Using .htaccess to Add Additional Web Security to Your WordPress Site
Modifying or creating .htaccess files can greatly improve the web security of your WordPress installation. Through this file, we can limit access to files and folders, perform redirects, disable directory browsing, and much more.
In this section, we’re going to focus on Web Security using your .htaccess files to deny access to your wp-config. PHP file, your administration area if you wish, disable directory browsing and lock down the .htaccess file itself.
You edit .htaccess files with a text editor. Often times you will not be able to save the file locally on your machine as .htaccess. If this is the case for you simply save it as htaccess.txt, upload it to your server, and then rename it to .htaccess.
So let’s look at what your .htaccess file probably looks like.
Using an FTP program (FileZilla is free and multi-platform) download your .htaccess file from the root folder of your site and open it in a text editor such as Notepad on Windows or TextWrangler (free) on Mac or Text Editor on Linux. It should look
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
Now, when editing this file keep in mind that WordPress accesses this file and can modify anything between the BEGIN WordPress and END WordPress lines, so leave those as is. All of our additions are going to be entered on the lines after the END WordPress line.
DISABLE DIRECTORY BROWSING
To disable directory browsing we will add the following line to the file.
#Prevent Directory Browsing Options All -Indexes
DISABLE ACCESS TO YOUR WP-CONFIG.PHP FILE
To protect your configurations file, add the following to your .htaccess file.
# Prevent Access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>
DISABLE ACCESS TO YOUR .HTACCESS FILES
These files generate an error when trying to be accessed directly anyhow, but it doesn’t hurt to add
another layer of protection. To make sure nobody can access your .htaccess files add the following
to it.
# Prevent Access to .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>
LIMIT ACCESS TO YOUR ADMIN FOLDER
Before you take this step there are some considerations. If you have a static or fixed IP address then this option will work well. If your IP address changes then you may end up locking yourself out too. Of course, you can always use FTP to remove or change the restrictions. To lock everyone out except the IP listed (change it to yours), create a new .htaccess file in the wp-admin folder and add the following to it.
order deny,allow allow from 192.168.1.1 deny from all
Don’t forget to change the IP address to that of your own. You can find out your IP address by going to Google and simply type what is my IP?
IF YOUR PASSWORD PROTECT THE ADMIN FOLDER, YOU MAY BREAK ACCESS TO ADMINAJAX.PHP
Include the following in your admin .htaccess file to fix this.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>