Easy WordPress “Hardening” in the Htaccess File

If you’ve been following along with our many WordPress tutorials, your site is likely looking good and easy to use. But now you’ll want to do some security “hardening” to make your site more difficult for hackers to crack. In this article, we’ll show you some neat things you can put in your .htaccess file to make your site more resilient to possible attacks.

As always, editing the .htaccess file can be hazardous. Make sure to back up your site before attempting to make these changes.

WordPress “Hardening”

Adding extra security features to your WordPress site is sometimes known as “hardening”: you’re essentially taking your existing site and adding on some extra armor against hackers. Because WordPress is customizable in this way, each site’s security setup can be slightly different, keeping hackers guessing.

The tips we’re providing here are not required, and you may already have some security measures in place that make these null.

Require IP for Login Page

The wp-login page is a high value target for hackers. If a hacker or bot can guess your username/password combination, they can gain access to the site. However, you can use your .htaccess file to disallow access to this page and allow traffic from a single IP:

 ErrorDocument 401 default ErrorDocument 403 default  <Files wp-login.php> Order deny,allow Deny from all Allow from 198.101.159.98 localhost </Files> 

Source: WordPress.org

Deny Access to “Sensitive” Files

Your WordPress installation contains several highly sensitive files such as:

  • The Configuration file (wp-config.php)
  • The .htaccess file
  • Error log file
  • And moreā€¦

The code below can help protect those files:

 <FilesMatch "^.*(error_log|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$"> Order deny,allow Deny from all </FilesMatch> 

Our WordPress hosting packages come with file protection, so you don’t need to worry about this. However, our Cloud VPS users may find this snippet valuable.

Source: WordPress.org

Require SSL

You’ll want to make sure to take advantage our Free SSL offer if you haven’t install an SSL already. That done, you’ll want to redirect all of your website traffic to the secure URL for your domain. WordPress has provided some code you can put in your .htaccess file to make that happen:

 SSLOptions +StrictRequire SSLRequireSSL SSLRequire %{HTTP_HOST} eq "www.wordpress.com" ErrorDocument 403 https://www.wordpress.com 

Just be sure to replace the information above with your own domain.

Source: WordPress.org

If Anything Should Break

Any time you edit the .htaccess file, problems can occur. Your WordPress site requires a fully functional .htaccess file for various important functions. We recommend adding the code snippets provided her under the standard WordPress .htaccess code.

And, if anything breaks, remove any of your custom code and copy the default snippet from WordPress.org.

CM
Christopher Maiorana Content Writer II

Christopher Maiorana joined the InMotion community team in 2015 and regularly dispenses tips and tricks in the Support Center, Community Q&A, and the InMotion Hosting Blog.

More Articles by Christopher

Thoughts on “Easy WordPress “Hardening” in the Htaccess File

  • Under the heading of “require IP for login page,” I have two IPs because I change locations twice a week. How would I write the code to allow the two IPs? Do I use my public IP or my private IP?

Was this article helpful? Let us know!