod_access_compat)
# Note: <Limit GET POST> applies the block only to those methods (HEAD counts as GET)
<Limit GET POST>
order allow,deny
deny from IP_ADDRESS
allow from all
</Limit>

Add the specific IP address where it says ‘IP_ADDRESS’. You can add multiple addresses: paste a new ‘deny from’ line for each one. Be aware that a <Limit GET POST> wrapper restricts only the listed methods (HEAD is treated as GET), so leave the wrapper out if you want the block to apply to every request. The order/deny/allow directives are the Apache 2.2 form; on Apache 2.4 they still work through mod_access_compat, and the native equivalent is a ‘Require not ip IP_ADDRESS’ line inside a <RequireAll> block.
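The text above assumes you already know which address is hammering the login page. The following script is an added example (not part of the original post) that finds such addresses in an Apache access log and prints a deny block in the same form as the snippet above. It runs over a few constructed log lines in the standard “combined” format; the addresses, timestamps and the threshold of five failed attempts are all assumptions for the demonstration.

```python
import re
from collections import Counter

# Constructed sample lines in Apache "combined" log format (invented addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:12:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:09:12:09 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:13:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:13:08 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:09:14:00 +0000] "GET /about/ HTTP/1.1" 200 8100 "-" "Mozilla/5.0"
"""

# The fields of the combined format we need: client IP, method, request path and status code.
# Behind a CDN or reverse proxy the first field is the proxy's address; log the
# X-Forwarded-For value instead in that case, or the script will count the proxy.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def failed_login_counts(log_text):
    """Count failed login attempts per client IP.

    WordPress answers a failed login with a 200 (it re-renders the form) and a
    successful one with a 302 to the dashboard, so a 200 response to a POST on
    wp-login.php is a failed attempt.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if rec["method"] == "POST" and path == "/wp-login.php" and rec["status"] == "200":
            counts[rec["ip"]] += 1
    return counts


def suspicious_ips(log_text, threshold=5):
    """Addresses with at least `threshold` failed login POSTs, most active first."""
    counts = failed_login_counts(log_text)
    return [ip for ip, n in counts.most_common() if n >= threshold]


def render_deny_block(ips):
    """Render the deny block in the same form as the .htaccess snippet, one line per IP."""
    lines = ["<Limit GET POST>", "order allow,deny"]
    lines += [f"deny from {ip}" for ip in ips]
    lines += ["allow from all", "</Limit>"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    bad = suspicious_ips(SAMPLE_LOG)
    print("IPs to block:", bad)
    print(render_deny_block(bad))
```

Run it against your real log with `suspicious_ips(open("access.log").read())`; the one address that fails five times in a row is flagged, while the address that loaded the form once and then logged in successfully (302) is not.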

Disable directory browsing

If your website is hosted on an Apache web server with directory indexing switched on, a browser or bot that requests a directory containing no index file is shown a listing of everything in it. This means anyone can browse your directories and see what is behind the site. You don’t want this, as it tells people what is on your web server and which plugins, including security plugins, you are running.

Copy this code into your .htaccess file.

# Disable directory browsing
# If this produces a 500 error, your host does not allow "All" in .htaccess; use "Options -Indexes" on its own
Options All -Indexes

Restrict access to wp-admin

If you run a WordPress site, you will know that you access the dashboard through your website URL with /wp-admin at the end. Restricting who can access the login page for wp-admin has obvious security benefits, so limiting access to it is a no brainer.

# Limit logins and admin by IP
<Limit GET POST PUT>
order deny,allow
deny from all
allow from IP_ADDRESS
</Limit>

Add the specific IP address you want to allow where it says ‘IP_ADDRESS’, and repeat the ‘allow from’ line for each additional address. Put this block in a .htaccess file inside the wp-admin directory, not in the site’s root .htaccess: unwrapped in the root file, ‘deny from all’ would lock every visitor out of the whole site. The login form itself is wp-login.php in the site root, so guard it too by wrapping a copy of the block in <Files wp-login.php> in the root .htaccess. Bear in mind that wp-admin/admin-ajax.php is also called by the public front end of many themes and plugins, so restricting the whole directory by IP can break those features for visitors.

This is only really effective if you use a static IP and could cause problems if you use a dynamic IP address. Dynamic IP addresses are typical for those on ADSL, 3G, 4G and Wi-Fi hotspots. If you regularly use any of those to manage your site, this may not be for you.

Prevent image linking

If you create images, videos, infographics or other linkable content, it might be a good idea to stop other sites embedding (hotlinking) them. There are many scraper websites that will happily promote your images for their own gain. They will use your bandwidth allocation and slow down your site. Prevent it with this code.

# Prevent image hotlinking: image requests whose referer is another site are redirected to a placeholder image
RewriteEngine on
# Requests with no referer (direct visits, and browsers or proxies that strip it) are left alone
RewriteCond %{HTTP_REFERER} !^$
# Your own site as referer is allowed, with or without www, over http or https; replace yourwebsiteURL.co.uk with your domain
# The (/|$) on the end stops a host that merely starts with your domain from being accepted
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsiteURL\.co\.uk(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://i.imgur.com/MlQAH71.jpg [NC,R,L]
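To see exactly which requests the three directives above catch, here is an added example (not code from the original post) that re-implements the decision in Python: the RewriteRule pattern on the path, the empty-referer exception, and the own-site referer pattern. It is run both with the referer pattern as a plain prefix match, `^https?://(www\.)?yourwebsiteURL.co.uk`, and with `(/|$)` appended, to show why the end anchor matters. The hostname example.co.uk and the request/referer values are assumptions for the demonstration; the placeholder image URL is the one used in the post.

```python
import re

# Hypothetical own hostname for the examples (stands in for yourwebsiteURL.co.uk).
OWN_HOST = "example.co.uk"
# The substitute image the .htaccess rule redirects hotlinked requests to.
PLACEHOLDER = "http://i.imgur.com/MlQAH71.jpg"

# The RewriteRule pattern: only these extensions are affected; [NC] makes it case-insensitive.
IMAGE_RE = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)


def own_site_re(host, strict):
    # Builds the referer pattern of the second RewriteCond ([NC] -> IGNORECASE).
    # loose:  ^https?://(www\.)?host        prefix match only
    # strict: ^https?://(www\.)?host(/|$)   the hostname must end there
    pattern = r"^https?://(www\.)?" + re.escape(host)
    if strict:
        pattern += r"(/|$)"
    return re.compile(pattern, re.IGNORECASE)


def hotlink_decision(path, referer, host=OWN_HOST, strict=False):
    """Apply the rule chain to one request.

    Returns ("serve", path) when the request is left alone and
    ("redirect", PLACEHOLDER) when it would be redirected.
    """
    # RewriteRule matches the URL path without the query string.
    bare_path = path.split("?", 1)[0]
    if not IMAGE_RE.search(bare_path):
        return ("serve", path)
    # RewriteCond %{HTTP_REFERER} !^$ : an empty referer never triggers the rule.
    if referer == "":
        return ("serve", path)
    # Second RewriteCond: a referer on your own site passes.
    if own_site_re(host, strict).match(referer):
        return ("serve", path)
    # Both conditions hold and the path is an image: redirect to the placeholder.
    return ("redirect", PLACEHOLDER)


if __name__ == "__main__":
    cases = [
        ("/img/logo.png", ""),
        ("/img/logo.png", "https://www.example.co.uk/post/"),
        ("/img/logo.png", "http://scraper.example/gallery"),
        ("/page.html", "http://scraper.example/gallery"),
        ("/img/logo.png", "https://example.co.uk.scraper.example/"),
    ]
    for path, ref in cases:
        print(f"{path!r:18} referer={ref!r:45} loose={hotlink_decision(path, ref)[0]:8} "
              f"strict={hotlink_decision(path, ref, strict=True)[0]}")
```

The last case is the one to note: a referer of `https://example.co.uk.scraper.example/` starts with your hostname, so the prefix-only pattern lets it through, whereas the pattern with `(/|$)` redirects it as intended. Note also that the hotlink check relies entirely on the Referer header, which the requesting site controls, so treat it as a bandwidth saver rather than a security boundary.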

Enable browser caching

While not a security tweak, this is an extremely useful .htaccess addition: it sends Expires headers that tell browsers how long they may keep a cached copy of each type of file, so repeat visits load faster and your server answers fewer requests.

# Setup browser caching
# "access 1 year" is the short form of "access plus 1 year"
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
# Most servers send scripts as application/javascript rather than text/x-javascript; add a line for the type yours uses
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
# ExpiresDefault also covers HTML pages; shorten or remove it if visitors must always see fresh content
ExpiresDefault "access 2 days"
</IfModule>

Those are just five .htaccess file tweaks that can help speed up and secure your WordPress website. There are many out there and I’ll update this as soon as I have tested some more.

In the meantime, if you want a more secure website, contact me here at Coastal Content and I can manage it for you.
