Secure Your WordPress Site with .htaccess

The number of hackers and spammers is growing day by day, and websites are undoubtedly prone to security risks. No matter how strong a website is, hackers find a loophole to intrude into it. If your website is not secure, hackers can use different breach techniques against it, such as SQL injection, cross-site scripting, DDoS attacks, and many more. Some novice hackers only try to hack a site to test their hacking ability, but they can still be dangerous in the near future. That's why website security is a must these days. In this article, I am going to write about how to secure your WordPress site using .htaccess.

The very first thing you need to consider is that your website must be hosted on a secure web host server. This is because you can back up your site, even if hackers intrude and destroy contents and files. Changing your site's passwords often is highly recommended too.

1. Protecting .htaccess itself from attacks

.htaccess is the heart of every website and controls how the whole website behaves. This includes multisite installations too. If proper preventive measures are not taken, the .htaccess file may suffer from malware attacks, suspicious access, and other strikes. Therefore, the .htaccess file must be protected from editing and rewriting. Add the following code to secure your .htaccess file; it denies every web request for the file.

# Deny all web requests for .htaccess

<Files .htaccess>

 order allow,deny

 deny from all

 satisfy all

</Files>

2. Disabling Directory Browsing

By default, WordPress and the Apache server enable directory browsing on the site automatically. This means all the files and directories inside the root folder are easily accessible and visible to visitors, which lets spammers or hackers steal your information.

These days, security is a primary necessity for every website and networking server. If you visit websites with a high Alexa ranking, you will find that most of them have directory browsing disabled.

Code Snippet

# disabling directory browsing

Options -Indexes

3. Protecting wp-config.php from access with .htaccess

wp-config.php is one of the most important core files in WordPress and is located at the root of the WordPress directory. This file contains the database details, database username and password, table prefix, host server names, and more. wp-config.php must be strongly secured.

Insert the following code.

# Protecting wp-config file

<Files wp-config.php>

order allow,deny

deny from all

</Files>

4. Restrict wp-admin access to selected IP addresses

A brute-force attack is the most powerful hacking technique against dynamic websites like WordPress. If the hackers know your username, then half of their mission is accomplished. The only thing left for them is to generate random passwords via a brute-force attack. The hackers use different IPs via various tools so that they are impossible to trace. That's why IP restriction is necessary to secure your site.

The Code:

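# Restrict logins and admins by IP
# Place this in the .htaccess inside wp-admin; in the root .htaccess it applies to the whole site.
# Replace the placeholders with the IP addresses that are allowed in.

<Limit GET POST PUT>

order deny,allow

deny from all

allow from IP_ADDRESS_1

allow from IP_ADDRESS_2

</Limit>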
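
The rules in sections 1, 3 and 4 use the Order/Allow/Deny directives from Apache 2.2, which Apache 2.4 accepts only when mod_access_compat is loaded. The following is an added example, not code from the original article, that expresses the same restrictions for both versions; the IP addresses are documentation placeholders, and covering wp-login.php alongside wp-admin is an assumption based on the "logins and admins" comment above.

```apache
# ---- /.htaccess (WordPress root) ----

# Sections 1 and 3: refuse every web request for .htaccess and wp-config.php
<FilesMatch "^(\.htaccess|wp-config\.php)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Section 4: only the listed addresses may reach the login page
# (203.0.113.10 and 198.51.100.0/24 are placeholders; use your own)
<Files wp-login.php>
    <IfModule mod_authz_core.c>
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>

# ---- /wp-admin/.htaccess ----

# Same allow-list for the dashboard directory
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
    Allow from 198.51.100.0/24
</IfModule>
```

After uploading, request /.htaccess and /wp-config.php from a browser and confirm both return 403, then load /wp-admin/ from an address outside the allow-list and confirm it is refused as well.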

5. Disable/Prevent Image Hotlinks

Hotlinking means other people use your website's images on their own website by linking to them directly, which leads to excess use of your site's bandwidth. And the amusing part is that you don't get credit for it. Hotlinking will slow down the performance of your website because the data is fetched using your bandwidth. Use the following code in your .htaccess file to eliminate such problems.

The Code:

#disable/prevent image hotlinks

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain\.com [NC]

RewriteRule \.(gif|png|jpeg|jpg)$ - [NC,F,L]

Note: Make sure to replace yourdomain\.com with your domain name, leaving www as it is and keeping a backslash before each dot.

CONCLUSION

It is important that you always keep precarious issues under your control. There are also some plugins available for free in the WordPress repository that secure your WordPress site.

If you have any queries regarding the contents of the article, feel free to drop your suggestions in the comment box below. Also, don't forget to check our article on the Top 7 popular WordPress plugins in 2022.