If you’ve been following along with our many WordPress tutorials, your site is likely looking good and easy to use. But now you’ll want to do some security “hardening” to make your site more difficult for hackers to crack. In this article, we’ll show you some neat things you can put in your .htaccess file to make your site more resilient to possible attacks.
As always, editing the .htaccess file can be hazardous. Make sure to back up your site before attempting to make these changes.
WordPress “Hardening”
Adding extra security features to your WordPress site is sometimes known as “hardening”: you’re essentially taking your existing site and adding on some extra armor against hackers. Because WordPress is customizable in this way, each site’s security setup can be slightly different, keeping hackers guessing.
The tips we’re providing here are not required, and you may already have some security measures in place that make these null.
Require IP for Login Page
The wp-login page is a high value target for hackers. If a hacker or bot can guess your username/password combination, they can gain access to the site. However, you can use your .htaccess file to disallow access to this page and allow traffic from a single IP:
ErrorDocument 401 default
ErrorDocument 403 default
<Files wp-login.php>
Order deny,allow
Deny from all
Allow from 192.0.2.1 localhost
</Files>Source: WordPress.org
Deny Access to “Sensitive” Files
Your WordPress installation contains several highly sensitive files such as:
- The Configuration file (wp-config.php)
- The .htaccess file
- Error log file
- And more…
The code below can help protect those files:
<FilesMatch "^.*(error_log|wp-config\.php|php\.ini|\.[hH][tT][aApP].*)$">
Order deny,allow
Deny from all
</FilesMatch>Our WordPress VPS hosting packages come with file protection, so you don’t need to worry about this.
Source: Jetpack.com
Require SSL
You’ll want to make sure to take advantage our Free SSL offer if you haven’t install an SSL already. That done, you’ll want to redirect all of your website traffic to the secure URL for your domain. WordPress has provided some code you can put in your .htaccess file to make that happen:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.example.com"
ErrorDocument 403 https://www.example.comJust be sure to replace the information above with your own domain.
Source: WordPress.org
Secure the wp-includes Folder
An additional layer of security can be implemented to restrict access to scripts that are typically not meant for user interaction. This can be achieved by using mod_rewrite to block these scripts in the .htaccess file.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPressSource: WordPress.org
If Anything Should Break
Any time you edit the .htaccess file, problems can occur. Your WordPress site requires a fully functional .htaccess file for various important functions. We recommend adding the code snippets provided here under the standard WordPress .htaccess code.
And, if anything breaks, remove any of your custom code and copy the default .htaccess snippet from WordPress.org.
Under the heading of “require IP for login page,” I have two IPs because I change locations twice a week. How would I write the code to allow the two IPs? Do I use my public IP or my private IP?
Hello and thanks for contacting us. You can type another line stating “Allow from [IP]”.