15 Useful .htaccess Snippets for Your WordPress Site

A well-configured .htaccess file is essential if you want to increase security and reduce the attack surface of your WordPress site. The usual reason for writing a custom .htaccess file is to keep your site from being hacked, but it is also an excellent way to handle redirects and carry out cache-related tasks.


.htaccess is a per-directory configuration file used by Apache web servers. Most WordPress sites run on Apache; a small share run on Nginx, which ignores .htaccess files entirely, so the rules below only apply to Apache (or servers that emulate its .htaccess handling). In this article you will find a collection of .htaccess snippets, most of which you can use to secure your website, while the rest implement other useful features.

Don't forget to back up your .htaccess file before you edit it, so that you can always revert to the previous version if something goes wrong. A single mistyped directive makes Apache answer every request for the whole site with a 500 error, and your host's AllowOverride setting decides which directives you are allowed to use in .htaccess at all, so test the site after each change.

And if you would rather not touch configuration files, try the BulletProof Security plugin, which is one of the most reliable (and probably the oldest) free .htaccess security plugins on the market.

Create a default WP .htaccess

.htaccess works on a per-directory basis, which means that any directory can have its own .htaccess file. It can easily happen that your WordPress site doesn't have a .htaccess file yet. If you don't find one in your root directory, create an empty text file and name it .htaccess.

Below you can find the default .htaccess that WordPress uses. Whenever you need this code you can quickly look it up in the WordPress Codex. Note that WP Multisite uses a different .htaccess.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

The lines beginning with # are comments. Don't edit anything between the lines # BEGIN WordPress and # END WordPress: WordPress rewrites that block whenever you save your permalink settings, so any change you make inside it will be lost. Add your custom .htaccess rules below these default rules.

Unless a snippet says otherwise, all code snippets in this article go into the main .htaccess file in your root directory. The access-control snippets use the Apache 2.2 syntax (Order, Allow, Deny); Apache 2.4 still accepts it through mod_access_compat, but don't mix it with the newer Require directives inside the same section.

1. Deny access to all .htaccess files

The code below denies access to every .htaccess file in your WordPress installation (the case-insensitive pattern also covers .htpasswd). This way you prevent people from reading your web server configuration. Apache's default configuration already refuses to serve files whose names start with .ht, but hosts sometimes change that default, so the rule costs nothing and removes the doubt.

# Denies access to all .htaccess files
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy all
</Files>

2. Protect your WP configuration

The wp-config.php file contains all your WP configuration, including your database credentials and the secret keys. Deny access to it for everyone: on a working server PHP executes the file and outputs nothing, but if PHP is ever misconfigured or disabled, Apache would serve it as plain text.

If you really want to let your admins' IP addresses through, uncomment the # Allow from xx.xx.xx.xxx line (remove the # at the beginning of the line) and insert the admin's IP address in place of xx.xx.xx.xxx. Note the Order Deny,Allow: with Order Allow,Deny, as some versions of this snippet have it, a matching Deny always wins, so the Allow exceptions would have no effect.

# Protects wp-config
<Files wp-config.php>
Order Deny,Allow
Deny from all
# Allow from xx.xx.xx.xxx
# Allow from yy.yy.yy.yyy
</Files>
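If your server runs Apache 2.4 you can write snippets 1 and 2 with the mod_authz_core Require syntax instead of Order/Allow/Deny. The block below is an added example, not code from the original article; the addresses 203.0.113.0/24 and 198.51.100.7 are RFC 5737 documentation addresses used as placeholders for your admins' IPs, and the pattern in FilesMatch is the one from snippet 1.

```apache
# Apache 2.4 form of snippets 1 and 2 (added example). Do not mix these
# Require directives with Order/Allow/Deny inside the same section.

# Deny every .htaccess / .htpasswd file, whatever the letter case.
<FilesMatch "^.*\.([Hh][Tt][Aa])">
    Require all denied
</FilesMatch>

# wp-config.php: nobody gets it over HTTP.
<Files wp-config.php>
    Require all denied
</Files>

# Alternative for wp-config.php: everyone denied except the listed
# addresses (placeholders, replace with your own). Use this block *instead*
# of the one above, never both. In 2.2 syntax the same intent needs
# "Order Deny,Allow"; with "Order Allow,Deny" a matching Deny wins and the
# Allow lines are dead code.
#<Files wp-config.php>
#    <RequireAny>
#        Require ip 203.0.113.0/24
#        Require ip 198.51.100.7
#    </RequireAny>
#</Files>
```

Require all denied and RequireAny replace the Order/Deny/Allow dance and have no ordering trap: a request is granted as soon as one Require ip line in the RequireAny matches, and denied otherwise.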

3. Prevent XML-RPC DDoS attack

WordPress supports XML-RPC by default, an interface that makes remote publishing possible (the WordPress mobile apps and Jetpack use it). While it is a useful feature, it is also one of the most abused endpoints in WP: attackers use its pingback method to make your server take part in DDoS attacks against other sites, and its system.multicall method to try many passwords in a single request.

If you don't use this feature it is better to disable it entirely. As before, you can add exceptions by uncommenting the # Allow from xx.xx.xx.xxx line and adding the IPs of your admin(s) or of the services that need it.

# Protects XML-RPC, prevents DDoS attack
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Allow from xx.xx.xx.xxx
# Allow from yy.yy.yy.yyy
Deny from all
</FilesMatch>

4. Protect your admin area

It is also a good idea to protect the admin area by giving access only to administrators. This snippet is the one exception to the rule above: it belongs in a separate .htaccess file inside the wp-admin directory (create it if it does not exist), because it has no path condition and would lock down the entire site if you put it in the root .htaccess. Don't forget to add at least one Allow line, otherwise you won't be able to reach the admin area at all.

Older versions of this snippet wrap the rules in <Limit GET>, which leaves POST and every other method unrestricted, and carry AuthType/AuthUserFile lines that do nothing without a Require directive; both are dropped here so the rules apply to every request. Two caveats: wp-admin/admin-ajax.php is also called by themes and plugins on the public front end, so restricting the whole directory can break those features for ordinary visitors, and if your site sits behind a CDN or reverse proxy the address Apache compares is the proxy's, not the visitor's.

# wp-admin/.htaccess: protects admin area by IP
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xxx
Allow from yy.yy.yy.yyy
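On Apache 2.4 the same wp-admin/.htaccess can be written with Require directives, which also makes it easy to carve out the admin-ajax.php exception mentioned above. This is an added example, not code from the original article; 203.0.113.10 and 198.51.100.0/24 are RFC 5737 placeholder addresses standing in for your admins' IPs and office range.

```apache
# wp-admin/.htaccess (added example, Apache 2.4 syntax).
# Applies to every HTTP method, so there is no <Limit> wrapper.
# Replace the placeholder addresses with your own.
<RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
</RequireAny>

# admin-ajax.php is requested by many themes and plugins on the public
# front end ("load more" buttons, contact forms, live search). A <Files>
# section is merged after the directory-level rules and, with the default
# AuthMerging Off, replaces them for that one file, so visitors keep
# working front-end features while the rest of wp-admin stays IP-restricted.
<Files admin-ajax.php>
    Require all granted
</Files>
```

Privileged actions behind admin-ajax.php are still protected by WordPress's own login, nonce and capability checks; the exception only restores the anonymous front-end calls that the IP restriction would otherwise break.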

5. Prevent office listing

Most WordPress sites don't disable directory listing, which means anyone can browse their folders and files, including media uploads and plugin files. It goes without saying that this is a serious information leak: an attacker can see at a glance which plugins you run and find backup or configuration files you forgot about.

Below you can see what a typical WordPress directory listing looks like.

Directory listing

Luckily, you only need one line of code to block this feature. This snippet makes Apache return a 403 error to anyone who tries to list a directory that has no index file. It requires that your host permits the Options directive in .htaccess (AllowOverride Options or All); if it doesn't, Apache returns a 500 error for the whole site, and the fallback is to drop an empty index.php into each directory you want to hide.

# Prevents office listing
Options -Indexes

6. Prevent username enumeration

If WP permalinks are enabled it is quite easy to enumerate usernames through the author archives: a request for ?author=1 is redirected to /author/username/, and counting up from 1 reveals every account, including the admin's. The discovered usernames can then be used in brute force attacks.

Insert the code below into your .htaccess file to prevent this kind of username enumeration. It redirects any request whose query string contains author= followed by a digit to the homepage (the trailing ? drops the original query string) before WordPress can answer. Note what it does not cover: the pretty-permalink URL /author/username/ still works if author archives are enabled, and WordPress 4.7 and later also list users with published posts through the REST API at /wp-json/wp/v2/users, so treat this as one layer rather than a complete fix.

# Prevents username enumeration
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]

7. Block spammers and bots

Sometimes you may want to restrict access from certain IP addresses. This snippet provides an easy way to block spammers and bots you already know about. Keep in mind that an IP blocklist is a weak control: attackers rotate addresses, and if your site is behind a CDN or reverse proxy the address Apache sees is the proxy's unless mod_remoteip is configured.

# Blocks spammers and bots
<Limit GET POST>
Order Allow,Deny
Allow from all
Deny from xx.xx.xx.xxx
Deny from yy.yy.yy.yyy
</Limit>
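The Apache 2.4 form of this blocklist uses Require not ip inside a RequireAll, which accepts single hosts and CIDR ranges alike. This is an added example, not code from the original article; 203.0.113.42 and 198.51.100.0/24 are RFC 5737 placeholder addresses.

```apache
# Apache 2.4 form of snippet 7 (added example).
# Everyone is allowed except the listed addresses; each "Require not ip"
# is a veto, so RequireAll denies as soon as one of them matches.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.42
    Require not ip 198.51.100.0/24
</RequireAll>
```

If the site is served through a CDN or reverse proxy, every IP rule on this page (this one and the allow-lists in snippets 2 to 4) compares against the proxy's address. Configure mod_remoteip (RemoteIPHeader X-Forwarded-For plus RemoteIPTrustedProxy for the proxy's addresses) in the server configuration first, otherwise you will either block nobody or lock out everyone.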

8. Prevent picture hotlinking

Although not a security threat, image hotlinking is still an annoyance. People not only use your images without permission, they do it at your expense, since your server pays for the bandwidth. With these few lines of code you can protect your site from image hotlinking. The check relies on the Referer header, which the client controls and which browsers increasingly strip, so it stops casual embedding only; the !^$ condition deliberately lets requests with an empty Referer through, otherwise visitors with strict privacy settings would see broken images on your own pages.

# Prevents image hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite2\.com [NC]
RewriteRule \.(jpe?g?|png|gif|ico|pdf|flv|swf|gz)$ - [NC,F,L]

9. Restrict direct access to plugin and theme PHP files

It can be dangerous when someone calls your plugin and theme PHP files directly, whether it happens accidentally or through a malicious attacker: a file that expects to be loaded by WordPress may throw errors that disclose server paths, or run code without WordPress's permission checks. This snippet comes from the Acunetix web security company; you can read more about this issue in their blog post. The RewriteCond lines are exclusions for files or directories that must stay directly reachable (some plugins ship their own AJAX or download handlers); replace the placeholder paths, or remove those lines if you have no exceptions, and test the site afterwards. Blocked requests get a 404 rather than a 403, so the listing reveals nothing about which plugins exist.

# Restricts access to PHP files from plugin and theme directories
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

10. Set up permanent redirects

You can easily handle permanent redirects with .htaccess. First add the old URL path, then the new URL the user should be sent to. Redirect is a mod_alias directive and matches by path prefix, so /oldurl1/ also redirects /oldurl1/anything-below-it, with the remainder appended to the target.

# Permanent redirects
Redirect 301 /oldurl1/ http://yoursite.com/newurl1
Redirect 301 /oldurl2/ http://yoursite.com/newurl2

11. Send visitors to a maintenance page

We wrote about this technique in detail here. You need a separate maintenance page (maintenance.html in the example) for this .htaccess rule to work. This code puts your WordPress site into maintenance mode for everyone except your own IP address, answering with HTTP 503 so search engines know the outage is temporary. Because 503 is not a redirect status, mod_rewrite drops the substitution URL and simply ends the request with that status; the ErrorDocument line is what actually makes Apache serve maintenance.html as the body of the 503 response.

# Redirects to maintenance page
<IfModule mod_rewrite.c>
RewriteEngine on
# Your own IP address (203.0.113.10 is a placeholder, replace it)
RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
RewriteCond %{REQUEST_URI} !/maintenance\.html$ [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif) [NC]
RewriteRule .* /maintenance.html [R=503,L]
</IfModule>
# Serve the maintenance page as the body of the 503 response
ErrorDocument 503 /maintenance.html

12. Restrict access to WP includes

The /wp-includes/ folder contains core WordPress files that are required for the CMS to work. There is no content, plugin or theme in it that a visitor should ever request directly, but it also holds the JavaScript and CSS the front end loads, so you cannot block the folder wholesale. The snippet below, the same one the WordPress Codex hardening guide recommends, instead blocks direct requests to the PHP files in it and in wp-admin/includes, which are only meant to be included by other scripts. The [S=3] rule skips the three rules that follow for any request outside wp-includes. Note that this does not work on older Multisite installs that serve uploads through wp-includes/ms-files.php, because that file must remain callable.

# Blocks direct access to wp-includes PHP files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

13. Block cross-site scripting (XSS)

The following snippet is from WP Mix and it protects your site against some common XSS probes, namely script tag injection in the query string and attempts to overwrite PHP's GLOBALS and _REQUEST variables. It is a pattern filter, not a fix: a payload encoded differently slips past it, it can reject legitimate requests whose query string happens to contain these strings, and it does not replace proper output escaping in your themes and plugins.

# Blocks some XSS attacks
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F,L]
</IfModule>

14. Enable browser caching

As mentioned before, .htaccess is not only good for security and redirects; it can also help you manage caching. The snippet below is from Elegant Themes and it enables browser caching by telling visitors' browsers how long they may keep certain kinds of files, so on their next visit they don't have to download them again. Two notes: the types must match what your server actually sends, so a line for application/javascript is added for scripts (text/x-javascript is rarely what Apache emits), and a long lifetime means visitors keep the old copy of a changed file until it expires unless the URL changes (WordPress appends a ?ver= query string to its own scripts and styles for exactly this reason).

# Enables browser caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType application/javascript "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>

15. Set up custom error pages

You can use .htaccess to set up custom error pages on your WordPress site. For this to work you also need to create the custom error pages (custom-403.html and custom-404.html in the example) and upload them to your root folder. Make sure the error pages themselves are not blocked by any of the rules above, otherwise the visitor gets Apache's default error page instead.

You can set up a custom error page for any HTTP error status code (4XX and 5XX status codes) you want.

# Sets adult tradition blunder pages
ErrorDocument 403 /custom-403.html
ErrorDocument 404 /custom-404.html
