If you host your own WordPress installation you have most probably heard about .htaccess files and the many things you can do with them to secure WordPress. If you are not familiar with .htaccess files in relation to WordPress, go through our definitive guide to .htaccess and WordPress, where you will find everything you need to know about .htaccess files and how WordPress uses them.
Below is a complete .htaccess file for WordPress. The sample is fully commented (lines starting with # are comments) so that you understand what each directive does and can quickly adapt it to your needs to harden your WordPress installation. As an overview, the .htaccess file below provides the following features:
- Protection for all other .htaccess files in WordPress
- Protection for WordPress wp-config.php file
- Restricts access to files by file type / extension
- Limits the size of files that can be uploaded to your WordPress
- Disables directory listing throughout all WordPress directories
- Allows you to block an IP or a range of IP addresses
- Allows you to block bad bots from spidering your WordPress website or blog
- Blocks hotlinking of images and other media content
- Allows you to configure professional looking custom error pages for WordPress
```apache
# We start by protecting a number of important WordPress and web server files such
# as config, ini and log files (this includes wp-config.php, .htaccess itself, etc.).
# The pattern is anchored only at the start, so backup copies such as
# wp-config.php.bak or .htaccess.old are covered as well.
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)">
    # Apache 2.2 syntax (needs mod_access_compat on Apache 2.4).
    # On Apache 2.4 use "Require all denied" instead.
    Deny from all
</FilesMatch>

# Limit the size of request bodies, and therefore of file uploads.
# 1048576 bytes = 1 MB. If you do not accept file uploads you can set this much lower.
LimitRequestBody 1048576

# Disable directory listing throughout your WordPress.
# Only -Indexes is needed; "Options All -Indexes" would also switch on Includes
# and ExecCGI, which you do not want. If your host does not permit Options in
# .htaccess (AllowOverride), this line causes a 500 error and must be removed.
Options -Indexes

# Block an IP or a range of IP addresses.
# Uncomment the line starting with "deny from", enter the IP or IP range (CIDR
# notation works) and add one such line per IP or range you want to block.
# With "order allow,deny" a matching deny always wins over the final "allow from all".
# This is Apache 2.2 syntax (mod_access_compat on 2.4); the 2.4 equivalent is
# "Require not ip 172.16.130.106" inside a <RequireAll> block.
# More info: http://goo.gl/SldfPw
order allow,deny
# deny from 172.16.130.106
# deny from 172.16.130.0/24
allow from all

# Block bad bots from accessing your WordPress. Replace the User-Agent names below
# with the ones you see in your logs. [NC] makes the match case-insensitive and the
# rule answers with 403 Forbidden instead of redirecting to a non-existent host.
# Note that "^evilbot" only matches User-Agents that START with that string; drop
# the ^ if you want to match the name anywhere in the User-Agent.
# More info: http://goo.gl/w1Hf6P
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} ^evilbot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^spambot [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^virusbot [NC]
RewriteRule ^.* - [F,L]

# Prevent other websites from hotlinking your images.
# All three RewriteCond lines must hold for the rule to fire. Requests with an empty
# Referer (direct visits, feed readers, privacy-conscious browsers) are allowed,
# otherwise you would break legitimate visitors.
# More info: http://goo.gl/oa8j8M
RewriteCond %{HTTP_REFERER} !^$
# Replace yourwebsite.com with your own domain. The trailing (/|$) stops a Referer
# such as https://yourwebsite.com.attacker.example/ from being treated as your site.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com(/|$) [NC]
# Match all files with the extensions below and return 403 Forbidden
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

# Configure custom error pages for a more professional look.
# The pages must exist in the WordPress root and must not be matched by the
# FilesMatch block above, otherwise the error page itself returns a 403.
# More info: http://goo.gl/eeVnXV
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php
```
This .htaccess file should be uploaded to the root directory of your WordPress installation. If there is already an .htaccess file in the root directory, make a backup of it and ADD the above example to its existing content. WordPress maintains its own permalink rules between the `# BEGIN WordPress` and `# END WordPress` markers and rewrites that block whenever permalinks are saved, so place your custom rules outside those markers (for example above them).
It is also important to always test, test and test all of your WordPress sections, pages and functionality after every change to the .htaccess file: the front end, the admin area, media uploads and the custom error pages themselves. A directive that your host does not allow in .htaccess produces a 500 Internal Server Error for the whole site, so if that happens check the Apache error log to see which line was rejected.
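Because a mistake in these patterns either locks out legitimate visitors or silently lets the blocked requests through, it pays to exercise the matching logic before uploading the file. The following is an added example, not code from the original page: a small offline emulation of the decisions the FilesMatch, bad-bot and hotlink rules above make for a given request, with constructed sample requests. It models only the regex decisions (Apache's AllowOverride handling, module availability and request processing order are not emulated) and assumes the placeholder domain `yourwebsite.com`, a case-insensitive (`[NC]`) bad-bot rule, and the `(/|$)` anchor on the own-site Referer pattern.

```python
import re

# Added example, not part of the original page. Emulates the matching logic of the
# .htaccess rules above so they can be checked without a running Apache.
# Assumptions: site domain "yourwebsite.com" (the page's placeholder), bad-bot
# rule with [NC], FilesMatch case-sensitive and PCRE-compatible as in Apache.

# <FilesMatch "^(...)"> Deny from all </FilesMatch>
# Anchored at the start only, so wp-config.php.bak and .htaccess.old match too.
PROTECTED_FILES = re.compile(
    r"^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html"
    r"|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php"
    r"|error_log|error\.log|PHP_errors\.log|\.svn)"
)

# RewriteCond %{HTTP_USER_AGENT} ^evilbot [NC,OR] ... -> RewriteRule ^.* - [F,L]
# The ^ means only User-Agents that START with the name are caught.
BAD_BOTS = re.compile(r"^(evilbot|spambot|virusbot)", re.IGNORECASE)

# RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com(/|$) [NC]
OWN_SITE = re.compile(r"^https?://(www\.)?yourwebsite\.com(/|$)", re.IGNORECASE)
# RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
MEDIA_EXT = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)

# ErrorDocument directives
ERROR_PAGES = {403: "/forbidden.php", 404: "/notfound.php", 500: "/error.php"}


def decide(path, user_agent="", referer=""):
    """Return (status, reason) for one request under the rules above.

    FilesMatch is applied to the file name (last path component); the rewrite
    rules see the User-Agent, the Referer and the URL path.
    """
    filename = path.rsplit("/", 1)[-1]
    if PROTECTED_FILES.search(filename):
        return 403, "protected file"
    if BAD_BOTS.search(user_agent):
        return 403, "bad bot"
    # Hotlink protection: all three RewriteCond lines must hold for the rule to fire.
    if referer != "" and not OWN_SITE.search(referer) and MEDIA_EXT.search(path):
        return 403, "hotlink"
    return 200, "allowed"


def error_page(status):
    """Page Apache would serve for an error status, or None for 200."""
    return ERROR_PAGES.get(status)


# Constructed sample requests: (path, User-Agent, Referer).
SAMPLE_REQUESTS = [
    ("/wp-config.php", "Mozilla/5.0", ""),
    ("/wp-config.php.bak", "Mozilla/5.0", ""),
    ("/.htaccess", "Mozilla/5.0", ""),
    ("/index.php", "Mozilla/5.0", ""),
    ("/", "evilbot/1.0", ""),
    ("/", "Mozilla/5.0 (compatible; evilbot/1.0)", ""),   # not caught: ^ anchor
    ("/wp-content/uploads/a.jpg", "Mozilla/5.0", "https://evil.example/page"),
    ("/wp-content/uploads/a.JPG", "Mozilla/5.0", "https://evil.example/page"),
    ("/wp-content/uploads/a.jpg", "Mozilla/5.0", "https://www.yourwebsite.com/post"),
    ("/wp-content/uploads/a.jpg", "Mozilla/5.0", ""),     # direct visit: allowed
    ("/wp-content/uploads/a.jpg", "Mozilla/5.0", "https://yourwebsite.com.evil.example/"),
    ("/wp-content/uploads/doc.pdf", "Mozilla/5.0", "https://evil.example/"),
]


def run_samples():
    """Evaluate every sample request; returns a list of (path, status, reason)."""
    return [(p, *decide(p, ua, ref)) for p, ua, ref in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for path, ua, ref in SAMPLE_REQUESTS:
        status, reason = decide(path, ua, ref)
        page = error_page(status) or "-"
        print(f"{status} {reason:15} {page:15} {path}  UA={ua!r}  Referer={ref!r}")
```

The sample run shows two things the page's comments only hint at: the bad-bot rule misses a User-Agent such as `Mozilla/5.0 (compatible; evilbot/1.0)` because of the `^` anchor, and the hotlink rule lets an empty Referer through by design while still refusing a look-alike domain.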