WordPress is one of the most widely used Content Management Systems (CMS). A large share of the web runs on it, and it lets both technical and non-technical people build many kinds of site: eCommerce stores, blogs, portfolios and more.
Most WordPress site owners have a non-technical background, which makes their sites a common target for attackers. One file, .htaccess, can help lock a WordPress site down against unauthorized access, and beyond security it offers a number of other benefits as well.
.htaccess is an optional, per-directory configuration file read by the Apache web server: each directory can carry its own, and its directives apply to that directory and everything beneath it. WordPress creates one in the installation root when pretty permalinks are enabled. Through it you can override parts of the server's global configuration, but only the parts the administrator has opened up with AllowOverride; where that is set to None the file is silently ignored, and web servers other than Apache (nginx, for example) do not read it at all.
Accessing the .htaccess file: in cPanel's File Manager, open Settings, tick "Show Hidden Files (dotfiles)" and save. Files whose names start with a dot, .htaccess included, now appear in the listing. Over SFTP or SSH the file is visible with ls -a and can be edited directly.
Before you start, back up the current .htaccess. A single syntax error in this file takes the whole site down with a 500 error, and the backup lets you roll back to the previous state immediately.
When you open the file you will see the block WordPress itself generates, and regenerates every time the permalink settings are saved. Leave that block in place and add your own rules outside its BEGIN/END markers; anything between the markers is overwritten by WordPress.
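For reference, this is the block WordPress writes into the root .htaccess when pretty permalinks are enabled. It is reproduced here as an added example, not copied from the original article; it routes every request for a non-existent file or directory to index.php so WordPress can resolve the permalink.

```apache
# Added example: the rewrite block WordPress generates for pretty permalinks.
# Do not edit between the markers; WordPress rewrites this region itself.
# Put custom rules ABOVE "# BEGIN WordPress" or BELOW "# END WordPress".
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# A request for index.php itself is passed through untouched.
RewriteRule ^index\.php$ - [L]
# Anything that is not an existing file ...
RewriteCond %{REQUEST_FILENAME} !-f
# ... and not an existing directory ...
RewriteCond %{REQUEST_FILENAME} !-d
# ... is handed to WordPress's front controller.
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
```

Rules placed above this block run first, which matters for anything that must return 403 before WordPress gets a chance to route the request.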
Now, let’s start editing the file.
Protect the .htaccess file first: add a rule that denies HTTP requests for the file itself, so nobody can read your server rules (and any IP allowlists or redirect targets in them) from a browser. Most default Apache configurations already refuse to serve files whose names begin with .ht, but shared hosts vary, so it costs nothing to state it explicitly.
Cut off hotlinking with .htaccess
Other sites can embed your images and other resources simply by linking to their URLs on your server. Every visitor to the other site then loads the file from your server and consumes your bandwidth; this is called hotlinking.
To stop it, enable hotlink protection in .htaccess: a rewrite rule that inspects the Referer header and refuses image requests that come from pages on other sites. Keep in mind that the Referer is supplied by the client, so the rule stops casual embedding, not someone who deliberately strips or forges the header.
.htaccess also protects your wp-config.php file
wp-config.php holds the database name, user name and password, the table prefix and the authentication keys and salts. Anyone who can read it can connect to your database or forge login cookies. WordPress includes the file server-side, so denying direct HTTP requests to it costs nothing, and a misconfigured PHP handler, which would otherwise serve the file as plain text, becomes far less dangerous.
Disable directory listings
When a directory has no index file, Apache (with mod_autoindex enabled) shows its contents, which hands a visitor the full list of plugins, themes and uploads on the site. Turning off the Indexes option stops this; the directory then returns 403 instead of a listing.
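The three rules above (protecting .htaccess, protecting wp-config.php, and disabling directory listings) fit in one short block. The following is an added example in Apache 2.4 syntax and not the article's original snippet; it goes in the root .htaccess, outside the WordPress markers.

```apache
# Added example (not the article's original snippet). Apache 2.4 syntax.
# Place in the WordPress root .htaccess, outside the BEGIN/END WordPress block.

# 1. Refuse to serve .htaccess, .htpasswd and any other .ht* file.
#    Most Apache defaults already do this; restating it covers hosts that don't.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# 2. Refuse direct requests for wp-config.php. The pattern is deliberately
#    unanchored at the end so editor and backup copies such as
#    wp-config.php~ or wp-config.php.bak are covered too.
<FilesMatch "^wp-config\.php">
    Require all denied
</FilesMatch>

# 3. Never generate directory listings (mod_autoindex).
Options -Indexes
```

Require directives need AllowOverride to include AuthConfig, and Options needs AllowOverride Options (or Options=Indexes); if either is missing the host returns a 500 for the whole site, which is exactly why the backup from the start of this article matters. On a host still running Apache 2.2, replace each Require all denied with Order allow,deny followed by Deny from all.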
Restricting access to the wp-admin directory and the admin area
The admin area gives full access to every administrative function, so restrict it to the IP addresses you actually administer from. Put a .htaccess inside the wp-admin directory that allows only those addresses and denies everyone else. Two caveats: admin-ajax.php (and for some plugins admin-post.php) inside wp-admin is called by the public front end of many themes and plugins and must stay reachable, and wp-login.php lives in the site root, not in wp-admin, so it needs its own rule if you want to restrict the login page as well.
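An allowlist for wp-admin, written as an added example rather than the article's original snippet. The addresses are placeholders from the documentation ranges; substitute the office or VPN addresses you really use. Save it as wp-admin/.htaccess.

```apache
# Added example (not the article's original snippet). Save as wp-admin/.htaccess.
# Addresses below are placeholders (RFC 5737 / RFC 3849 documentation ranges).
<IfModule mod_authz_core.c>
    # admin-ajax.php is called by the public front end of many themes and
    # plugins, so it must stay open to everyone. This <Files> section has its
    # own Require configuration, which replaces the directory-level one below.
    <Files admin-ajax.php>
        Require all granted
    </Files>

    # Everything else under wp-admin: allow only the listed sources.
    <RequireAny>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
        Require ip 2001:db8::/32
    </RequireAny>
</IfModule>
```

If the site is behind a CDN or reverse proxy, Apache sees the proxy's address rather than the client's, and this allowlist will lock you out (or let everyone in, if the proxy's address is listed) unless mod_remoteip is configured to restore the real client address.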
Stopping comment spammers with .htaccess
Spammers, like hotlinkers, burn your site's bandwidth and resources. There are plenty of plugins for this, but .htaccess can cut off the crudest bots before PHP even runs: a spam bot typically POSTs straight to wp-comments-post.php without ever loading the page, so a rule that rejects comment POSTs which carry no Referer from your own site, or no User-Agent at all, stops it. Both headers are trivially forged, so this removes the noise rather than the determined spammer.
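Hotlink protection and the comment-spam rule are both Referer checks, so one block serves both sections. This is an added example, not the article's original snippets; example.com is a placeholder for your own host name, and the rules go in the root .htaccess above the WordPress block.

```apache
# Added example (not the article's original snippets). Replace example.com
# with your own host name. Place above "# BEGIN WordPress".
<IfModule mod_rewrite.c>
RewriteEngine On

# --- Hotlink protection ---
# Let requests with no Referer through (direct visits, strict referrer policies).
RewriteCond %{HTTP_REFERER} !^$
# Let requests from our own pages through (with or without www, http or https).
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
# Any other site embedding one of our images gets 403 instead.
RewriteRule \.(jpe?g|png|gif|webp|svg|bmp|ico)$ - [NC,F,L]

# --- Comment spam ---
# Conditions are ANDed unless flagged [OR], so this reads:
#   method is POST AND target is wp-comments-post.php
#   AND (Referer is not one of our pages OR User-Agent is empty)
RewriteCond %{REQUEST_METHOD} ^POST$
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F,L]
</IfModule>
```

The comment rule will also reject real readers whose browser sends no Referer at all (a Referrer-Policy of no-referrer, or some privacy extensions); watch the 403s in the access log after enabling it, and drop the Referer condition if that turns out to be a real share of your commenters.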
Disabling PHP execution for a few WordPress directories
One of the most effective hardening steps is to stop PHP from running in directories that should only ever contain data, above all wp-content/uploads: an attacker who manages to upload a webshell there can then not execute it. Create a new .htaccess containing the rule and save it in that directory itself, not in the site root, where it would block WordPress as a whole.
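The uploads rule, as an added example that is not the article's original snippet. It is meant for wp-content/uploads/.htaccess only; plugins and themes need PHP, so never put it in wp-content or the site root.

```apache
# Added example (not the article's original snippet).
# Save as wp-content/uploads/.htaccess and nowhere else.

# Refuse to serve anything PHP-like. The pattern also matches double
# extensions such as shell.php.jpg, which mod_mime may otherwise hand to
# the PHP handler when AddHandler is in use.
<FilesMatch "\.(php[0-9]?|phtml|phar|phps)(\.|$)">
    Require all denied
</FilesMatch>

# Belt and braces when PHP runs as an Apache module: switch the engine off
# for this tree entirely. The module name depends on the PHP version.
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

Test it after saving: upload a harmless test.php containing only phpinfo() through the media library (or SFTP), request it, and confirm you get a 403 rather than the PHP info page. Then delete the test file.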
Setting up 301 Redirects
A 301 redirect tells browsers and search engines that a resource has moved permanently to a new URL, so old links and bookmarks keep working and the page's search ranking transfers to the new address. .htaccess can issue one with a single Redirect directive per moved path, or a pattern-based RedirectMatch for whole families of URLs.
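Some representative 301 rules, added here as an example rather than the article's original snippet. All paths and host names are placeholders.

```apache
# Added example (not the article's original snippet). Paths are placeholders.
# mod_alias redirects: evaluated independently of mod_rewrite.

# A single page that moved.
Redirect 301 /old-post/ /new-post/

# A whole section that moved; the remainder of the path is carried over,
# so /blog/hello/ becomes /news/hello/.
Redirect 301 /blog/ /news/

# Pattern-based: old date permalinks /2019/04/02/slug/ to /archive/slug/.
RedirectMatch 301 ^/\d{4}/\d{2}/\d{2}/([^/]+)/?$ /archive/$1/

# Force HTTPS for everything, keeping host and path. Must sit ABOVE the
# WordPress block so it runs before the front-controller rewrite.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
```

Note the HTTPS rule if TLS is terminated at a load balancer or CDN: Apache then sees plain HTTP on every request, %{HTTPS} is never "on", and the rule loops. In that setup key the condition on the X-Forwarded-Proto header the proxy sets instead.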
Blocking malicious bots and restricting suspicious IP addresses
.htaccess can block individual IP addresses, whole address ranges, and bots that identify themselves through their User-Agent string, all from one place. Two limits apply: the User-Agent is chosen by the client and forged at will, so it only filters lazy scanners; and if the site sits behind a CDN or reverse proxy Apache sees the proxy's address unless mod_remoteip is configured, so IP rules will match the wrong thing.
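A denylist block for both addresses and User-Agents, added as an example and not the article's original snippet. The addresses come from the documentation ranges and the agent names are common scanner identifiers; adjust both to what your own logs show.

```apache
# Added example (not the article's original snippet). Apache 2.4 syntax.
# Addresses are placeholders from the RFC 5737 / RFC 3849 documentation ranges.

# Deny by source address. Inside <RequireAll>, "Require all granted" admits
# everyone and each "Require not ip" carves out an exception.
<IfModule mod_authz_core.c>
    <RequireAll>
        Require all granted
        Require not ip 192.0.2.15
        Require not ip 198.51.100.0/24
        Require not ip 2001:db8:1::/48
    </RequireAll>
</IfModule>

# Deny by User-Agent. Case-insensitive substring match on self-identifying
# scanners, plus requests that send no User-Agent at all.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (masscan|nikto|sqlmap|acunetix|nessus) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* - [F,L]
</IfModule>
```

Blocking the empty User-Agent also blocks uptime monitors and cron-driven fetches that do not set one, so check those first.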
Increase your WordPress file upload size
There are several ways to raise the maximum upload size for a WordPress site. On shared hosting where you cannot edit php.ini, .htaccess is one of them, provided PHP runs as an Apache module (mod_php).
Keep in mind that these directives only set PHP's own limits: upload_max_filesize must fit within post_max_size, and the host may enforce a ceiling of its own. If PHP runs as PHP-FPM or CGI instead, php_value directives are unknown to Apache and produce a 500 error for the whole site; put the same settings in a .user.ini file in the WordPress root in that case.
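The mod_php form of the upload settings, as an added example rather than the article's original snippet. The IfModule wrappers make the directives disappear, instead of breaking the site, on a host that runs PHP-FPM or CGI; the values are illustrative.

```apache
# Added example (not the article's original snippet). Values are illustrative.
# Only takes effect when PHP runs as an Apache module; the module name
# depends on the PHP version (mod_php7.c for PHP 7, mod_php.c for PHP 8).
<IfModule mod_php7.c>
    php_value upload_max_filesize 64M
    php_value post_max_size 64M
    php_value max_execution_time 300
    php_value max_input_time 300
    php_value memory_limit 256M
</IfModule>
<IfModule mod_php.c>
    php_value upload_max_filesize 64M
    php_value post_max_size 64M
    php_value max_execution_time 300
    php_value max_input_time 300
    php_value memory_limit 256M
</IfModule>
```

Confirm the result in WordPress under Media > Add New, which prints the effective maximum upload size; if it has not changed, PHP is not running as a module and the .user.ini route is the one to use.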
Providing protection to wp-content
wp-content holds your plugins, themes, uploads and cache, which makes it the natural target of both attackers and spammers. Create a separate .htaccess in the wp-content directory that denies everything by default and re-allows only the static file types your pages actually need (stylesheets, scripts, images, fonts and the like). Anything not on the list returns 403, so extend it for every type your site serves.
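The wp-content rule as a default-deny allowlist, added here as an example and not the article's original snippet. Save it as wp-content/.htaccess; the extension list is a starting point, not a complete one.

```apache
# Added example (not the article's original snippet). Save as wp-content/.htaccess.
<IfModule mod_authz_core.c>
    # Deny everything in wp-content and below by default ...
    Require all denied

    # ... then re-allow only static asset types the front end requests.
    # Add fonts, video, PDFs etc. as needed; anything missing returns 403.
    <FilesMatch "\.(css|js|map|jpe?g|png|gif|webp|svg|ico|woff2?|ttf|eot|pdf|mp4|webm|mp3|xml|txt|json)$">
        Require all granted
    </FilesMatch>
</IfModule>
```

This also blocks direct requests to PHP files under plugins and themes, which is usually what you want, but a few plugins expose their own PHP endpoints by URL and will stop working; check the plugin's own documentation and the 403 entries in the access log after enabling it.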
Disable access to the XML-RPC file
xmlrpc.php is the legacy remote API that lets third-party applications (the WordPress mobile apps, Jetpack, some desktop publishing tools) talk to the site. It is also a favourite of attackers: its system.multicall method lets a single request try many passwords, and its pingback support can be abused to make your server flood someone else. If nothing you use depends on it, block it in .htaccess.
Protecting wp-includes
wp-includes holds core library files that are only ever included by WordPress itself and have no business being requested directly by a browser; the same goes for wp-admin/includes. A short set of rewrite rules returns 403 for direct requests to PHP files in those trees. Skip this on a multisite installation, where it breaks ms-files.php.
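One block covering both the xmlrpc.php section above and this one, added as an example rather than the article's original snippets. The wp-includes rules follow the pattern published in WordPress's own hardening guide; both parts go in the root .htaccess, outside the WordPress markers.

```apache
# Added example (not the article's original snippets).
# Root .htaccess, outside the BEGIN/END WordPress block. Not for multisite.

# 1. xmlrpc.php: refuse every request. Remove this if Jetpack, the WordPress
#    mobile apps or another remote publishing tool must keep working.
<Files xmlrpc.php>
    Require all denied
</Files>

# 2. Core include files that should never be fetched directly.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Nothing in wp-admin/includes is meant to be requested by a browser.
RewriteRule ^wp-admin/includes/ - [F,L]
# If the request is NOT under wp-includes/, skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Top-level PHP files in wp-includes are library code: 403.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
# TinyMCE language files and theme-compat shims likewise.
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

After enabling, request /xmlrpc.php and /wp-includes/version.php from a browser and confirm both return 403, then check that the editor (which loads its scripts from wp-includes/js) still works.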
Protection against script injections
Attackers try to inject code into PHP files and, in a family of older exploits, to overwrite PHP's $_REQUEST and $GLOBALS variables by passing crafted query strings. A set of rewrite conditions can reject requests whose query string carries the tell-tale patterns (a <script> tag, GLOBALS[ or _REQUEST[). Treat this as a crude filter only: it looks at the query string, not at POST bodies or headers, and encoding tricks get past it, so it is no substitute for keeping core, plugins and themes updated.
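The query-string filter, as an added example and not the article's original snippet. Patterns are matched against the raw, still URL-encoded query string, which is why each one also lists the encoded form of the bracket characters.

```apache
# Added example (not the article's original snippet). Root .htaccess, above
# the WordPress block. A nuisance filter: it inspects only the query string,
# so payloads in POST bodies, headers or with other encodings are not caught.
<IfModule mod_rewrite.c>
RewriteEngine On
# <script ... > with either literal or %-encoded angle brackets.
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
# Attempts to assign into PHP superglobals: GLOBALS= , GLOBALS[ , GLOBALS%5B ...
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%5B|%[0-9A-Z]{0,2}) [NC,OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%5B|%[0-9A-Z]{0,2}) [NC,OR]
# Inline base64 helpers commonly used to smuggle PHP through a parameter.
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC]
RewriteRule .* - [F,L]
</IfModule>
```

Watch for false positives: a legitimate parameter containing the word GLOBALS or an HTML fragment with a script tag (a post preview, a pasted code sample in a search box) will be refused with a 403.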
Enabling browser caching
To make the site faster, enable browser caching, also called client-side caching: .htaccess can set Expires and Cache-Control headers that tell browsers how long to keep static files before asking the server again. Keep dynamic HTML out of it, since a cached page rendered for one logged-in user must never be shown to another.
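A mod_expires block, added here as an example and not the article's original snippet. Lifetimes are illustrative; the one security-relevant line is the zero lifetime on text/html.

```apache
# Added example (not the article's original snippet). Lifetimes are illustrative.
# Wrapped in IfModule so it is ignored, not fatal, where mod_expires is absent.
<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access plus 1 month"

    # HTML is dynamic and may be personalised: tell browsers not to keep it.
    ExpiresByType text/html "access plus 0 seconds"

    # Versioned or rarely changing assets can live in the browser cache for long.
    ExpiresByType text/css "access plus 1 month"
    ExpiresByType application/javascript "access plus 1 month"
    ExpiresByType text/javascript "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 year"
    ExpiresByType image/png "access plus 1 year"
    ExpiresByType image/gif "access plus 1 year"
    ExpiresByType image/webp "access plus 1 year"
    ExpiresByType image/svg+xml "access plus 1 year"
    ExpiresByType image/x-icon "access plus 1 year"
    ExpiresByType font/woff2 "access plus 1 year"
    ExpiresByType application/pdf "access plus 1 month"
</IfModule>
```

Check the outcome with curl -I against an image and against a page: the image should carry an Expires date well in the future, the page one equal to its Date header.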
Handling custom error pages
.htaccess can serve your own pages for the 403, 404 and 500 errors through the ErrorDocument directive, so visitors see a branded page instead of Apache's default, and the server reveals a little less about itself in the process.
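The ErrorDocument lines, as an added example that is not the article's original snippet. The paths are placeholders and must point at files that really exist on the site.

```apache
# Added example (not the article's original snippet). Paths are placeholders.
# Use site-relative paths, not full URLs: with a URL Apache issues a 302
# redirect and the client never sees the real error status. The target
# files must exist (and not be blocked by your own deny rules), otherwise
# Apache falls back to its default page and adds "Additionally, a 404 Not
# Found error was encountered" to it.
ErrorDocument 400 /errors/400.html
ErrorDocument 401 /errors/401.html
ErrorDocument 403 /errors/403.html
ErrorDocument 404 /errors/404.html
ErrorDocument 500 /errors/500.html
```

On a WordPress site the 403 page is the one that gets used most, since every rule in this article that denies access produces a 403. Missing pages are a different matter: the WordPress rewrite block sends any non-existent path to index.php, so the theme's 404.php handles those and Apache's ErrorDocument 404 only appears for requests the rewrite rules leave alone. Keep the 500 page static HTML: if PHP is what broke, a PHP error page would fail too.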
We hope these points help you protect your WordPress site from attackers and spammers. If anything needs explaining, or you need help, do not hesitate to get in touch with us anytime.