Easy WordPress “Hardening” in the .htaccess File

WordPress hardening in the htaccess file hero image

If you’ve been following along with our many WordPress tutorials, your site is likely looking good and easy to use. But now you’ll want to do some security “hardening” to make your site more difficult for hackers to crack. In this article, we’ll show you some neat things you can put in your .htaccess file to make your site more resilient to possible attacks.

As always, editing the .htaccess file can be hazardous. Make sure to back up your site before attempting to make these changes.

WordPress “Hardening”

Adding extra security features to your WordPress site is sometimes known as “hardening”: you’re essentially taking your existing site and adding on some extra armor against hackers. Because WordPress is customizable in this way, each site’s security setup can be slightly different, keeping hackers guessing.

The tips we’re providing here are not required, and you may already have some security measures in place that make these null.

Require IP for Login Page

The wp-login page is a high value target for hackers. If a hacker or bot can guess your username/password combination, they can gain access to the site. However, you can use your .htaccess file to disallow access to this page and allow traffic from a single IP:

ErrorDocument 401 default
ErrorDocument 403 default

<Files wp-login.php>
Order deny,allow
Deny from all
Allow from localhost

Source: WordPress.org

Deny Access to “Sensitive” Files

Your WordPress installation contains several highly sensitive files such as:

  • The Configuration file (wp-config.php)
  • The .htaccess file
  • Error log file
  • And more…

The code below can help protect those files:

<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all

Our WordPress VPS hosting packages come with file protection, so you don’t need to worry about this.

Source: Jetpack.com

Require SSL

You’ll want to make sure to take advantage our Free SSL offer if you haven’t install an SSL already. That done, you’ll want to redirect all of your website traffic to the secure URL for your domain. WordPress has provided some code you can put in your .htaccess file to make that happen:

SSLOptions +StrictRequire
SSLRequire %{HTTP_HOST} eq "www.example.com"
ErrorDocument 403 https://www.example.com

Just be sure to replace the information above with your own domain.

Source: WordPress.org

Secure the wp-includes Folder

An additional layer of security can be implemented to restrict access to scripts that are typically not meant for user interaction. This can be achieved by using mod_rewrite to block these scripts in the .htaccess file.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress

Source: WordPress.org

If Anything Should Break

Any time you edit the .htaccess file, problems can occur. Your WordPress site requires a fully functional .htaccess file for various important functions. We recommend adding the code snippets provided here under the standard WordPress .htaccess code.

And, if anything breaks, remove any of your custom code and copy the default .htaccess snippet from WordPress.org.

InMotion Hosting Contributor
InMotion Hosting Contributor Content Writer

InMotion Hosting contributors are highly knowledgeable individuals who create relevant content on new trends and troubleshooting techniques to help you achieve your online goals!

More Articles by InMotion Hosting

2 thoughts on “Easy WordPress “Hardening” in the .htaccess File

  1. Under the heading of “require IP for login page,” I have two IPs because I change locations twice a week. How would I write the code to allow the two IPs? Do I use my public IP or my private IP?

Was this article helpful? Join the conversation!