Friday, December 25, 2015

.htaccess Tips and Tricks for WordPress

The .htaccess file is a configuration file that lets us control how the files and folders in the current directory, and in all of its sub-directories, are served. The filename .htaccess stands for hypertext access, and the file is supported by most web servers.

Many WordPress users make use of the .htaccess file when they customize their website's permalink settings. However, we can do so much more with it. The .htaccess file is a powerful configuration file that allows us to enhance our site's security and performance. In this article, we will show the 9 most powerful .htaccess tricks for WordPress that we can try on our site right away.
Before we start making any change, we need to back up our current .htaccess file, either to a cloud storage service like Dropbox or by connecting to the website with an FTP client and simply downloading the .htaccess file to our computer. That way, if something goes wrong, we can upload the backup file again.
If you are not able to see the .htaccess file, make sure your FTP client is set to show hidden files. If you do not have an .htaccess file in your website's root folder, you have to create one: simply create a blank text file and save it as .htaccess. Make sure to name the file .htaccess and not htaccess. Lastly, upload the file to your website's root folder.

1.     Secure Your WordPress Admin Area

Admin Area Password Protection
The wp-admin folder contains the files required to run the WordPress dashboard. In most cases, your visitors don't need access to the WordPress dashboard unless they have registered an account. A powerful security measure is to allow only a few selected IP addresses to reach the wp-admin folder. You can use .htaccess to secure your WordPress admin area by limiting access to selected IP addresses only. Simply copy and paste the following code into your .htaccess file:
# Limit logins and admin by IP
# Place this in a .htaccess file inside the wp-admin folder (in the site root it would lock out every visitor).
# <Limit> applies only to the listed methods; requests using other methods are not restricted by it.
<Limit GET POST PUT>
order deny,allow
deny from all
allow from x.xx.xx.xx
allow from IP_ADDRESS_2
</Limit>
Replace x.xx.xx.xx (and IP_ADDRESS_2) with your own IP addresses. If you use more than one IP address to access the internet, make sure you add all of them.

2.     Protect Your WordPress Configuration wp-config.php File from everyone

Probably the most sensitive file in your WordPress website's root directory is wp-config.php, which contains the database name, the access credentials, the details of how to connect to the database, and various other critical data. (Later in this article we will also disable public access to the source of all these protections, the .htaccess file itself.) To protect your wp-config.php file from unauthorized access, simply add this code to your .htaccess file:
# Deny access to wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>

3.     Deny Image Hotlinking in WordPress Using .htaccess

When someone embeds your site's images on their own pages, they steal your bandwidth by hotlinking the images from your server, and most of the time you are not even credited for it. Normally this doesn't concern most users. But if you run a popular site with a lot of images and photos, hotlinking can become a major issue. You can stop image hotlinking by adding the following code to your .htaccess file:
#disable hotlinking of images in WordPress
RewriteEngine on
# The first condition lets requests without a Referer header through (e.g. direct visits, some privacy settings)
RewriteCond %{HTTP_REFERER} !^$
# Dots are escaped so the patterns match only your own domains
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?website\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?otherwebsite\.com [NC]
# Return 403 for image requests from any other referer ("-" keeps the URL unchanged; the original rule had no substitution)
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

4.     Disable Directory Browsing in WordPress

Directory Browsing
By default, the Apache web server enables directory browsing. That means all files and folders inside the root of the web server can be listed and accessed by a visitor. With directory browsing enabled, attackers can walk your site's directory and file structure to find a vulnerable file.
To disable directory browsing in WordPress using .htaccess, all you need to do is add this single line to your .htaccess file:
# Disable directory browsing in WordPress
Options -Indexes

5.     Allow Only Selected Files from wp-content

As you know, the wp-content folder contains all of your themes, plugins and media uploads. You definitely don't want people to access it without restrictions. In addition to denying directory browsing, you can also disable access to all file types except a few. On that basis, you can selectively unblock files like JPG, DOCX, PDF, CSS, JS, etc. and deny the rest. To do this, paste the following code into the .htaccess file in your wp-content folder:
# Disable access to all file types except the following
# Note: PHP files in wp-content are blocked too, which breaks plugins that must be requested directly
Order deny,allow
Deny from all
<Files ~ "\.(xml|css|js|jpe?g|png|pdf|gif|docx|rtf|odf|zip|rar)$">
Allow from all
</Files>

6.     Disable PHP Execution in Some WordPress Directories

Hacked WordPress sites usually contain backdoor files. These backdoor files are often disguised as core WordPress files and are placed in the /wp-includes/ or /wp-content/uploads/ folders. A simple way to increase your WordPress security is to deny PHP execution in those directories. To do this, paste the following code into a blank .htaccess file placed in each directory you want to protect:
# Deny PHP Execution to all files
<Files *.php>
deny from all
</Files>

7.     Protect .htaccess From Unauthorized Access

As you have seen, there are a lot of things that can be done with the .htaccess file. Because of the power and control it has over your web server, it is necessary to protect it from unauthorized access as well. To do this, paste the following code into your .htaccess file:
# Protect .htaccess From Unauthorized Access
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
We can still edit the file ourselves using FTP or the file manager of our hosting control panel.
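As an added check that is not part of the original article, the following Python script audits a .htaccess file for the protections from sections 2, 3, 4 and 7 and flags the slips that stop these snippets from working (mixed Options syntax, an unescaped dot inside a Files regex, a RewriteRule without a substitution, and a <Limit> wrapper that covers only some methods). The function names and the sample file are our own, and the checks are regex heuristics, not an Apache parser.

```python
import re

# Added example: heuristic auditor for this article's .htaccess snippets (regex over the text, not an Apache parser).

def _file_blocks(text):
    """Return (argument, body) for each <Files ...>...</Files> container."""
    pat = re.compile(r"<files\b([^>]*)>(.*?)</files>", re.I | re.S)
    return [(m.group(1).strip(), m.group(2)) for m in pat.finditer(text)]

def _denies_all(body):
    return re.search(r"^\s*(deny from all|require all denied)\s*$", body, re.I | re.M) is not None

def audit_htaccess(text):
    """Report which of the article's protections are present (name -> bool)."""
    blocks = _file_blocks(text)
    return {
        "wp_config_protected": any(re.search(r"wp-config\.php", a, re.I) and _denies_all(b) for a, b in blocks),
        "htaccess_protected": any(re.search(r"\[Hh\]\[Tt\]\[Aa\]|\.hta", a) and _denies_all(b) for a, b in blocks),
        "indexes_disabled": re.search(r"^\s*Options\b[^\n]*-Indexes", text, re.I | re.M) is not None,
        "hotlink_protection": bool(re.search(r"RewriteCond\s+%\{HTTP_REFERER\}", text, re.I)
                                   and re.search(r"RewriteRule[^\n]*\.\(?(jpe?g|png|gif)", text, re.I)),
    }

def find_pitfalls(text):
    """List slips that make these snippets fail to load or behave differently than intended."""
    issues = []
    if re.search(r"^\s*Options\s+All\s+[-+]", text, re.I | re.M):
        issues.append("Options mixes absolute and +/- syntax (Apache rejects it); use 'Options -Indexes'")
    for arg, _ in _file_blocks(text):
        if "~" in arg and re.search(r"(?<!\\)\.\(", arg):
            issues.append("unescaped '.' in Files regex matches any character: " + arg)
    for m in re.finditer(r"^\s*RewriteRule\s+\S+\s*(\[[^\]]*\])?\s*$", text, re.I | re.M):
        issues.append("RewriteRule has no substitution target: " + m.group(0).strip())
    if re.search(r"<Limit\s", text, re.I):
        issues.append("<Limit> only covers the listed methods; other methods stay unrestricted")
    return issues

# Constructed sample that reproduces three slips from the article's original snippets.
SAMPLE = r"""
<files wp-config.php>
deny from all
</files>
Options All -Indexes
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?website\.com [NC]
RewriteRule .(jpg|jpeg|png|gif)$ [NC,R,L]
<files ~ "^.*.([Hh][Tt][Aa])">
deny from all
</files>
"""
```

Run audit_htaccess and find_pitfalls on the text of your own .htaccess after each change; every check should be True and the pitfall list empty before you upload the file.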

1 comment:

  1. Nice article about htaccess Tips and Tricks for WordPress. This article helped me very well. Thank you. Also please check my article on my site Know All About Htaccess Tutorial. In the linked article we will learn about the htaccess file.