Protect wordpress site with .htaccess

WordPress is the world’s most popular CMS with million users. This is how to secure your WordPress site with .htaccess.

Configuring the .htaccess file

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

Protect wp-config.php

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Admin access from your IP only

order deny,allow
allow from 202.090.21.1 (replace with your IP address)
deny from all

Banning bad users

<Limit GET POST>
order allow,deny
deny from 202.090.21.1
allow from all
</Limit>

No directory browsing

Options All -Indexes

Prevent Access To wp-content

The wp-content folder contains images, themes and plug-ins. It’s a very important folder within your WordPress install, so it makes sense to prevent outsiders accessing it.

This requires it’s very own .htaccess file. This file must be added to the wp-content folde. It allows users to see images, CSS etc … but protects the important PHP files:

Order deny,allow
Deny from all
<Files ~ ".(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Protect .htaccess

<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files

Leave a Reply

Your email address will not be published. Required fields are marked *

20 − 9 =