Some htaccess hack for WordPress security

Published Dec 09, 2017

WordPress security is taken very seriously by the WordPress core team. But, as with any other system, security issues can arise if some basic precautions aren't taken. This post looks at a few .htaccess tweaks for WordPress that each reduce one specific class of attack. All of them assume Apache with .htaccess overrides enabled (AllowOverride); nginx ignores .htaccess files entirely, so there the equivalent rules belong in the server block.

Prevent execution of and access to wp-includes

WordPress is open source, so everyone knows its file structure, including which scripts are only meant to be included by other code and never requested directly. Direct requests to those files should be denied. One way to do that is to block them with mod_rewrite in the .htaccess file at the site root.


Add your code outside the # BEGIN WordPress and # END WordPress markers, because WordPress rewrites anything between those markers and will silently overwrite your additions.

This won't work well on Multisite, as the line RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent ms-files.php from serving uploaded images. Omitting that one line lets the rest of the block work.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Nothing under wp-admin/includes/ is meant to be requested directly
RewriteRule ^wp-admin/includes/ - [F,L]
# If the request is NOT under wp-includes/, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
# Top-level PHP files in wp-includes/ (omit this line on Multisite, see above)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress
# (WordPress's own managed rules start here; leave them to WordPress)

Prevent execution of PHP files in wp-content/uploads

The uploads directory is almost always writable by the web server, since it is where every remotely uploaded file lands. Uploading a PHP file there, and executing one that somehow got there, must both be prevented.

You can do this by placing a .htaccess file at the root of the uploads directory with the code below. Note that deny from all is Apache 2.2 syntax; on Apache 2.4 it only works while mod_access_compat is loaded, otherwise the 2.4 equivalent is Require all denied.

Note: this can break a theme or plugin that requires PHP execution inside uploads (which is itself a warning sign). If you apply it and the site breaks, remove it and the site will come back.

# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
   deny from all
</Files>
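The pattern above is only as good as the list of extensions it names. The following script is an added example by the editor, not code from the original post: it writes a version of the uploads .htaccess that works on both Apache 2.2 (Order/Deny) and 2.4 (Require), and runs the page's regex against a constructed list of filenames an upload attacker typically tries, so you can see which names slip through. It assumes a POSIX shell with grep -E; the function names and the sample filenames are the editor's. The same mod_authz_core IfModule pair can wrap the wp-config.php block later on the page.

```shell
# Pattern from the uploads/.htaccess above, as an ERE for grep -E
# (Apache uses PCRE; the non-capturing "(?:" is written as a plain group here).
UPLOAD_BLOCK_RE='\.ph(p[345]?|t|tml)$'

# Returns 0 if the filename would be matched by the <Files ~ ...> rule, 1 if not.
blocked_by_pattern() {
  printf '%s\n' "$1" | grep -E -q "$UPLOAD_BLOCK_RE"
}

# Writes a .htaccess for wp-content/uploads that works on both Apache 2.2
# (mod_access_compat: Order/Deny) and 2.4 (mod_authz_core: Require).
write_uploads_htaccess() {     # write_uploads_htaccess /path/to/uploads/.htaccess
  cat > "$1" <<'EOF'
# Kill PHP execution in uploads
<Files ~ "\.ph(?:p[345]?|t|tml)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# Audits a list of filenames and reports which ones the pattern lets through,
# so the rule can be widened to match whatever your PHP handler executes.
audit_upload_names() {
  for name in "$@"; do
    if blocked_by_pattern "$name"; then
      printf 'blocked: %s\n' "$name"
    else
      printf 'ALLOWED: %s\n' "$name"
    fi
  done
}

# Constructed sample (editor's): names an upload attacker typically tries.
audit_upload_names shell.php shell.phtml shell.php5 image.jpg.php \
  shell.php7 shell.phar shell.php.jpg photo.jpg
```

Running it shows that shell.php7 and shell.phar are not caught, and neither is shell.php.jpg. Whether those execute depends on how PHP is wired in: with an AddHandler-style configuration Apache matches any extension anywhere in the name, so shell.php.jpg runs as PHP, while a SetHandler inside a FilesMatch on \.php$ does not have that problem. Extend the character class to whatever your handler configuration actually serves; with PHP-FPM, a php_flag engine off line is ignored, so the Files deny is the only thing doing the work.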

Prevent access to wp-config.php

wp-config.php contains the most sensitive data on the site, including the database username and password and the authentication salts, so direct access to it must be denied. Normally PHP executes it and returns nothing, but a broken PHP handler would serve its source as plain text. If your server honours .htaccess, put the block below in the site root file (on Apache 2.4 without mod_access_compat, use Require all denied instead of the Order/Deny pair). It matches the exact file name only; backup copies such as wp-config.php.bak or wp-config.php~ need their own rule, or better, should not exist in the web root at all.

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Block blacklisted IPs and bots

Block known-bad IPs with .htaccess. You can record visitor IPs with PHP, store them in the database or a log file, and later check them against services such as Project Honey Pot or the Safe Browsing APIs (v3) - Legacy. Then add the offenders to the .htaccess file so they cannot reach the site. Replace the example IPs in the code below with your own blacklist. Each entry must be a real IPv4 address (four octets, each 0 to 255) or a CIDR range; the example addresses below come from the RFC 5737 documentation ranges, so they never match a real client.

order allow,deny
allow from all
# example addresses from the RFC 5737 documentation ranges; replace with your own
deny from 192.0.2.10
deny from 198.51.100.25
deny from 203.0.113.7
deny from 203.0.113.99
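A hand-maintained deny list is easy to get wrong, and a malformed entry either matches nothing or breaks the configuration. The following is an added example by the editor, not code from the original post: a small POSIX shell generator that validates each address (dotted quad, optional /prefix) before emitting an Apache block, in both the 2.4 Require form and the 2.2 Order/Deny form, and skips bad lines with a message on stderr. The function names are the editor's; the addresses in the demo are constructed from the RFC 5737 documentation ranges, and the malformed ones mirror the kind of typo this guards against.

```shell
# Accepts a dotted-quad IPv4 address with an optional /prefix (0-32);
# rejects anything else, including three-octet or >255 "addresses".
valid_ipv4() {                 # valid_ipv4 203.0.113.7  or  valid_ipv4 198.51.100.0/24
  ip=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32        # no slash: treat as a single host
  case $prefix in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Reads one address per line from stdin (blank lines and # comments are
# ignored) and prints a deny block for both Apache 2.4 and 2.2. Malformed
# lines are reported on stderr and skipped, so one typo cannot take the
# whole site down or silently fail to block anyone.
render_denylist() {
  addrs=
  while IFS= read -r addr; do
    case $addr in ''|\#*) continue ;; esac
    if valid_ipv4 "$addr"; then
      addrs="$addrs $addr"
    else
      echo "skipping malformed address: $addr" >&2
    fi
  done
  echo "<IfModule mod_authz_core.c>"
  echo "  <RequireAll>"
  echo "    Require all granted"
  for a in $addrs; do echo "    Require not ip $a"; done
  echo "  </RequireAll>"
  echo "</IfModule>"
  echo "<IfModule !mod_authz_core.c>"
  echo "  Order allow,deny"
  echo "  Allow from all"
  for a in $addrs; do echo "  Deny from $a"; done
  echo "</IfModule>"
}

# Demo with a constructed list: two good entries, two malformed ones.
printf '%s\n' '# exported from access-log analysis' 203.0.113.7 123.456.789 \
  198.51.100.0/24 93.121.788 | render_denylist
```

Feed it the file you export from your own log analysis and paste the output outside the # BEGIN WordPress / # END WordPress markers. Keep in mind that attackers rotate through residential proxies and cloud ranges, so an IP deny list is a cheap nuisance filter, not something to rely on.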

Block comment spammers on your site

The code below blocks POSTs to wp-comments-post.php that arrive without a Referer from your own site, or with an empty User-Agent, which is how naive spam bots submit comments straight to the handler. Replace example.com with your site's domain. This only stops lazy bots: a Referer or User-Agent header costs nothing to forge, so treat it as a filter, not a control, and keep a proper anti-spam plugin in place.

RewriteEngine On
# Only look at the comment handler...
RewriteCond %{REQUEST_URI} wp-comments-post\.php$
# ...when the Referer is not from this site (replace example.com)...
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC,OR]
# ...or the User-Agent is empty
RewriteCond %{HTTP_USER_AGENT} ^$
# Send the bot back to its own address instead of running the script
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

Prevent brute-force attacks

Adding HTTP authentication in front of wp-login.php reduces the risk of password brute force: an attacker has to get past the web server's credentials before ever reaching the WordPress login form. Basic credentials are only base64-encoded, so this must be served over HTTPS.

Add Basic authentication with .htaccess. Before adding the .htaccess code you must create a password file. Apache on Linux only accepts hashed passwords in that file, so do not write username:password in plain text (such an entry never matches anyone); create the file with the htpasswd tool that ships with Apache (package apache2-utils on Debian/Ubuntu, httpd-tools on RHEL/CentOS). The file name can be anything, .htpasswd is just the convention.

  • Run htpasswd -c /full/path/to/.htpasswd username and enter the password when prompted (-c creates the file; omit it when adding further users). Keep the file outside the web root.
  • Copy the file's full path into the AuthUserFile line below.
<Files wp-login.php>
AuthType Basic
AuthName "Password Protected"
AuthUserFile /full/path/to/.htpasswd
Require valid-user
Satisfy All
</Files>
  • To use Digest authentication instead, you also have to create a password file, this time with htdigest (same packages as htpasswd; on Windows it sits in the apache/bin folder).
  • Run htdigest -c /full/path/to/.htdigest "Password Protected" username (-c creates the file). The realm, "Password Protected" here, must be exactly the AuthName used below, otherwise the stored hashes never match.
  • Then add the code below to your .htaccess file (mod_auth_digest must be loaded).
<Files wp-login.php>
AuthType Digest
AuthName "Password Protected"
AuthDigestDomain /wp-login.php
AuthUserFile /full/path/to/.htdigest
Require valid-user
Satisfy All
</Files>
Digest only keeps the password itself off the wire and is built on MD5, so it is not a substitute for HTTPS; over TLS, Basic with a bcrypt-hashed htpasswd file is the simpler and stronger choice.
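The steps above are easy to get subtly wrong: a plain-text password file that never authenticates, or a gate on wp-login.php while xmlrpc.php still accepts the same username and password (through system.multicall, many guesses per request). The following is an added example by the editor, not code from the original post. It creates the password file with a proper hash (Apache's htpasswd with bcrypt when available, otherwise openssl's apr1, which Apache also accepts), lints entries so a plain-text line is caught, and writes the wp-login.php block together with a deny on xmlrpc.php. It assumes a POSIX shell and either htpasswd or openssl on the path; function names, the demo user and the scratch directory are the editor's.

```shell
# Creates or replaces the entry for USER in password FILE. Prefers Apache's
# own htpasswd(1) with bcrypt (-B, Apache 2.4+); falls back to openssl's
# apr1 (MD5-crypt), which Apache accepts everywhere. Never writes plain text.
make_htpasswd() {              # make_htpasswd FILE USER PASSWORD
  file=$1; user=$2; pass=$3
  if command -v htpasswd >/dev/null 2>&1; then
    touch "$file" && htpasswd -B -b "$file" "$user" "$pass" >/dev/null 2>&1
  elif command -v openssl >/dev/null 2>&1; then
    hash=$(openssl passwd -apr1 "$pass") || return 1
    # drop any previous line for this user, then append the fresh hash
    { if [ -f "$file" ]; then grep -v "^$user:" "$file" || :; fi
      printf '%s:%s\n' "$user" "$hash"; } > "$file.tmp" && mv "$file.tmp" "$file"
  else
    echo "need htpasswd or openssl to hash the password" >&2
    return 1
  fi
}

# Lint for a hand-edited password file: accepts the hash formats htpasswd
# produces ($apr1$, bcrypt $2y$/$2a$, {SHA}); a plain "user:password" line
# never authenticates anyone on Unix, and legacy crypt() is rejected as weak.
htpasswd_entry_ok() {          # htpasswd_entry_ok 'user:hash'
  case ${1#*:} in
    '$apr1$'*|'$2y$'*|'$2a$'*|'{SHA}'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Writes the wp-login.php gate and also closes xmlrpc.php, which takes the
# same credentials and is the other brute-force entry point; drop that second
# block if you need XML-RPC (Jetpack, the mobile app).
write_login_htaccess() {       # write_login_htaccess HTACCESS PASSWDFILE
  cat > "$1" <<EOF
<Files wp-login.php>
  AuthType Basic
  AuthName "Password Protected"
  AuthUserFile $2
  Require valid-user
</Files>
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
EOF
}

# Demo in a scratch directory (constructed; use real paths outside the web root).
demo_dir=$(mktemp -d)
write_login_htaccess "$demo_dir/.htaccess" "$demo_dir/.htpasswd"
make_htpasswd "$demo_dir/.htpasswd" editor 'correct horse battery staple' \
  && cat "$demo_dir/.htpasswd"
htpasswd_entry_ok 'editor:hunter2' || echo 'plain-text entry rejected, as it should be'
```

After deploying, check from outside with curl -I https://example.com/wp-login.php (expect 401) and curl -I https://example.com/xmlrpc.php (expect 403); if the first still returns 200, AllowOverride AuthConfig is not enabled for that directory.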

More details about Digest authentication: see the Apache documentation for mod_auth_digest and htdigest.

None of the above makes a site 100% secure, but each rule closes one specific hole, and together they cut off most of the low-effort attacks a WordPress install sees.

By Mohammed Misyaath