Lock Down Your Site: Essential .htaccess Security for WordPress


As a WordPress website owner, security should be your top priority to prevent attacks, spam, and data breaches. One effective way to bolster your website’s defenses is by leveraging the power of the .htaccess file. In this article, we’ll explore how to secure your WordPress website using .htaccess configuration.

What is .htaccess?

The .htaccess (Hypertext Access) file is a configuration file used by Apache web servers to control access, security, and other settings for your website. It’s a powerful tool that allows you to customize your website’s behavior without modifying global server configuration files.

Why Secure Your WordPress Website?

WordPress is a popular target for hackers due to its widespread use. A vulnerable website can lead to:

  • Data breaches
  • Malware infections
  • Defacement
  • SEO penalties
  • Loss of credibility

Securing Your WordPress Website with .htaccess

1. Password Protect wp-admin Directory

Protect your WordPress admin area with a password layer before the login page even loads.

The first block belongs in a .htaccess file inside /wp-admin/ (placed in the site root it would password-protect the whole site); the second block goes in the root .htaccess and covers wp-login.php, which lives outside wp-admin.

```apache
# Password protect the wp-admin directory (place in /wp-admin/.htaccess)
AuthType Basic
AuthName "WordPress Admin Access"
AuthUserFile /path/to/.htpasswd
Require valid-user

# Start WordPress admin protection (place in the site-root .htaccess)
<FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "WordPress Admin Access"
    AuthUserFile /path/to/.htpasswd
    Require valid-user
</FilesMatch>
```

NB: Replace /path/to/.htpasswd with the actual absolute path to your .htpasswd file; create it with Apache's htpasswd utility and keep it outside the web root. Front-end features that call /wp-admin/admin-ajax.php for logged-out visitors will also be prompted for the password unless you exempt that file with a Files block that grants access.

2. Limit Access to wp-config.php

Prevent unauthorized access to your website’s most sensitive configuration file. This and several later blocks use the Apache 2.2 Order/Deny syntax, which Apache 2.4 still accepts when mod_access_compat is loaded; the 2.4-native equivalent is Require all denied (as used in section 9).

```apache
# Protect wp-config.php
<FilesMatch "wp-config.php">
    Order deny,allow
    Deny from all
</FilesMatch>
```

3. Disable Directory Browsing

Prevent users from browsing your website’s folders and seeing your file structure.

```apache
# Disable directory browsing
Options -Indexes
```

4. Block Unauthorized Access to Files

Block access to sensitive system and log files.

```apache
# Block access to sensitive files
<FilesMatch "\.(ini|log|conf|bak|txt)$">
    Order deny,allow
    Deny from all
</FilesMatch>
```

NB: The txt extension also covers robots.txt and the readme and license files WordPress ships, so drop txt from the list or grant robots.txt separately if search engines must be able to read it.

5. Prevent SQL Injection Attacks

Block common SQL injection attack patterns within the query string. RewriteEngine On must appear once in the file before any RewriteCond or RewriteRule line; it is repeated in each rewrite block below so that every block works on its own.

```apache
# Prevent SQL injection attacks
RewriteEngine On
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC]
RewriteRule ^.* - [F,L]
```

NB: This is a coarse pattern filter: it rejects any query string that contains brackets, parentheses or angle brackets, it does not catch injection attempts that use none of those characters, and it can block legitimate requests that do. Test it against your site's own URLs before relying on it; real protection comes from parameterised queries in plugins and themes and from keeping WordPress updated.

6. Block Malicious User Agents

Prevent known bad bots and scrapers from accessing your content.

```apache
# Block malicious user agents
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(bot|crawl|spider|slurp|archive|yahoo|bing|mj12bot|ahrefsbot|semrush|dotbot|blexbot|baiduspider|yandexbot|sogou|siteexplorer|ia_archiver|linkdexbot|ltx71|wget|curl).* [NC]
RewriteRule .* - [F,L]
```

NB: The generic tokens bot, crawl, spider, bing and yahoo also match Googlebot, Bingbot and the other search-engine crawlers, so deploying this list unchanged will cause exactly the SEO damage the article sets out to avoid. Prune it to the agents you actually want to exclude.

7. Enable SSL/HTTPS

Force all traffic to use a secure, encrypted connection.

```apache
# Enable SSL/HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

8. Limit Login Attempts

Help prevent brute-force attacks by checking the referrer: a POST to wp-login.php whose Referer header does not point at your own site is redirected to your home page.

```apache
# Limit login attempts
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} POST
    RewriteCond %{REQUEST_URI} wp-login\.php
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com [NC]
    RewriteRule ^ https://yourwebsite.com/ [R=301,L]
</IfModule>
```

NB: Replace yourwebsite.com with your actual website URL. The Referer header is supplied by the client, so this rule does not count or rate-limit attempts; it only stops scripts that omit the header. Visitors whose browser or privacy extension strips Referer will be unable to log in.

9. Protect .htaccess Itself

Ensure that the security file cannot be read or edited by visitors.

```apache
# Protect .htaccess itself
<Files ~ "^\.ht">
    Require all denied
</Files>
```

10. IP Whitelisting for Admin Area

Only allow your specific IP address to access the login page.

```apache
# Protect wp-login with IP whitelist
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10
</Files>
```

NB: Replace the placeholder 203.0.113.10 (an address from the documentation range) with your public IP address. The value must be a valid dotted-quad address, each octet between 0 and 255, and if your connection's address changes you will lock yourself out of the login page.

11. Disable XML-RPC

The xmlrpc.php file is often exploited in brute force attacks. Disable it if you don't use remote apps.

```apache
# Disable XML-RPC
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>
```

12. Implement Security Headers

Add an extra layer of protection against clickjacking and XSS.

```apache
# HTTP Security Headers
<IfModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    # max-age is one full year (31536000 seconds), the minimum the HSTS preload list accepts
    Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>
```

NB: preload is a long-term commitment: submit the site to the preload list only once every subdomain serves HTTPS. X-XSS-Protection is ignored by modern browsers and is kept only for older ones.

13. Limit HTTP Request Methods

Ensure only GET and POST requests are allowed.

```apache
# Only allow GET and POST requests
<LimitExcept GET POST>
    Deny from all
</LimitExcept>
```

NB: Apache treats HEAD as GET, so HEAD stays allowed; anything that relies on PUT, DELETE or OPTIONS (some REST API clients) will be refused.

14. Prevent PHP Execution in Uploads Folder

Stop hackers from running malicious scripts uploaded to your media folder. Create a new .htaccess file inside /wp-content/uploads/ and paste:

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /wp-content/uploads/
    # Block direct access to PHP files
    RewriteRule ^.*\.php$ - [F,L]
</IfModule>
```

NB: Extend the pattern if your server also maps other extensions, such as .phtml, to the PHP handler.

Implementing .htaccess Configuration

  • Access: Connect via FTP/SFTP or your Hosting File Manager.
  • Locate: Find the .htaccess file in your root directory.
  • Backup: Always download a copy before editing!
  • Edit: Add the desired configurations and save.

A syntax error in .htaccess makes Apache answer every request with a 500 error, so load a page straight after saving and restore the backup if that happens.

Conclusion

Securing your WordPress website with .htaccess is an essential step in protecting your online presence. By implementing these server-level rules, you significantly improve your security posture and reduce the risk of common attacks.
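Before deploying the pattern rules from sections 5 and 6, it is worth seeing what they would block. The script below is an added example, not code from the article: it copies the two RewriteCond patterns verbatim (Apache's [NC] flag becomes re.IGNORECASE) and runs them over constructed sample query strings and User-Agent strings. The labels and sample values are constructed for illustration.

```python
import re

# Added example (not from the article): evaluate the article's two RewriteCond
# patterns against sample requests before deploying them. The patterns are
# copied verbatim from the rules; [NC] corresponds to re.IGNORECASE.
QUERY_STRING_PATTERN = re.compile(r"^.*(\[|\]|\(|\)|<|>).*", re.IGNORECASE)
USER_AGENT_PATTERN = re.compile(
    r"^.*(bot|crawl|spider|slurp|archive|yahoo|bing|mj12bot|ahrefsbot|semrush|"
    r"dotbot|blexbot|baiduspider|yandexbot|sogou|siteexplorer|ia_archiver|"
    r"linkdexbot|ltx71|wget|curl).*",
    re.IGNORECASE,
)


def blocked_by_query_rule(query_string: str) -> bool:
    """True if the 'Prevent SQL Injection' rule would answer 403 for this query string."""
    return QUERY_STRING_PATTERN.search(query_string) is not None


def blocked_by_agent_rule(user_agent: str) -> bool:
    """True if the 'Block Malicious User Agents' rule would answer 403 for this User-Agent."""
    return USER_AGENT_PATTERN.search(user_agent) is not None


# Constructed sample inputs (not captured traffic), labelled by what a site owner
# would want to happen to them.
SAMPLE_QUERY_STRINGS = {
    "plain search (should pass)": "s=security",
    "array parameter (legitimate, but blocked)": "post_type[]=page",
    "tautology with parentheses (blocked)": "id=1) OR (1=1",
    "union select without brackets (not caught)": "id=1 UNION SELECT 1,2,3",
}

SAMPLE_USER_AGENTS = {
    "desktop browser (should pass)": (
        "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
        "(KHTML, like Gecko) Chrome/120.0 Safari/537.36"
    ),
    "Googlebot (blocked by the 'bot' token)": (
        "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
    ),
    "Bingbot (blocked by 'bot' and 'bing')": (
        "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
    ),
    "curl (blocked)": "curl/8.4.0",
}


def dry_run() -> dict:
    """Run both rules over the samples; returns {label: blocked} for review."""
    results = {}
    for label, qs in SAMPLE_QUERY_STRINGS.items():
        results["query: " + label] = blocked_by_query_rule(qs)
    for label, ua in SAMPLE_USER_AGENTS.items():
        results["agent: " + label] = blocked_by_agent_rule(ua)
    return results


if __name__ == "__main__":
    for label, blocked in dry_run().items():
        print(("BLOCK" if blocked else "allow").ljust(6), label)
```

Running it shows the two failure modes the notes above warn about: a legitimate array-style query parameter is refused while an injection attempt that uses no brackets passes, and Googlebot and Bingbot are refused along with curl. Swap in your own site's URLs and the crawlers you rely on before changing the patterns.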
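Once the mod_headers block from section 12 is in place, the response should be checked rather than assumed. The script below is an added example, not code from the article: check_security_headers() compares a response's headers with the values the article sets and flags an HSTS max-age shorter than one year (which the preload list rejects), and fetch_headers() retrieves live headers with the standard library. The header dictionaries at the bottom are constructed, not captured from a real site.

```python
import http.client
from urllib.parse import urlsplit

# Added example (not from the article): verify the security headers after the
# mod_headers block is deployed. Expected values mirror the article's Header set lines.
EXPECTED_HEADERS = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
}
ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_hsts(value: str) -> dict:
    """Split 'max-age=N; includeSubDomains; preload' into lowercase directive names."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    return directives


def check_security_headers(headers: dict) -> list:
    """Return findings (empty list means the article's policy is in place).

    `headers` maps lowercase header names to values, as fetch_headers() returns them.
    """
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        actual = headers.get(name)
        if actual is None:
            findings.append("missing " + name)
        elif actual.strip().lower() != expected.lower():
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        d = parse_hsts(hsts)
        raw = d.get("max-age", "0")
        max_age = int(raw) if raw.isdigit() else 0
        if max_age < ONE_YEAR:
            note = " (required for preload)" if "preload" in d else ""
            findings.append(f"hsts max-age {max_age} is below one year{note}")
        if "includesubdomains" not in d:
            findings.append("hsts lacks includeSubDomains")
    return findings


def fetch_headers(url: str) -> dict:
    """Fetch response headers over HTTPS with the standard library (needs network)."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443, timeout=10)
    conn.request("HEAD", parts.path or "/")
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    return headers


# Constructed responses (not captured from a real site).
ARTICLE_HEADERS = {  # what the article's block sends with a full-year max-age
    "x-frame-options": "SAMEORIGIN",
    "x-xss-protection": "1; mode=block",
    "x-content-type-options": "nosniff",
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
}
SHORT_HSTS_HEADERS = dict(
    ARTICLE_HEADERS,
    **{"strict-transport-security": "max-age=31535000; includeSubDomains; preload"},
)

if __name__ == "__main__":
    import sys
    headers = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else ARTICLE_HEADERS
    for finding in check_security_headers(headers) or ["all expected headers present"]:
        print(finding)
```

Run it with your site's URL as the only argument to check the live response; with no argument it checks the constructed sample.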
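The Backup and Edit steps above can be made repeatable. The script below is an added example, not code from the article: it copies .htaccess to a backup directory outside the web root, appends new rules between named marker comments so a second run does not duplicate them, and restores the newest backup when an edit breaks the site. The marker name wp-security-rules is an assumed label of this example, not WordPress's own BEGIN WordPress block, which is left untouched. The demo() function builds a throwaway site directory so the script can be run anywhere.

```python
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# Added example (not from the article). The marker name below is an assumption
# of this example; WordPress's own "# BEGIN WordPress" block must not be edited.
DEFAULT_MARKER = "wp-security-rules"


def backup_htaccess(docroot: Path, backup_dir: Path) -> Path:
    """Copy docroot/.htaccess into backup_dir (outside the web root) with a timestamp."""
    src = docroot / ".htaccess"
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d%H%M%S%f")
    dest = backup_dir / f"htaccess.{stamp}.bak"
    if src.exists():
        shutil.copy2(src, dest)
    else:
        dest.write_text("")  # records that there was no file before the edit
    return dest


def add_rules_block(docroot: Path, rules: str, backup_dir: Path,
                    name: str = DEFAULT_MARKER) -> bool:
    """Append `rules` between BEGIN/END markers; returns False if the block already exists."""
    target = docroot / ".htaccess"
    existing = target.read_text() if target.exists() else ""
    begin, end = f"# BEGIN {name}", f"# END {name}"
    if begin in existing.splitlines():
        return False  # idempotent: nothing written, no backup needed
    backup_htaccess(docroot, backup_dir)  # back up only when we are about to change the file
    with target.open("a") as fh:
        fh.write(f"\n{begin}\n{rules.strip()}\n{end}\n")
    return True


def restore_latest_backup(docroot: Path, backup_dir: Path) -> Path:
    """Roll back .htaccess to the newest backup (use when pages start returning 500)."""
    backups = sorted(backup_dir.glob("htaccess.*.bak"))
    if not backups:
        raise FileNotFoundError("no backups in " + str(backup_dir))
    shutil.copy2(backups[-1], docroot / ".htaccess")
    return backups[-1]


def demo() -> dict:
    """Run the procedure on a throwaway site directory; returns values a test can check."""
    work = Path(tempfile.mkdtemp())
    docroot, backups = work / "public_html", work / "htaccess-backups"
    docroot.mkdir()
    # Constructed starting file that mimics WordPress's own block.
    (docroot / ".htaccess").write_text("# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n")
    first = add_rules_block(docroot, "Options -Indexes", backups)
    second = add_rules_block(docroot, "Options -Indexes", backups)  # second run is a no-op
    edited = (docroot / ".htaccess").read_text()
    restore_latest_backup(docroot, backups)
    restored = (docroot / ".htaccess").read_text()
    return {
        "first_added": first,
        "second_added": second,
        "blocks": edited.count("# BEGIN " + DEFAULT_MARKER),
        "wordpress_block_kept": "# BEGIN WordPress" in edited,
        "backup_count": len(list(backups.glob("htaccess.*.bak"))),
        "restored_has_rules": "Options -Indexes" in restored,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Because the backup is taken only when the file is actually changed, restoring the newest backup always returns the file to its state before the last real edit, which is what you want when a freshly added rule produces 500 errors.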