Secure your WordPress site with an htaccess file

Ok, so you have your Wodpress blog and security plugins all humming away quite nicely but you’re leaving out one last important file, your .htaccess file. This little beauty is responsible granting permissions to write content to your servers database. So using it to its full potential is good way of keeping your WordPress blog (or any other server driven site, for that matter), secure from spammers and opportunist hackers.

Now, there are plugins you’ll be using that are plenty good enough at protecting your site like Askimet or WP Security Scan and thats fine, but beefing up your .htaccess file will dam near bulletproof your site and aid traffic more efficiently, so that can’t be bad!?

How to use the code

WordPress automatically creates an .htaccess file in your root directory when it needs to carry a custom permalink structure, however if for some reason you’re not customising your post URLs then you can add a blank .htaccess file and configure it yourself. You can do this with your current FTP software (if you now how to create a new file), Dreamwever, Notepad, Textedit, Coda…

Create a new file and call it .htaccess

Next drop in the code below chunck by chunk and TEST your site in all verables, like comments, the 404 page, ect, ect… Depending on the theme you’re using and the plugins you’ve installed there might be some compatibility issues, however you’re only going to find out if you test the dammed thing and then test it again.

Again my advice is to try one chunk of code at a time, refresh your site and if it breaks, remove the last chunk of code and move on to the next.

Protect the htaccess file

Whatever happens, you’ll always want to protect the very file you’re using to protect all the other files… makes sense huh, so drop this in there!

# BEGIN Protect the htaccess file
	<files .htaccess>
	order allow,deny
	deny from all
# END Protect the htaccess file

Disable the server signature

Server signatures contain valuable information about installed software on your server and can be read (and exploited) by worms and hackers. Using this will hide that information from prying eyes. However, if you’re operating the site yourself via the server, there are other (much better) ways of protecting your server components, consider using the html5-boilerplate htaccess together with your own home grown configurations.

Do not turn off your ServerSignature (i.e., the Server: HTTP header). Serious attackers can use other kinds of fingerprinting methods to figure out the actual server and components running behind a port. Instead, as a site owner, you should keep track of what’s listening on ports on hosts that you control. Run a periodic scanner to make sure nothing suspicious is running on a host you control, and use the ServerSignature to determine if this is the web server and version that you expect.

html5-boilerplate / doc /

# BEGIN Disable the server signature
	ServerSignature Off
# END Disable the server signature

Limit file uploads to 50mb

OK, so not one that’ll protect your site but a real handy one. using this will increase or limit the Media File Upload to 50MB for those large video files or heavy pdfs’, just drop this into your .htaccess file to get the most from your WP site. If you’re a purist about code and use the conversion of bytes to megabytes or whatever, you can make the conversion here, bit calculator.

# BEGIN Upload Limiter
	php_value upload_max_filesize 50M
	php_value post_max_size 50M
	php_value max_execution_time 500
	php_value max_input_time 500
# END Upload Limiter

Protect your wp-config.php file

This chunk of code is an absolute must, it protects your wp-config.php file from being viewed by unwanted eyes.

# BEGIN Protect wpconfig.php
	<files wp-config.php>
	order allow,deny
	deny from all
# END Protect wpconfig.php

Limit access to your wp-admin (login)

A very handy bit of code if you’re always blogging from a static IP address, insert this code and change ‘’ to your IP address, and only you will be able to access your blog. Not good if you like to post your latest thoughts from Starbucks!

# BEGIN Who has access who doesnt
	order allow,deny
	#deny from
	allow from all
# END Who has access who doesnt

Custom error documents

Personalise your error docs and specify the url where they’re held, you can add more error documents as you see fit.

# BEGIN Custom error docs
	ErrorDocument 404 /error-docs/notfound.php
	ErrorDocument 403 /error-docs/forbidden.php
	ErrorDocument 500 /error-docs/error.php
# END Custom error docs

Disable Hotlinking of images with a custom warning image

If you’re one of those people who just hate it when someone uses your bandwidth to hijack your image urls to use on their own site, then this is the code for you. Add this to your .htaccess file, create a warning message ‘get-your-own.jpg’ and upload it to the fist level of your sites root folder.

# BEGIN Disable hotlinking of images with warning message
	RewriteEngine on
	RewriteCond %{HTTP_REFERER} !^$
	RewriteCond %{HTTP_REFERER} !^http://(www\.)?*$ [NC]
	#RewriteRule \.(gif|jpg)$ – [F]
	#RewriteRule \.(gif|jpg)$ [R,L]
# END Disable hotlinking of images with warning message

Stop those spam comments

This is really handy however use it wisely, as it could prevent some plugins from working correctly, my advice Test, Test and Test again!

# BEGIN Protect from spam comments
	RewriteEngine On
	RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
	RewriteCond %{HTTP_REFERER} !.** [OR]
	RewriteCond %{HTTP_USER_AGENT} ^$
	RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]
# END Protect from spam comments

Lastly If you are already using a custom permalink structure to format page names, you’ll need to keep that code in the htaccess file in order for that to continue working.