Published on 11 June 2019

Did you know that 100% of WordPress sites have a .htaccess configuration file?

Indeed, WordPress automatically creates it during installation to include the permalink settings of your website.

When you go to Settings > Permalinks to choose your permalink settings (usually Post Name), the .htaccess file is modified.

Nevertheless, it should be noticed that this file can play a much more important role.

The .htaccess file is a configuration file that WordPress uses for Apache web servers, the software your server uses to run.

The contents of this file will give instructions to Apache to make the server behave in a certain way.

Thanks to the .htaccess file, you will be able to:

  • Improve your site security
  • Increase the load speed
  • Set up redirects
  • Limit spam
  • And even make little jokes 🙂

Interested, are you?

So keep reading, you won’t be disappointed! Here is the program:

Before you start

Before getting to the point, we will take a look at the basics. It will help you, especially if you are a beginner.

How do .htaccess files work in WordPress?

One more thing you need to know: a site may have several .htaccess files.

First of all, there is the main .htaccess file, which is located at the root of the site. The root of a site is where the WordPress files are located (the wp-admin, wp-includes and wp-content folders plus a few other files).

The content of the main .htaccess file affects the whole site.

Other .htaccess files can be created in subdirectories. In WordPress' case, one can be placed in the wp-admin or wp-content/uploads directory, for example.

Secondary .htaccess files affect the directories in which they are located as well as their subdirectories.

If we imagine that there is a .htaccess file in wp-content/uploads, the uploads directory and all its subdirectories will be affected by whatever is defined in that .htaccess file.

Be cautious!

Watch your eyes, this might sting

Customizing the code of a .htaccess file is quite simple (especially with the snippets I'll give you later in this article ;-)) but you shouldn't go ahead haphazardly!

Before any change, save the initial content of your .htaccess file. To do this, you can:

  • Duplicate the .htaccess file on your server as a .htaccess-initial file
  • Copy the contents of the file to a text file on your computer

If a problem occurs, you can easily restore the original content.

To make changes, follow this procedure:

  • Open the file in your code editor
  • Add your inclusions in the file
  • Save it all
  • Reload your site to check that everything still works

Reloading your site is very important because you need to be sure that the added code does not cause a problem.

In general, an “Internal Server Error” will be displayed on the screen if something goes wrong:

Internal Server Error

In this case, cancel your changes and save again. Everything should be fine.

Sometimes, some hosting providers do not accept this or that directive in the .htaccess file…

You have to deal with it.

Contact your hosting provider’s support for more information. Hopefully, only a slight modification is needed to make it work.

How to create a .htaccess file in WordPress?

Logically, your site should have at least one .htaccess file: the one located in the root directory of your site. You can edit it using your code editor.

There are other solutions, like the WP Htaccess Editor plugin, to modify it directly from WordPress. But in case of an issue you will have to go through FTP and your code editor anyway, so you might as well do it directly.

If you need to add a .htaccess file to a subdirectory, follow these instructions:

Create a .htaccess file from your computer:

  • Create a new text file and name it htaccess.txt
  • Edit it as you wish
  • Upload it to the root of your server
  • Rename it to .htaccess

Create a .htaccess file directly from your server:

  • Right-click in the directory where it should be located
  • Add a new file and name it .htaccess
  • Edit it with your code editor (Notepad++, Coda, Sublime Text or whichever suits you best).

Comments in .htaccess

As in all computer languages, the .htaccess file allows you to include comments.

In our case, just add the # symbol at the beginning of a line and that line will be ignored. This is very useful to remember what lines of code do.

You will have the opportunity to see comments in the examples in this article.

So let's dive right in with the…

.htaccess file located in the root directory of your site

If your installation is OK, you will find a .htaccess file in the root directory of your site. It will contain the following code:

Default code of the WordPress .htaccess file:

# BEGIN WordPress

RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]

# END WordPress

If you use WordPress in multisite mode, the default code of the .htaccess file will be different. This will not apply to you in most cases.

Now that you have located this file, you will be able to enrich its content with the snippets below to achieve specific things. This may concern security, but not only.

Be careful not to include any code between the comments # BEGIN WordPress and # END WordPress, as WordPress may rewrite that section in some cases.

Warning: Back up your original .htaccess file before making any changes. You must be able to go back in case of a problem!

Disable directory browsing

By default, if you try to access the directories of a site, the server will display them. The formatting will look like this:

Visible WordPress files and directories

Too easy for potential hackers, isn't it? The fact that they can see the files on your site will help them attack it more easily. Insert the following code in your .htaccess file to protect your site:

# Disable the display of directory contents
Options All -Indexes

It’s also possible to use this code to prevent directories from being listed:

# Alternative to prevent directory listing
IndexIgnore *

Hide server information

With some hosting providers, the pages displayed may contain information about the server. This information can be useful to potential hackers.

It’s therefore better to hide them with the following code:

# Hide server information
ServerSignature Off

Enable symbolic link tracking

It may be all Greek to you, but it is important to insert this line of code in your main .htaccess file.

# Enable following of symbolic links
Options +FollowSymLinks

Thanks to this, your server will be able to follow what are called symbolic links, i.e. shortcuts.

Set your server to the right time

This is not really important, but if your server is located abroad, you can tell it to use your time zone with this line of code:

# Time zone choice
SetEnv TZ Europe/Paris

Define the default character encoding

The following code is used to define the character encoding of text and HTML files as UTF-8.

# Default encoding of text and HTML files
AddDefaultCharset UTF-8

Protect the wp-config.php file

The configuration file of your site (wp-config.php) contains the credentials to connect to the database. This is the most sensitive file on your site. It will clearly be the target of potential hackers. You can protect it by adding this code to the main .htaccess file:

# Protect the wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>

Protect the .htaccess file itself

Just like the wp-config.php file, the .htaccess file must be protected as much as possible. To do this, insert this code:

# Protect .htaccess and .htpasswd files
<Files ~ "^.*\.([Hh][Tt][AaPp])">
order allow,deny
deny from all
satisfy all
</Files>

Restrict spam comments

If you have a blog, you know this as well as I do: spam comments are a real pain.

Fortunately, there is a trick to protect yourself directly in the .htaccess file. This is not a miracle solution, but combined with the Akismet plugin, the majority of spam comments should be filtered.

# Prevent comment spam
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*monsite.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
</IfModule>

Don't forget to change monsite.com to your domain name.

Avoid the discovery of an author’s ID

Even if you use a complex username, it can still be discovered.

Of course, I assume you don't already display it publicly with your theme (it can happen) 😉

Try typing monsite.com/?author=x, replacing x with 1 (for the administrator) or with the ID of one of your authors. If you are not protected, you will be redirected to a page such as monsite.com/author/author_identifier.

That's how you find a username in two seconds. From there, all that's left is to guess the password.

To protect yourself from this technique, use the following code:

# Prevent discovery of an author's identifier
# Thanks to Jean-Michel Silone from the WP-Secure Facebook group https://www.facebook.com/groups/wp.security/
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule .* - [F]
</IfModule>

Thanks to Jean-Michel from the Facebook WP-Secure group for the tip 🙂

Disable image hotlinking

Once you have added images to your site (for example, in a post), anyone can copy the URL of one of your images and display it on their own website.

We could say that this is not so serious, but if for some reason a very popular site grabs your image and displays it on one of its pages, all the requests will be made to your server.

Hotlinking can slow down your website and exceed your bandwidth limit. If your website is installed on a small shared server, your host may not like it because resources are limited.

To avoid the problem, insert and customize this code in your .htaccess file:

Replace monsite.com with your domain name:

# Disable hotlinking of your images
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?monsite.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://fakeimg.pl/400x200/?text=Pas_images [NC,R,L]

To allow some sites to display your images, use the following code:

Replace monsite.com, monsite2.com and monsite3.com with the domains of your choice

You can also customize the image that will be displayed instead of the requested image. I added something simple but you can be cheekier 😉

Ban IP addresses

If you have noticed some IPs trying to connect a little too often to your site administration (spotted, for example, with the Login Lockdown plugin), you can get rid of them by blocking their IP address.

You also have the possibility to retrieve the IP addresses of spam commenters, to ban them from your site.

This solution is not definitive, because your attacker may change their IP address. But it may work against the least skilled ones.

Replace xxx.xxx.xxx.xxx with the IP address to be banned:

# Ban an IP address
<Limit GET POST>
order allow,deny
deny from xxx.xxx.xxx.xxx
allow from all
</Limit>

Block visitors from certain sites

If you realize that a dubious site links to you and you do not want visitors from this site to access yours, use this code:

Replace monsite1.com and monsite2.com with the sites of your choice:

# Prevent visitors from these sites from accessing yours
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} monsite1.com [NC,OR]
RewriteCond %{HTTP_REFERER} monsite2.com [NC]
RewriteRule .* - [F]
</IfModule>

Redirect visitors from one site to another

To go further than the previous tip, you can send visitors coming from certain sites to another site.

I might as well tell you that you could have a lot of fun doing that. Here is the code to use:

Replace the source and destination sites with those of your choice:

# Redirect visitors coming from one site to another
RewriteEngine on
RewriteCond %{HTTP_REFERER} sitesource\.com/
RewriteRule ^(.*)$ http://www.sitedestination.com [R=301,L]

Set up redirects

The .htaccess file allows you to set up redirects. This is very useful to redirect a few pages, but if you want to create a lot of redirects, I recommend the Redirection plugin.

Here is how to create redirects in the .htaccess file:

# Redirect a single page
Redirect 301 /anciennepage/ http://www.monsite.com/nouvellepage

# Redirect a category (with renaming of category to categorie)
Redirect 301 /category/technology/ http://www.monsite.com/categorie/techno/

Redirect the address without www to www

When setting up a site, one of the priority actions to be taken is to redirect the site without www to the version with www (or vice versa).

If you test this the next time you create a site, you will find that the two addresses do not necessarily both lead to your site.

In some cases, your host takes care of it automatically, or it must be activated via the host's control panel.

If you need to do this manually, use the following code, replacing monsite.com with your domain name:

Replace monsite.com with your domain name:

# Redirect the site without www to www
RewriteEngine On
RewriteCond %{HTTP_HOST} ^monsite.com [NC]
RewriteRule ^(.*)$ http://www.monsite.com/$1 [L,R=301]

Redirect the www address to the one without www

On the other hand, if you don't want www in front of your site's name (as is the case for WPMarmite), it is possible to redirect to the version without www.

Insert the following code in the .htaccess file:

Replace monsite.com with your domain name:

# Redirect the site with www to the version without www
RewriteEngine on
RewriteCond %{HTTP_HOST} ^www\.monsite\.com [NC]
RewriteRule ^(.*)$ http://monsite.com/$1 [L,R=301]

Warning: Do not use this code together with the previous one, otherwise your site will suffer from a redirect loop (because the version without www will redirect to the version with www, which will redirect to the version without www, and so on).

Redirect to HTTPS

If you have set up an SSL certificate on your site to switch to HTTPS, you must be sure that all your visitors are browsing the secure version of your website.

Otherwise, sensitive information (e.g. personal or banking data) could be intercepted by hackers.

Use the following code to switch your entire site to HTTPS:

# Redirect to HTTPS
RewriteCond %{SERVER_PORT} ^80$
RewriteRule ^(.*)$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]

Force the download of specific files

When you want to download a file from a site, your browser sometimes tries to open it to display it.

Personally, I find this convenient for PDF files; however, it is very unpleasant for other types of files.

Insert the following code so that your visitors can directly download the files with these extensions (modify them as you wish):

# Force download for these file types
AddType application/octet-stream .doc .docx .xls .csv .mp3 .mp4

Create a custom maintenance page

To create a maintenance page, you can use the following code:

# Maintenance page
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^xxx\.xxx\.xxx\.xxx
RewriteRule $ /maintenance.html [R=302,L]

For this to work, you must:

  • Create a maintenance.html file with content indicating that the site is under maintenance.
  • Add your IP address in line 4 (keeping the "\") so that you can still access the site (you can discover your IP address on this website).

When the maintenance is finished, put "#" in front of each line to comment them out.

Enable caching

The .htaccess file allows you to cache some files of your site in your visitors' browser for a faster load time.

Indeed, the browser will not need to re-download the files it already holds in its cache.

To do this, insert the following code:

# Browser caching of files
<IfModule mod_expires.c>
ExpiresActive On
ExpiresDefault "access plus 1 month"

ExpiresByType text/html "access plus 0 seconds"
ExpiresByType text/xml "access plus 0 seconds"
ExpiresByType application/x-font-ttf "access plus 1 month"
ExpiresByType font/opentype "access plus 1 month"
ExpiresByType application/x-font-woff2 "access plus 1 month"
ExpiresByType image/svg+xml "access plus 1 month"
ExpiresByType application/vnd.ms-fontobject "access plus 1 month"

ExpiresByType image/jpg "access plus 1 month"
ExpiresByType image/gif "access plus 1 month"
ExpiresByType application/x-shockwave-flash "access plus 1 week"
ExpiresByType image/x-icon "access plus 1 week"
</IfModule>

# Headers
Header unset ETag
FileETag None

<IfModule mod_headers.c>
<FilesMatch "\.(ico|jpe?g|png|gif|swf)$">
    Header set Cache-Control "public"
</FilesMatch>
<FilesMatch "\.(css)$">
    Header set Cache-Control "public"
</FilesMatch>
<FilesMatch "\.(js)$">
    Header set Cache-Control "private"
</FilesMatch>
<FilesMatch "\.(x?html?|php)$">
    Header set Cache-Control "private, must-revalidate"
</FilesMatch>
</IfModule>

Caching will be effective for the time specified for each file type, or until the visitor clears their browser cache.

Enable compression

In addition to everything we have seen so far, it is possible to compress some resources before they are transferred from the server to the browser.

And when I say file compression, I mean faster page load times. I therefore recommend that you implement this code to give your site a boost:

# Compression of static files
<IfModule mod_deflate.c>
    AddOutputFilterByType DEFLATE text/xhtml text/html text/plain text/xml text/javascript application/x-javascript text/css
    BrowserMatch ^Mozilla/4 gzip-only-text/html
    BrowserMatch ^Mozilla/4\.0[678] no-gzip
    BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
    SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
    Header append Vary User-Agent env=!dont-vary
</IfModule>

AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/xml

Disable access to some scripts

To work, WordPress uses scripts located in the wp-includes directory. However, there is no reason to access them directly. Use this code to limit access:

# Block use of certain scripts
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

You can find out more in the WordPress Codex.

Protection against file injection

Hackers may attempt to inject files into your server to take control of your site. To prevent them from doing so, you can include this code in your .htaccess file:

# Protection against file injections
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
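Before relying on RewriteCond patterns like the author-ID rule above or the file-injection rules, it helps to see exactly which query strings they match. The following Python script is an added example (not code from the page or from WPMarmite) that re-implements the conditions of both snippets with the same regular expressions, runs them over a few constructed request samples, and shows one limitation worth knowing as a defender: the page's author pattern is anchored with ^, so it only fires when author= is the first parameter of the query string. The stricter AUTHOR_PATTERN_ANYWHERE variant is my own addition, not part of the page's snippet.

```python
import re

# Patterns copied from the page's RewriteCond lines. mod_rewrite matches a
# RewriteCond pattern anywhere in the string (like re.search), so the only
# anchor is the one the pattern itself carries.
AUTHOR_PATTERN = re.compile(r"^author=([0-9]*)")

# Stricter variant (my addition, not on the page): the page's pattern is
# anchored with ^, so it only fires when "author=" is the first parameter.
# This one fires when the parameter appears anywhere in the query string.
AUTHOR_PATTERN_ANYWHERE = re.compile(r"(^|&)author=[0-9]+")

# The three file-injection conditions, joined by [OR] on the page; the last
# one carries [NC], which is re.IGNORECASE here.
FILE_INJECTION_PATTERNS = [
    re.compile(r"[a-zA-Z0-9_]=http://"),
    re.compile(r"[a-zA-Z0-9_]=(\.\.//?)+"),
    re.compile(r"[a-zA-Z0-9_]=/([a-z0-9_.]//?)+", re.IGNORECASE),
]


def author_rule_blocks(query_string, anywhere=False):
    """True when the author-enumeration condition fires (the [F] rule then returns 403)."""
    pattern = AUTHOR_PATTERN_ANYWHERE if anywhere else AUTHOR_PATTERN
    return pattern.search(query_string) is not None


def file_injection_blocks(method, query_string):
    """True when the file-injection chain fires: method GET and any of the [OR] conditions."""
    # "RewriteCond %{REQUEST_METHOD} GET" is an unanchored regex, which for a
    # method token amounts to an exact comparison.
    if method != "GET":
        return False
    return any(p.search(query_string) for p in FILE_INJECTION_PATTERNS)


def classify(method, query_string):
    """Names of the page's rules that would block this request (empty list = passed through)."""
    reasons = []
    if author_rule_blocks(query_string):
        reasons.append("author-id")
    if file_injection_blocks(method, query_string):
        reasons.append("file-injection")
    return reasons


# Constructed sample requests (method, raw query string) for the demonstration.
SAMPLE_REQUESTS = [
    ("GET", "author=1"),
    ("GET", "p=42&author=1"),
    ("GET", "page_id=7"),
    ("GET", "src=http://example.org/page.txt"),
    ("POST", "src=http://example.org/page.txt"),
    ("GET", "page=../../config.txt"),
    ("GET", "dir=/a//b/"),
]


def run_samples(requests=SAMPLE_REQUESTS):
    """Return {(method, query): reasons} for every sample request."""
    return {req: classify(*req) for req in requests}


if __name__ == "__main__":
    for (method, qs), reasons in run_samples().items():
        verdict = "403 " + ",".join(reasons) if reasons else "pass"
        print(f"{method:4} ?{qs:35} -> {verdict}")
    # The anchored page pattern misses author= when it is not the first parameter:
    print("p=42&author=1 with anywhere pattern ->",
          author_rule_blocks("p=42&author=1", anywhere=True))
```

Running the script lists which constructed requests each rule would reject. Note that the file-injection chain only applies to GET requests, exactly as the first RewriteCond of the snippet specifies, and that the author rule's `[0-9]*` also matches an empty number.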

Protection against other threats

On Facebook, Richard told me that it was possible to protect yourself from "clickjacking" and other threats by adding a few lines in the .htaccess file.

For your information, clickjacking is a technique that makes a visitor believe they are on your site when this is not the case, using frame or iframe tags.

The following code protects you from clickjacking, fights other threats and blocks content in the event of an XSS attack.

# Miscellaneous protections (XSS, clickjacking and MIME-type sniffing)
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options "nosniff"
</IfModule>
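After adding the header directives, the sensible check is to look at what the server actually sends. The Python script below is an added example (not code from the page) that parses the head of a raw HTTP response and reports, for the three headers the snippet sets, whether each is present with an expected value. It also flags the case a plain "present or not" check would miss: the snippet uses "Header always append", and WordPress itself already sends X-Frame-Options: SAMEORIGIN on admin and login pages, so on those pages the response can end up carrying the header twice, which is not a valid single value. The two responses are constructed samples, not captures from a real server.

```python
EXPECTED_HEADERS = {
    # header name (lower-case) -> acceptable values (compared case-insensitively)
    "x-frame-options": {"sameorigin", "deny"},
    "x-content-type-options": {"nosniff"},
    "x-xss-protection": {"1; mode=block"},
}


def parse_response_headers(raw):
    """Parse the head of a raw HTTP response into {lower-case name: [values...]}.

    Repeated headers are collected in order, which matters for the audit below.
    """
    headers = {}
    lines = raw.replace("\r\n", "\n").split("\n")
    for line in lines[1:]:          # lines[0] is the status line
        if not line.strip():
            break                   # blank line ends the header section
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(raw):
    """Return {header: "ok" | "missing" | "duplicated" | "unexpected:<value>"}."""
    headers = parse_response_headers(raw)
    report = {}
    for name, allowed in EXPECTED_HEADERS.items():
        values = headers.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1 or "," in values[0]:
            # Apache "Header append" merges into an existing header with a comma,
            # and a second header line is the same problem: these headers take a
            # single value, so a doubled one is not valid.
            report[name] = "duplicated"
        elif values[0].lower() in allowed:
            report[name] = "ok"
        else:
            report[name] = "unexpected:" + values[0]
    return report


# Constructed sample responses (not captured from a real server).
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)

# An admin page that already sent X-Frame-Options itself, with the .htaccess
# directive adding a second copy, and the nosniff header absent.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit_headers(raw))
```

To use it against a real site, feed audit_headers the raw response head captured with a tool of your choice; the parser stops at the first blank line, so the body can be included or left out.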

.htaccess in wp-admin

wp-admin is the heart of your site: the place where you go to write posts, configure your menus, set up your theme and much more.

It goes without saying that no unauthorized persons should enter this sanctuary.

Here is what you can do to harden security with a .htaccess file placed in the wp-admin folder of your site.

Limit access to site administration

Only people with the listed IPs will be able to access the wp-admin folder. Rather convenient to prevent strangers from logging in to your site (even if they have the right password).

<Limit GET POST PUT>
order deny,allow
deny from all
# Alex's IP
allow from xxx.xxx.xxx.xxx
# Nico's IP
allow from xxx.xxx.xxx.xxx
# IP of another access point
allow from xxx.xxx.xxx.xxx
</Limit>
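The wp-admin allowlist above uses "order deny,allow", whereas the IP-ban snippet earlier in the article uses "order allow,deny"; the two orders evaluate the same allow/deny lines with different defaults, and swapping them is a classic way to lock everyone out (or nobody). The Python model below is an added example (not code from the page or from WPMarmite) that emulates how mod_access_compat resolves these two orders, with both page configurations expressed as data plus the misordered variant, over constructed client addresses from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24. It models only the access decision: the <Limit GET POST> wrapper in the snippets restricts just the listed methods, and on Apache 2.4 these directives need mod_access_compat (the native form is Require ip), neither of which the model represents.

```python
import ipaddress


def _rule_matches(rule, client_ip):
    """Does one 'allow from'/'deny from' argument match the client address?

    Supports the forms the page uses plus the other ones mod_access_compat
    accepts: "all", a full address, a CIDR network, or a partial dotted prefix.
    """
    if rule == "all":
        return True
    if "/" in rule:
        return client_ip in ipaddress.ip_network(rule, strict=False)
    try:
        return client_ip == ipaddress.ip_address(rule)
    except ValueError:
        # Partial address such as "203.0.113": matches every host under that prefix.
        return str(client_ip).startswith(rule.rstrip(".") + ".")


def access_decision(order, allow_rules, deny_rules, client):
    """Emulate Order allow,deny / Order deny,allow; True when the request is allowed."""
    client_ip = ipaddress.ip_address(client)
    allowed = any(_rule_matches(r, client_ip) for r in allow_rules)
    denied = any(_rule_matches(r, client_ip) for r in deny_rules)
    if order == "allow,deny":
        # Allow directives first, then Deny overrides; default is deny.
        return allowed and not denied
    if order == "deny,allow":
        # Deny directives first, then Allow overrides; default is allow.
        return allowed or not denied
    raise ValueError("unknown Order: " + order)


# The two configurations from the page, as data (constructed addresses from
# the documentation ranges; they stand in for the page's xxx.xxx.xxx.xxx).
BANNED_IP = "203.0.113.5"
ADMIN_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.20"]


def ban_list_allows(client):
    """'Ban IP addresses' block: order allow,deny / deny from <ip> / allow from all."""
    return access_decision("allow,deny", ["all"], [BANNED_IP], client)


def admin_allowlist_allows(client):
    """wp-admin block: order deny,allow / deny from all / allow from <ips>."""
    return access_decision("deny,allow", ADMIN_IPS, ["all"], client)


def misordered_allowlist_allows(client):
    """Common mistake (not on the page): the allowlist written with Order allow,deny.

    'deny from all' now wins over every 'allow from', so nobody gets in.
    """
    return access_decision("allow,deny", ADMIN_IPS, ["all"], client)


if __name__ == "__main__":
    for client in (BANNED_IP, "198.51.100.7", ADMIN_IPS[0]):
        print(client,
              "ban-list:", ban_list_allows(client),
              "admin-allowlist:", admin_allowlist_allows(client),
              "misordered:", misordered_allowlist_allows(client))
```

The third function is the one to study: with "order allow,deny", a matching Deny always wins, so "deny from all" followed by "allow from" your own address denies you as well. That is why the page's allowlist uses "order deny,allow" and its ban list uses "order allow,deny".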

Add a second authentication

When you log in to the administration of a WordPress site, you use a username and a password. Well, it is possible to add a second layer of authentication thanks to the .htaccess file and another file.

First, create a file named .htpasswd in the wp-admin directory and insert a username and password pair.

If you need to create several users, repeat the operation and add the new username/password pair on a new line.

For example, you may end up with this kind of file:

Fictitious content of a .htpasswd file:

alex:ieS547B1UxY8M
nico:rSqEJf0SeTlRs

Then insert the following code into the .htaccess file:

# Second authentication for the administration
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

AuthName "Connexion à l'administration"
AuthType Basic
AuthUserFile "/full/path/to/.htpasswd"
Require valid-user

The tricky part of this procedure is entering the full path of the .htpasswd file. To find it for sure, create an info.php file and insert the following code:

Place the info.php file in wp-admin:

<?php echo "Chemin à copier : " . realpath('.htpasswd'); ?>

Go to yourwebsite.com/wp-admin/info.php and you will get the real path of the .htpasswd file to put in the .htaccess file. Delete the info.php file once you have obtained the right path.

Update: If you insert this code as it is, AJAX requests will no longer work. 

If you have followed everything I just mentioned, you should have double authentication in place to access your WordPress administration! Well done 🙂

Come on, let’s move on.

.htaccess in wp-includes

Block direct access to PHP files

Create a .htaccess file in wp-includes and paste the following code into it to prevent PHP files from being loaded directly:

# Block direct access to PHP files (thanks to Sucuri)
<FilesMatch "\.(?i:php)$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>
<Files wp-tinymce.php>
  Allow from all
</Files>
<Files ms-files.php>
  Allow from all
</Files>

The code above is provided by the Sucuri plugin. In addition, I advise you to subscribe to their service to be on the safe side in terms of security.

.htaccess in wp-content

Block direct access to PHP files

For the wp-content folder, the code is similar, minus the exceptions:

# Block direct access to PHP files (thanks to Sucuri)
<FilesMatch "\.(?i:php)$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>

.htaccess in wp-content/uploads

Block direct access to PHP files

With this code, also protect the folder where media files are stored, to prevent PHP files from being executed by someone else (a malicious hacker, for example).

# Block direct access to PHP files (thanks to Sucuri)
<FilesMatch "\.(?i:php)$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>

Conclusion and resources to go further

Although a lot has been covered in this article, it is possible to go further in the configuration of your .htaccess file.

Useful resources include the WordPress Codex, the Apache documentation (the software that runs your server) and the Perishable Press blog (they even wrote a book about it).

I would like to remind you to make your changes with the utmost care. Errors or incompatibilities can occur depending on the web hosting provider you are using on your site.

Always keep a backup of the original .htaccess file to restore it in case of a problem.

Well, that was quite a post, wasn’t it?

Thank you for reading it until the end 🙂

And if you are used to using .htaccess files on your websites, share your snippets in the comments below 😉