This guide explains how to improve WordPress security with .htaccess rules. WordPress is a popular CMS, but its popularity makes it a common target for hackers. You can strengthen your WordPress website security by applying simple but effective .htaccess rules. These rules help protect core files, restrict unauthorised access, and reduce common vulnerabilities.
What is the .htaccess File?
The .htaccess file is a powerful Apache configuration file located in your website’s root directory. It allows you to control various aspects of your website, including URL structure, redirections, and security rules.
Important .htaccess Rules for WordPress Security
- Restrict Access to wp-config.php
The wp-config.php file contains your database credentials and other sensitive information.

```apache
# Deny every direct web request for wp-config.php
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied")
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>
```
- Block Access to .htaccess Itself
Prevent attackers from viewing or editing your .htaccess file.

```apache
# Deny every direct web request for the .htaccess file itself
<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>
```
- Protect wp-includes Directory
The wp-includes directory contains core PHP files that should not be accessed directly. WordPress does, however, serve its own scripts and styles from this directory, so the rule must only forbid PHP files rather than the whole directory, otherwise the front end breaks.

```apache
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Forbid direct requests for PHP files in wp-includes, while the JS and CSS
    # that WordPress loads from wp-includes/js and wp-includes/css stay reachable
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```
- Disable Directory Browsing
Prevent users from viewing the directory listing of your site.

```apache
# Return 403 instead of a file listing for directories that have no index file
Options -Indexes
```
- Limit Access to the Admin Area by IP
Allow only specific IP addresses to access the /wp-admin area. Save these rules as wp-admin/.htaccess rather than in the site root, otherwise they lock out the whole site.

```apache
# No <Limit> wrapper, so the restriction applies to every request method
Order deny,allow
Deny from all
Allow from YOUR_IP_ADDRESS
# Themes and plugins call wp-admin/admin-ajax.php for ordinary visitors, so it needs an exception
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
```

Replace YOUR_IP_ADDRESS with your real IP; add one Allow line per additional address.
- Prevent Image Hotlinking
Block others from using your images on their sites and consuming your bandwidth.

```apache
RewriteEngine on
# Allow requests with no Referer header (direct visits, privacy tools, most crawlers)
RewriteCond %{HTTP_REFERER} !^$
# Allow referers from your own domain; replace yourdomain.com (the dot is escaped because this is a regex)
RewriteCond %{HTTP_REFERER} !^https://(www\.)?yourdomain\.com/ [NC]
# Every other request for an image gets 403
RewriteRule \.(jpg|jpeg|png|gif)$ - [F]
```
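Once the rules are deployed, it is worth confirming from the outside that each one does what you expect. The following verification script is an added example, not part of this guide: it requests each protected path on a site you administer and compares the status codes with what the rules above should produce. The domain example.org, the sample image path and the simulated_fetch stand-in are constructed for illustration; simulated_fetch lets the script run offline against a model of a correctly hardened site.

```python
import urllib.request
import urllib.error
def build_checks(domain, from_allowed_ip, image="wp-content/uploads/sample.jpg"):
    """Expected status codes for each rule in the guide (image path is assumed)."""
    own = f"https://{domain}/"
    admin_ok = {200, 302} if from_allowed_ip else {403}  # 302 = redirect to login
    return [
        ("wp-config.php", {}, {403}, "wp-config.php blocked"),
        (".htaccess", {}, {403}, ".htaccess blocked"),
        ("wp-includes/version.php", {}, {403}, "wp-includes PHP blocked"),
        ("wp-includes/js/jquery/jquery.min.js", {}, {200}, "wp-includes assets served"),
        ("wp-content/uploads/", {}, {403, 404}, "directory listing disabled"),
        ("wp-admin/", {}, admin_ok, "wp-admin IP restriction"),
        (image, {"Referer": "https://other.example/"}, {403}, "hotlink blocked"),
        (image, {"Referer": own}, {200}, "own referer allowed"),
        (image, {}, {200}, "empty referer allowed"),
    ]

def http_status(url, headers):
    """GET the URL and return its status code; 4xx/5xx are results, not errors."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def simulated_fetch(url, headers):
    """Constructed stand-in for a correctly hardened example.org, for offline runs."""
    path = url.split("/", 3)[3]
    referer = headers.get("Referer", "")
    blocked = {"wp-config.php", ".htaccess", "wp-includes/version.php",
               "wp-content/uploads/", "wp-admin/"}
    if path in blocked:
        return 403
    if path.endswith(".jpg") and referer and "://example.org/" not in referer:
        return 403
    return 200

def run_checks(domain, from_allowed_ip=False, fetch=http_status):
    """Map each rule name to (passed, observed status code)."""
    results = {}
    for path, headers, ok_codes, name in build_checks(domain, from_allowed_ip):
        status = fetch(f"https://{domain}/{path}", headers)
        results[name] = (status in ok_codes, status)
    return results

if __name__ == "__main__":
    for name, (ok, status) in run_checks("example.org", fetch=simulated_fetch).items():
        print("PASS" if ok else "FAIL", status, name)
```

Run it against the real site with `run_checks("yourdomain.com")` from a machine that is not in the admin allow list, or with `from_allowed_ip=True` from one that is.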
Tips:
- Always back up your .htaccess file before making changes.
- Use a staging site to test new rules.
- Combine .htaccess rules with other security measures like firewalls and security plugins.
By using these .htaccess rules, you can add an extra layer of protection to your WordPress site without installing additional plugins.