How To Buff Your WordPress Security Using .htaccess

Having WordPress as your main engine for your blog is a good thing, but there are some security settings you need to take care of. In this tutorial we will show you how to buff your WordPress security using .htaccess file. Before we proceed, we urge you to make a backup of your full website (files and database).

.htaccess is a configuration file for Apache that allows you to control the access to the current directory. It is used to redirect to another web page, to allow/deny traffic from an IP and many more setting. In today’s tutorial we discuss the security settings that you can make to buff your WordPress installation. These settings are highly effective for your blog’s security. If you have a hosting plan, you can use the File Manager from cPanel account to make the modification needed to increase your WordPress security.

1. Prevent any access and execution of php script files in wp-content/uploads folder

Your uploads folder is public. That’s where WordPress uploads all your media that you put in your posts. If it’s insecure, then it represents a threat to your blog installation.

# Deny access to any php files 
<Files *.php>
deny from all

First, you need to log in to your cPanel account and then go to File Manager. Navigate to wp-content folder and go to uploads. If there is no .htaccess file, create it by clicking the “+ New File“, name it “.htaccess“. Now that the file is in uploads directory, we now need to copy paste the code above and click “Save Changes“.

2. We Deny Any Exterior Acces To wp-config.php

wp-config.php is a core WordPress configuration file that stores sensitive information regarding your MySQL Database. Therefore it is important to secure it so no one from exterior can access it. We will do that by modifying the .htaccess file in WordPress installation root folder. We just need to add these few line in the file.

<files wp-config.php>
order allow,deny
deny from all
3. Let’s Protect Our .htaccess file!

Typically the root directory’s .htaccess file should have 644 permission. This means it is only accessible for server user. It doesn’t allow access from nobody else, except the server side programs. If this file accidentally gets 777 permission then the code below rewrites the permissions as it should be. Just copy paste the code and then press “Save Changes“.

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
protect htaccess file by copy paste code

protect htaccess file by copy paste code

4. Let’s block any cross-site scripting (XSS)

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. Cross-site scripting carried out on websites accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007.  To secure it we need to add some lines of code to .htaccess file located under root’s folder which will make sure that every input will be secured.

# Blocks XSS attacks
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F,L]
block xss cross-site scripting

block xss cross-site scripting

5. Block any access from outside to wp-includes folder

wp-includes folder has some important WordPress core files and it is important to secure it, so outside access will be denied. We do this by adding some security code lines in our .htaccess root file.

# Blocks all wp-includes folders and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
block access to wp-includes folder

block access to wp-includes folder

6. Restrict any direct access to plugins and theme’s php files and folders

This needs to have security codes. We make sure we restrict any direct outside access to these important WordPress folders. It’s best to delete those plugins and themes that aren’t used, because they might have vulnerabilities flaws and can act as a backdoor for anybody to take control and gain access to your website. IF you want to exclude some files and/or folders from direct access make sure you modify file/to/exclude and directory/to/exclude with the path to exclude.

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
restrict any direct acces to plugins and themes folders

restrict any direct acces to plugins and themes folders

Don’t forget that if you want to exclude some files and folders, you can modify the lines file/to/exclude and directory/to/exclude with the path of those files and directories. If you don’t need to exclude anything then add a # at the begining of the lines.

7. If You Have A Fixed IP Then Allow Access To /wp-admin Only For Your IP (Optional)

Access to /wp-admin is available for everyone. It is public and everyone can access it. So if you have a fixed IP from your ISP (Internet Service Provider) it is better to allow access only from that IP. If you don’t have a fixed IP, then you should use Google Authenticator – WordPress Two Factor Authentication (2FA) plugin.

In case you don’t know your IP address, you can find it by accessing Replace xxx.yyy.zzz with your IP.

order deny,allow
allow from xxx.yyy.zzz.www (your ip1)
allow from xxx.yyy.zzz.www (your ip2)
deny from all
allow access from fixed IP

allow access from fixed IP

8. Let’s Block MySQL Injection, RFI, base64

MySQL Injection is a high level hacking method. If a WordPress plugin is not secured, these lines of code will make it so. Essentially every input will be secured. It will help your website to be safe from any attempts of hacking, even if you have a plugin that is not secured. These lines of code will be added to the root’s .htaccess file (under the public html folder).

# Block MySQL injections, RFI, base64, etc.
RewriteEngine On
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
block mysql injection RFI base64

block mysql injection RFI base64

9. File Injection Protection

File Injection is a hacking method used to gain access and take control over your site. If your website allows file uploads (like images), then this can be a vulnerability for your website. With these lines of code we make sure that you’ll be protected against file injection methods.

# File injection protection
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
file injection protection

file injection protection

10. Block user/author list

Sometimes a hacker can try a brute-force attack by knowing the username (author name or user name). So to prevent a hacker to find out that information we add some code lines in our root’s folder .htaccess file to protect the user/author list, even if you don’t have a multi user website. To do that, replace the with your domain address (in our case it will be!

# Block User list Phishing Requests
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} ^author=([0-9]*)
RewriteRule .* [L,R=302]
block user author list

block user author list

11. X-Security Headers & Clickjacking Protection

This type of hacking is quite common online. Basically by adding these lines to your root’s folder .htaccess file you will be protected against these types of hacking.

Header set X-Frame-Options SAMEORIGIN
Header set X-XSS-Protection "1; mode=block;"
Header set X-Content-Type-Options nosniff
x-security headers and clickjacking protection

x-security headers and clickjacking protection

In Conclusion

Although it’s easy to have a WordPress site, in a matter of minutes, to make it secured can be really time consuming. These lines of code can buff your WordPress security in a matter of minutes. If you have any question please follow us on Facebook, we respond as fast as we can!

%d bloggers like this: