The .htaccess file is a configuration file that allows you to control files and folders in the current directory, and all sub-directories. The filename is a shortened name for hypertext access and is supported by most servers.
For many WordPress users, their first meeting with the .htaccess file is when they customize their website’s permalink settings. To get those pretty permalinks that we all know and love (e.g. http://www.elegantthemes.com/sample-post/ instead of http://www.elegantthemes.com/?p=123), we need to add something like this to the .htaccess file:
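For reference, this is the rewrite block that WordPress core writes into .htaccess on Apache when you save a custom permalink structure (reproduced here as an illustration; it is not a snippet from the article's author). It assumes WordPress is installed at the site root; for a sub-directory install WordPress writes that sub-directory path into RewriteBase and into the final RewriteRule.

```apache
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# A request for index.php itself is passed through untouched.
RewriteRule ^index\.php$ - [L]
# Anything that is not a real file (-f) or directory (-d) on disk is handed
# to index.php, where WordPress resolves the pretty permalink.
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

Everything between the two marker comments is owned by WordPress and may be overwritten the next time permalink settings are saved, which is why the hardening snippets in this article belong outside those markers.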
You also need to ensure your .htaccess file is writeable so that WordPress can add the appropriate permalink code to your .htaccess file. WordPress.org advises file permissions of 644 for the .htaccess file.
The .htaccess file is not only used for permalinks. The file is better known for its ability to strengthen the security of a website. Millions of WordPress users use the .htaccess file to protect their websites from spammers, hackers, and other known threats.
In this article, I would like to share with you several snippets for .htaccess that will make your website secure. I have also included a few additional snippets that I believe you will find useful.
You may have noticed in my permalink example above that the code begins with # BEGIN WordPress and ends with # END WordPress. WordPress can update any code that is placed within those tags. You should therefore add the snippets shown in this article at the top or bottom of your .htaccess file (i.e. before # BEGIN WordPress or after # END WordPress).
Be Careful
The .htaccess file is one of the most temperamental files you will encounter when using WordPress. It only takes one character to be out of place for the code to be incorrect. When that happens, it will usually cause your whole website to go down. It is therefore vital that you copy the code noted in this article correctly to your own .htaccess file.
Even if you are cautious, accidents can happen, and they frequently do.
Do not cut any corners when working with the .htaccess file. Before you begin, make a backup of your current working version of .htaccess. Store it in a safe place on your computer, and if possible, in another location such as a USB flash drive or on cloud storage.
Whenever you update your .htaccess file on your server, refresh your website to see if your website is still live. Do not skip this step as it is vital that you verify your website is still working correctly. If your website returns a blank screen, immediately revert back to your saved copy of .htaccess by uploading it over the version with errors.
If you cannot locate your backup file, either upload a blank .htaccess file or delete the .htaccess file altogether. This will get your website back online, which is obviously the priority when your website goes offline.
Do not take any chances with .htaccess. Always have a backup. You have been warned.
1. Protect .htaccess
Due to how much control .htaccess has over your whole website, it is important to protect the file from unauthorised users. The following snippet will stop hackers from accessing your .htaccess file. You can, of course, still edit the file yourself via FTP and through your hosting control panel’s file manager.
2. Protect WP-Config.php
Another important file is wp-config.php. This configuration file contains the login information for your WordPress database as well as other important maintenance settings. It is therefore advisable to disable access to it.
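One way to cover sections 1 and 2 together, as an added example that is not the article's own snippet: a single FilesMatch container in the root .htaccess that denies web access to every .ht* file and to wp-config.php. The paired IfModule blocks keep the file valid on both Apache 2.2 (Order/Deny syntax) and Apache 2.4 (Require syntax); a directive the running version does not understand would otherwise turn into a 500 error for the whole site.

```apache
# Deny browser access to .htaccess, .htpasswd and wp-config.php.
# Place this outside the # BEGIN WordPress / # END WordPress markers.
<FilesMatch "^(\.ht.*|wp-config\.php)$">
  # Apache 2.4 and later: mod_authz_core provides Require.
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  # Apache 2.2: the older Order / Deny directives from mod_authz_host.
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

After uploading, verify from outside the server: requesting https://your-site/.htaccess and https://your-site/wp-config.php should both return 403. Note why the second one matters even though PHP normally executes wp-config.php rather than serving it: if the PHP handler is ever misconfigured or disabled, Apache falls back to sending the raw file, database credentials included, and this rule is what prevents that.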
3. Protect /Wp-Content/
The wp-content directory is one of the most important areas of your WordPress website. It is where vital files are located such as your themes, plugins, uploaded media (images and videos), and cached files.
Due to this, it is one of the main targets of hackers. When a spammer managed to compromise an old website of mine last year, he did it by uploading a mail script to my uploads folder. He then proceeded to send out spam mail using my server, which subsequently placed my server on spam blacklists.
You can tackle threats like this by creating a separate .htaccess file and adding the following code to it:
4. Block Include-Only Files
There are certain files that never have to be accessed by the user. You can block access to these files by adding the following code to your .htaccess file:
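An added example covering sections 3 and 4 (not the article's own snippets). The first part is a separate .htaccess placed inside wp-content: it denies everything by default and re-allows only static asset types, so a PHP mailer or web shell dropped into uploads/ is never executed by a browser request. The second part goes in the root .htaccess above the WordPress markers and returns 403 for direct requests to include-only code. The asset extension list is an assumption for this example; extend it to whatever your themes actually serve.

```apache
# --- wp-content/.htaccess (a separate file inside wp-content) ---
# Assumption: no plugin on this site serves a .php file directly from
# wp-content. Some do, so test the front end and admin after deploying.
<IfModule mod_authz_core.c>
  Require all denied
  <FilesMatch "\.(?i:css|js|jpe?g|png|gif|webp|ico|woff2?|ttf|mp4|pdf|xml)$">
    Require all granted
  </FilesMatch>
</IfModule>
<IfModule !mod_authz_core.c>
  Order deny,allow
  Deny from all
  <FilesMatch "\.(?i:css|js|jpe?g|png|gif|webp|ico|woff2?|ttf|mp4|pdf|xml)$">
    Allow from all
  </FilesMatch>
</IfModule>

# --- root .htaccess, above # BEGIN WordPress ---
# [F] answers 403 before the request ever reaches PHP; [L] stops further rules.
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteBase /
  RewriteRule ^wp-admin/includes/ - [F,L]
  # Skip the next three rules for any path outside wp-includes/.
  RewriteRule !^wp-includes/ - [S=3]
  RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
  RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
  RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

Two caveats from running this on real sites: a multisite install needs wp-includes/ms-files.php to stay reachable, so add an exception or drop the wp-includes rules there; and the wp-content deny-all approach blocks legitimate PHP entry points that a few plugins expose, so if a feature breaks after deployment, check the Apache error log for 403s under wp-content before assuming anything else is wrong.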
5. Restrict Access to the Admin Area
Another entry point for hackers is the WordPress admin area. If they gain access to this area, they can do almost anything to your website.
To make this area more secure, create a new .htaccess file and add the code below to it:
This will allow you to access your WordPress admin area, but will block everyone else.
Additional IP addresses can be added for other administrators and staff. You can do this by adding additional allow lines or listing their IP addresses in the main allow line and separating them using commas. For example:
6. Ban Someone From Your Website
If you know the IP address of a malicious party, you can completely ban them from your website using the snippet below. For example, you could ban someone who always leaves abusive comments or someone who has attempted to access your admin area.
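An added example for sections 5 and 6 together (not the article's own snippets). The first file is wp-admin/.htaccess with an allow-list of administrator addresses; the second part is a site-wide ban in the root .htaccess. All addresses are placeholders from the documentation ranges (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24) and must be replaced with real ones. In this example additional addresses are listed separated by spaces, which is the form the Allow and Require ip directives accept; CIDR ranges are accepted as well.

```apache
# --- wp-admin/.htaccess: admin area reachable only from listed addresses ---
# admin-ajax.php is re-opened because themes and plugins call it from the
# public site for logged-out visitors. wp-login.php lives outside wp-admin
# and is NOT covered by this file.
<IfModule mod_authz_core.c>
  <RequireAny>
    Require ip 203.0.113.10
    Require ip 198.51.100.0/24
  </RequireAny>
  <Files admin-ajax.php>
    Require all granted
  </Files>
</IfModule>
<IfModule !mod_authz_core.c>
  Order deny,allow
  Deny from all
  Allow from 203.0.113.10 198.51.100.0/24
  <Files admin-ajax.php>
    Allow from all
  </Files>
</IfModule>

# --- root .htaccess: ban specific addresses from the whole site ---
<IfModule mod_authz_core.c>
  <RequireAll>
    Require all granted
    Require not ip 192.0.2.77
    Require not ip 192.0.2.0/28
  </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
  Order allow,deny
  Allow from all
  Deny from 192.0.2.77 192.0.2.0/28
</IfModule>
```

Before relying on either list, check what address Apache actually sees for you: behind a CDN or reverse proxy, REMOTE_ADDR is the proxy's address, not the visitor's, so an allow-list will lock out everyone and a ban will hit nobody unless the proxy's real-IP module is configured. A home connection with a dynamic address will also lock you out the day the address changes; keep a copy of the file handy to delete over FTP if that happens.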
7. Send Visitors to a Maintenance Page
Maintenance plugins such as Ultimate Maintenance Mode and Maintenance are useful for displaying a temporary message to visitors when you are developing a website, or when working in the background to update your website.
Unfortunately, maintenance plugins are of little help if you face the infamous WordPress White Screen of Death. They only function correctly if your website is working correctly.
If you want to prepare for the worst, I recommend creating a basic HTML page named maintenance.html that advises visitors that you are currently experiencing problems with your website, but will be back online soon. When your website does go down because of a hacking attempt or because of the White Screen of Death, simply add the snippet below to your .htaccess file to direct all traffic to your message at maintenance.html.
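An added example of that emergency switch (not the article's own snippet). It assumes maintenance.html sits in the site root and that 203.0.113.10 is a placeholder for your own address, which stays exempt so you can keep working. Rather than a 301, which browsers and search engines would cache after the site is back, every other request is answered with a 503 Service Unavailable whose body is the maintenance page; search engines treat 503 as temporary and retry later.

```apache
# Emergency maintenance switch. Works even when PHP is broken, because
# mod_rewrite and ErrorDocument are handled by Apache before PHP runs.
ErrorDocument 503 /maintenance.html
<IfModule mod_headers.c>
  # "always" so the header is also added to the 503 error response.
  Header always set Retry-After "3600"
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine On
  # Exempt your own address (placeholder) so you can see the real site.
  RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
  # Exempt the maintenance page itself and any assets it references,
  # otherwise the ErrorDocument subrequest would be caught by this rule too.
  RewriteCond %{REQUEST_URI} !^/maintenance\.html$
  RewriteCond %{REQUEST_URI} !\.(css|js|png|jpe?g|gif|ico)$ [NC]
  # A non-3xx status in the R flag drops the substitution and ends rewriting.
  RewriteRule ^ - [R=503,L]
</IfModule>
```

To take the site out of maintenance, remove the block again; because nothing was cached as a permanent redirect, visitors see the real site on their next request.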
8. Disable Directory Browsing
Allowing unauthorised individuals to look at your files and folders can be a major security risk. To disable browsing of your directories, simply add this small piece of code to your .htaccess file:
9. Enable Browser Caching
Browser Caching is something I recently discussed in my article “Optimize Your WordPress Website Using These Simple Tips”. Once enabled, browser caching will allow visitors to save items from your web page so that they do not need to be downloaded again.
It is used for design elements such as CSS stylesheets and media items such as images. It is a practical solution because when someone uploads an image to a website, the image is rarely updated again. Browser caching therefore allows visitors to load the image saved on their computer rather than from your server. This reduces bandwidth and improves page loading times.
To enable browser caching, all you need to do is add this code to your .htaccess file:
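An added example for sections 8 and 9 (not the article's own snippets): the single directive that turns off directory listings, followed by a mod_expires block that sets cache lifetimes per content type. The lifetimes are this example's assumptions; the one deliberate choice is that HTML gets no caching at all, so logged-in pages and freshly edited posts are never served stale from a visitor's browser.

```apache
# Section 8: no auto-generated listings for directories that have no index file.
# Note: this needs AllowOverride Options (or Indexes) from the host; if that is
# not granted, this one line produces a 500 error for the whole site.
Options -Indexes

# Section 9: browser cache lifetimes. WordPress appends ?ver= to enqueued
# CSS/JS, so long lifetimes are safe for those; images are rarely replaced.
<IfModule mod_expires.c>
  ExpiresActive On
  ExpiresDefault "access plus 2 days"
  ExpiresByType text/html "access plus 0 seconds"
  ExpiresByType text/css "access plus 1 month"
  ExpiresByType application/javascript "access plus 1 month"
  ExpiresByType image/jpeg "access plus 1 year"
  ExpiresByType image/png "access plus 1 year"
  ExpiresByType image/gif "access plus 1 year"
  ExpiresByType image/webp "access plus 1 year"
  ExpiresByType image/svg+xml "access plus 1 year"
  ExpiresByType image/x-icon "access plus 1 year"
  ExpiresByType font/woff2 "access plus 1 year"
</IfModule>
```

Check the result by loading an image in a browser's network inspector: the response should carry Cache-Control: max-age=31536000 and an Expires header a year ahead, while the page itself shows max-age=0.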
10. Redirect a URL
301 redirects allow you to inform search engines that a URL has permanently moved to a new location. They can be used to redirect a page, a folder, or even a whole website to a new domain.
They are therefore used whenever the URL of a page changes. This can be due to changing a domain, changing the permalink structure of your website, or simply changing the page slug (e.g. changing the page slug of an article from my-news to mygreatnews).
To redirect a location, all you need to do is add a line with Redirect 301, followed by the old location and then the new location. You can see how this works in practice below:
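An added example showing all three cases the section mentions (not the article's own snippet). The page redirect reuses the article's my-news / mygreatnews slugs; the folder and domain names (old-site.example, new-site.example) are placeholders under the reserved .example top-level domain. The single-page and folder redirects use mod_alias; the domain move uses mod_rewrite because the target host has to be built from the request.

```apache
# Single page: old slug to new slug. Paths are relative to the site root.
# The trailing slash also matches anything beneath /my-news/.
Redirect 301 /my-news/ /mygreatnews/

# Whole folder: everything under /blog/ moves under /news/, remainder preserved,
# so /blog/2013/post/ becomes /news/2013/post/.
Redirect 301 /blog/ /news/

# Whole site: any request for the old host goes to the same path on the new one.
<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{HTTP_HOST} ^(www\.)?old-site\.example$ [NC]
  RewriteRule ^(.*)$ https://www.new-site.example/$1 [R=301,L]
</IfModule>
```

Verify each rule with curl -I against the old URL and check for "HTTP/1.1 301" plus the expected Location header before search engines do. One gotcha: mod_alias Redirect and mod_rewrite rules in the same .htaccess run in different phases, so if a URL seems to be redirected twice or to the wrong place, express all of the redirects with one module instead of mixing them.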
11. Disable Hotlinking
Hotlinking is a practice in which someone shares an image from your website by linking directly to the image URL. It commonly occurs on discussion forums, but many website owners still do it too (which is a mistake as it means images can be removed from your content at any time). Hotlinking can have a negative effect on your website. In addition to slowing your website down, it can also significantly increase your bandwidth costs with your hosting company.
You can prevent hotlinking by only allowing your own website, and any others you own, to load your image files. Add the code below to your .htaccess file to stop others from hotlinking your images. Be sure to replace the URLs below with your own website addresses.
* Note that disabling hotlinking may cause some RSS readers to have problems displaying your images from your RSS feed.
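An added example (not the article's own snippet) that also addresses the RSS caveat above: requests that carry no Referer header at all are let through, which is what direct visits, privacy-conscious browsers and most feed readers send. example.com and example.net stand in for your own sites.

```apache
<IfModule mod_rewrite.c>
  RewriteEngine On
  # An empty Referer fails this condition, so the rule does not fire:
  # direct visits, strict referrer policies and RSS readers keep working.
  RewriteCond %{HTTP_REFERER} !^$
  # Your own sites (placeholders), http or https, with or without www.
  RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com(/|$) [NC]
  RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.net(/|$) [NC]
  # Everything else that asks for an image gets 403. Answering with a
  # substitute image served from this same host would match this rule again
  # and loop unless that image were excluded, so a plain 403 is simpler.
  RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC,L]
</IfModule>
```

Treat this as a bandwidth control, not a security one: the Referer header is set by the client and is trivially omitted or spoofed, so the rule deters casual embedding on forums but stops nobody who is determined. Expect image previews in search engines to be blocked as well unless their referrers are added to the allowed list.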
I hope you have enjoyed this list of tips and tricks for the .htaccess file. As you can see, it is a versatile configuration file that can be used for many things.
If you enjoyed this article, I encourage you to subscribe to the Elegant Themes Blog.
By Kevin Muldoon (E.T.)