I moved my blog, Mukesh Mali, from Blogger to WordPress myself a few months ago, and it was a great learning experience. WordPress is no doubt a great blogging platform and I certainly have no regrets about making the move. As many blog owners know (and some of them may have learned the hard way), there are many potential security problems with any blog or website, and WordPress blogs are no exception. In this article you will learn some easy and simple ways to help protect your WordPress blog. Implementing them on your blog is a significant step towards making it secure.

When you have an active blog, the last thing you want to stop and worry about is security. Nevertheless, WordPress security is very important to the safety and longevity of your blog. Using WordPress’ .htaccess file, you can tighten your blog’s security and not have to worry about its safety.

What is a .htaccess File?

The .htaccess file is a per-directory configuration file for web servers running the Apache HTTP Server. When a .htaccess file is placed in a directory that Apache serves, Apache reads and applies it to that directory and its subdirectories (provided the server's AllowOverride setting permits it). It is often used to specify access restrictions for that particular directory.

Create a blank .htaccess file. This can be done in Notepad or a comparable simple text editor of your choice (no, MS Word does not count, although it's possible). Open Notepad, click Save, and name the file htaccess.txt. If you're using Windows XP, the OS won't let you name a file .htaccess, but don't worry: you can rename it once it has been uploaded to your server (I have no idea how Linux, Vista or OSX handle this).

Protect your WordPress using htaccess

In this article I'm going to show you how to strengthen your site's security by adding or changing a few lines in this file. Before you make any changes, take a backup of your .htaccess; if something gets messed up, you can always replace the modified .htaccess with the original one. Note that the Order, Allow and Deny directives used below are Apache 2.2 syntax; on Apache 2.4 they need the mod_access_compat module, otherwise use the equivalent Require directives.

Prevent Access To wp-content

The wp-content folder contains images, themes and plug-ins. It is a very important folder within your WordPress install, so it makes sense to prevent outsiders from accessing it directly.

This requires its own .htaccess file, added to the wp-content folder itself. It lets visitors fetch images, CSS and JavaScript but blocks direct requests for the PHP files there (a plug-in or theme that expects its PHP files to be requested directly will stop working under this rule, so test after adding it):

Order deny,allow
Deny from all
# static assets stay publicly readable; everything else (PHP included) is denied
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>

Restrict Access to WP Admin directory by IP Address

If you are running a single-user blog, there is no reason to let anyone else reach the WordPress administration panel. You can protect it from unauthorized access by placing a .htaccess file in the wp-admin directory that lists your static IP address. Bear in mind that wp-admin/admin-ajax.php is also requested by front-end features of some themes and plug-ins, so check that those still work afterwards. Here's the trick:

order deny,allow
# replace 117.212.28.23 with your own static IP address
allow from 117.212.28.23
deny from all

Disable Hotlinking

Sometimes another site will link directly to images hosted on your site. That saves them disk space, since they don't have to store the images, but your server ends up serving the requests, using up your precious bandwidth. This is known as 'hotlinking'. To disable it, add these lines to your .htaccess:

# disable hotlinking of images: answer with "forbidden" or serve a custom image instead
RewriteEngine on
# requests with no referer (direct visits, feed readers, privacy settings) are allowed
RewriteCond %{HTTP_REFERER} !^$
# requests referred by your own site are allowed (replace yourdomain.com)
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
# never redirect the replacement image itself, or the redirect would loop
RewriteCond %{REQUEST_URI} !/stealingisbad\.gif$
# option 1: 403 Forbidden; option 2: redirect to a custom image
#RewriteRule \.(gif|jpg)$ - [F]
RewriteRule \.(gif|jpg)$ http://www.yourdomain.com/stealingisbad.gif [R,L]

Stop Spammers

Like hotlinkers, spammers are notorious for using up your site's resources. There are a number of ways to identify a potential spammer. One of them is to detect comment submissions with no referrer: spammers use bots to post comments on blogs, and those requests come from 'nowhere'. Add these lines to stop them:

RewriteEngine On
# only inspect comment submissions
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
# ... that are not referred from a page on your blog (replace yourblog.com), or carry no user agent
RewriteCond %{HTTP_REFERER} !.*yourblog\.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# send the request back to the address it came from
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
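Because a mistake in a RewriteCond only shows up once real visitors hit it, it helps to work through the hotlink rules and the comment-spam rules above with a few sample requests before uploading the file. The following script is an added example, not code from the original post: it re-implements the decision logic of both rule sets in Python (same patterns, dots escaped, [NC] as case-insensitive matching) and runs it over constructed requests, including the edge cases the rules must get right: a blank referer is allowed, the substitute image is exempt so the redirect cannot loop, and a POST without a user agent is bounced. SITE, PLACEHOLDER_IMAGE, Request, hotlink_action and comment_post_action are names chosen here and stand in for yourdomain.com / yourblog.com in the rules.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Hypothetical blog host standing in for "yourdomain.com" / "yourblog.com" in the rules.
SITE = "yourdomain.com"
# The substitute image the hotlink rule redirects to; it must be exempt from the rule itself.
PLACEHOLDER_IMAGE = "/stealingisbad.gif"

# The same patterns the RewriteCond/RewriteRule lines use, dots escaped, [NC] as IGNORECASE.
OWN_REFERER = re.compile(r"^http://(www\.)?" + re.escape(SITE) + r"/.*$", re.IGNORECASE)
IMAGE_URI = re.compile(r"\.(gif|jpg)$")
COMMENT_URI = re.compile(r"wp-comments-post\.php")
REFERER_MENTIONS_SITE = re.compile(r".*" + re.escape(SITE) + r".*")


@dataclass
class Request:
    """The parts of a request the two rule sets look at (constructed sample input)."""
    method: str
    uri: str
    referer: str = ""
    user_agent: str = "Mozilla/5.0 (constructed sample)"


def hotlink_action(req: Request) -> str:
    """What the hotlink rules do with req: 'serve' the file or 'redirect' to the substitute."""
    if not IMAGE_URI.search(req.uri):
        return "serve"        # the RewriteRule only matches .gif/.jpg requests
    if req.referer == "":
        return "serve"        # HTTP_REFERER !^$ : blank referer is allowed (direct visits, feed readers)
    if OWN_REFERER.match(req.referer):
        return "serve"        # referred by a page on our own site, www or not, any case
    if req.uri.endswith(PLACEHOLDER_IMAGE):
        return "serve"        # never redirect the substitute image, or the redirect loops forever
    return "redirect"         # external referer on an image: hand out the substitute instead


def comment_post_action(req: Request) -> str:
    """What the spam rules do with req: 'allow' it or 'redirect_to_sender'."""
    if req.method != "POST" or not COMMENT_URI.search(req.uri):
        return "allow"        # only comment submissions are inspected
    if not REFERER_MENTIONS_SITE.match(req.referer) or req.user_agent == "":
        return "redirect_to_sender"   # not referred from our blog, or empty user agent: bounce it
    return "allow"


def dry_run(requests: List[Request]) -> List[Tuple[str, str, str]]:
    """Run both rule sets over a batch; returns (uri, hotlink verdict, comment verdict) per request."""
    return [(r.uri, hotlink_action(r), comment_post_action(r)) for r in requests]


if __name__ == "__main__":
    samples = [  # constructed sample requests covering the edge cases
        Request("GET", "/images/logo.gif", referer="http://other-site.example/page"),
        Request("GET", "/images/logo.gif", referer=""),
        Request("GET", "/images/logo.gif", referer="http://WWW.yourdomain.com/post"),
        Request("GET", "/stealingisbad.gif", referer="http://other-site.example/page"),
        Request("GET", "/style.css", referer="http://other-site.example/page"),
        Request("POST", "/wp-comments-post.php", referer=""),
        Request("POST", "/wp-comments-post.php", referer="http://yourdomain.com/post/", user_agent=""),
        Request("POST", "/wp-comments-post.php", referer="http://yourdomain.com/post/"),
    ]
    for uri, hot, spam in dry_run(samples):
        print(f"{uri:28} hotlink={hot:9} comment={spam}")
```

The one condition that is easy to forget is the exemption for the substitute image: a browser following the redirect keeps sending the external referer, so without that exemption the substitute image would itself be redirected, over and over.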

Rewrite URLs

Many content management systems and scripts use very long URLs containing instruction codes and session IDs. You can replace those with short, search-engine-friendly rewritten URLs, thanks to Apache's mod_rewrite module and an .htaccess file. For example, this rule serves a request for /documents/42-some-title.html from documents.php?id=42 without changing the URL the visitor sees:

RewriteEngine On
# the number after documents/ becomes the id parameter; the rest of the name is ignored
RewriteRule ^documents/([0-9]+)(.*)\.html$ documents.php?id=$1 [L]

Protect WP-Config

wp-config.php is the file in your root directory that stores information about your site, including the database details. This file in particular must not fall into the wrong hands.

In your .htaccess add the following to prevent any access to the wp-config.php file:

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Disable Directory Browsing

Someone who knows the directory structure of a WordPress installation may use that knowledge to do some damage. Besides, you should not let them see which plug-ins you are using. Add this line to switch off directory listings:

# disable directory browsing
Options All -Indexes

Protect .htaccess itself!

The last thing you want, after spending so much time protecting your site with .htaccess, is to leave the file itself open to attack. The following hack prevents external access to any file whose name starts with .hta (so .htpasswd is covered too):

# protect the .htaccess file and anything else starting with .hta
<Files ~ "^\.hta">
order allow,deny
deny from all
</Files>

That’s it for now. Remember to test, test and test every time you make changes to your .htaccess file (go to your site, is it still up?). Hope you find these tips useful. Happy blogging!
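"Is the site still up?" is the minimum test; the other half is checking that the things you meant to block are actually blocked. The script below is an added example, not part of the original post: it requests each path the rules above should protect (wp-config.php, .htaccess, PHP and directory listings under wp-content) from your own site and reports whether the server answers 403 as expected, plus one page that must still load. The path list, the status expectations and the function names (fetch_status, assess, run_checks) are assumptions made here; wp-admin is left out because its expected answer depends on which address you run the check from.

```python
import sys
import urllib.error
import urllib.request

# Paths the .htaccess rules in this post should make unreachable, with the status each should return.
# (wp-content/plugins/ ships an index.php, which the wp-content rule denies, so the directory is 403 too.)
EXPECTED_BLOCKED = {
    "/wp-config.php": 403,
    "/.htaccess": 403,
    "/wp-content/index.php": 403,
    "/wp-content/plugins/": 403,
}
# A page that must keep working after the change (sanity check that the rules did not break the site).
EXPECTED_OPEN = {"/": 200}


def fetch_status(url: str, timeout: float = 10.0) -> int:
    """Plain GET of url, returning the HTTP status code (urllib raises on 4xx/5xx, so unwrap those)."""
    req = urllib.request.Request(url, method="GET", headers={"User-Agent": "htaccess-check (constructed)"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def assess(path: str, status: int) -> str:
    """Classify one observed status: 'ok', 'absent' (404, nothing there to protect), 'EXPOSED' or 'BROKEN'."""
    if path in EXPECTED_BLOCKED:
        if status == EXPECTED_BLOCKED[path]:
            return "ok"
        if status == 404:
            return "absent"
        return "EXPOSED"
    if path in EXPECTED_OPEN:
        return "ok" if status == EXPECTED_OPEN[path] else "BROKEN"
    return "unknown"


def run_checks(base_url: str, fetch=fetch_status) -> dict:
    """Fetch every path and return {path: verdict}. `fetch` is injectable so the logic runs offline."""
    base = base_url.rstrip("/")
    return {path: assess(path, fetch(base + path)) for path in list(EXPECTED_BLOCKED) + list(EXPECTED_OPEN)}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_htaccess.py http://yourdomain.com")
    for path, verdict in run_checks(sys.argv[1]).items():
        print(f"{verdict:8} {path}")
```

Run it against your own blog's address after every .htaccess change; an "EXPOSED" line means the corresponding rule is not in effect (commonly because AllowOverride is off for that directory or the file landed in the wrong folder), and a "BROKEN" line on / means the rules took the site down.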
