Here's another of my tutorials on securing WordPress using the top .htaccess codes. Each of them has a great use, like securing the admin panel with an additional security layer, limiting login to certain IP addresses, and so on.
Before we start making any changes, I advise you to first back up your current .htaccess file. Just download it and save it somewhere; we will use it in case something goes wrong. This tutorial will cover securing the admin area, securing wp-config, securing .htaccess itself and much more!
- Disable PHP Execution.
Ok, let's get started, and first disable PHP execution in some WordPress directories. This stops malicious PHP code like PHP shells and backdoors from running: they won't open up as a shell or a backdoor and become a useless piece of code. Create a new .htaccess file containing this code and upload it to the directories where you want to disable PHP execution. I suggest uploading it to the wp-content and wp-includes folders.
<Files *.php>
deny from all
</Files>
- Protect wp-config.php from Hackers.
By default, wp-config.php is located in the root directory of the website, which is home/username/public_html/wp-config.php, and no one can view or download it. But if someone is in your server, they can easily read it and connect to your database using the credentials it contains, so we have to secure it. If another site hosted on your server is vulnerable, then you're in danger too. I'm talking about the symlink attack, which you can Google. Add these lines to your .htaccess.
<files wp-config.php>
order allow,deny
deny from all
</files>
- Banning IP Addresses.
You can also ban suspicious IPs. If you think someone may harm your website and you have their IP address, you can block them easily by simply adding this code to your .htaccess. Replace xxx.xxx.xxx.xxx with the IP address you want to block.
<Limit GET POST>
order allow,deny
deny from xxx.xxx.xxx.xxx
allow from all
</Limit>
- Disabling Image Hotlinking.
Someone can steal your bandwidth by hotlinking an image, because the image loads from your website. If your website has huge traffic and many photos, you should disable this by adding a few lines of code to your .htaccess file. Replace zaidsparrow.com with your own domain name.
#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?zaidsparrow\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google\.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?feeds2\.feedburner\.com/ZaidSparrow [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
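As an added check (my own Python, not code from the tutorial), this mirrors the RewriteCond chain above so you can see which Referer values the rule would block before uploading it; the request paths and referers are constructed samples.

```python
import re

# Referer patterns from the tutorial's RewriteCond lines (negated there with "!"),
# compiled case-insensitively to mirror the [NC] flag
ALLOWED_REFERERS = [re.compile(p, re.IGNORECASE) for p in (
    r"^http(s)?://(www\.)?zaidsparrow\.com",
    r"^http(s)?://(www\.)?google\.com",
    r"^http(s)?://(www\.)?feeds2\.feedburner\.com/ZaidSparrow",
)]
# The RewriteRule pattern: only requests for these image extensions are affected
IMAGE_RE = re.compile(r"\.(jpg|jpeg|png|gif)$", re.IGNORECASE)


def is_hotlink_blocked(path, referer):
    """Return True if the rule chain would answer 403 ([F]) for this request.

    RewriteCond lines are ANDed: the rule fires only when every condition holds.
    """
    if not IMAGE_RE.search(path):
        return False  # not an image request: the RewriteRule pattern does not match
    if referer == "":
        return False  # "!^$" fails on an empty Referer, so direct or privacy-stripped hits pass
    if any(p.match(referer) for p in ALLOWED_REFERERS):
        return False  # one negated condition fails: the referer is on the allow list
    return True       # every condition holds: this is a hotlink, forbidden


# Constructed sample requests: (request path, Referer header as sent by the browser)
SAMPLES = [
    ("/wp-content/uploads/2013/photo.jpg", "http://forum.example/thread/42"),
    ("/wp-content/uploads/2013/photo.jpg", "https://www.zaidsparrow.com/some-post"),
    ("/wp-content/uploads/2013/photo.jpg", ""),
    ("/wp-content/uploads/2013/photo.PNG", "HTTPS://GOOGLE.COM/search?q=x"),
    ("/index.php", "http://forum.example/thread/42"),
]

if __name__ == "__main__":
    for path, ref in SAMPLES:
        print("BLOCK" if is_hotlink_blocked(path, ref) else "allow", path, repr(ref))
```

Each domain pattern is a prefix match, so appending (/|$) after the domain in the .htaccess ties it to the exact host.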
- Disable Directory Browsing.
This helps in many ways: after doing it, no one will be able to list your theme files or plugin files, and you can also prevent an FPD (Full Path Disclosure) attack, all by simply adding this one line of code to your .htaccess file.
Options -Indexes
- Password Protecting WP-Admin Login Area.
This is a must if you want a really secure WordPress site. It can't be bypassed easily, and it works as an additional login: to view or log in to wp-admin you must first enter a password, or you will get an error. To do this, first create a file and name it .htpasswd (the name is case sensitive). After creating it, type your username and password there in the form username:password. You can also store the password encrypted (hashed) instead of in plain text, and you can generate such an entry online by using this Link.
zaidsparrow:zaidsparrow
username:password
Note: You must upload the .htpasswd file to a secure directory that normal users can't reach. A secure directory looks like this:
/home/yourusername/.htpasswd/publichtml/wp-admin/passwd
Just don't upload the .htpasswd file into the public_html folder. Now we have to upload a simple .htaccess file to the wp-admin folder, and whenever you want to log in to the wp-admin area, the page will require a username and password. Make a new file, name it .htaccess and upload it to the wp-admin folder using File Manager or FTP.
AuthName "Top Secret Area"
AuthUserFile /home/yourdirectory/.htpasswd/publichtml/wp-admin/passwd
AuthGroupFile /dev/null
AuthType Basic
require user putyourusernamehere
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Now, don't forget to replace yourdirectory with your hosting username and putyourusernamehere with your login username. For example:
AuthName "Top Secret Area"
AuthUserFile /home/zaidsparrow/.htpasswd/publichtml/wp-admin/passwd
AuthGroupFile /dev/null
AuthType Basic
require user zaidsparrow
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
That's all. You've successfully secured your WP-Admin area with an additional login.
- Limiting WP-Admin to Selected IPs.
With this, only the people you've selected by IP address will be able to view or log in to the WP Admin page. I don't usually prefer this, because after doing it you won't be able to log in from a different computer, though you can add several IPs in the code. But if you think your website is in danger and could get hacked, then I do prefer using this code. To limit IPs, just copy and paste this code into your .htaccess file.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Top Secret Area"
AuthType Basic
<Limit GET>
order deny,allow
deny from all
# to whitelist Number 1 IP address
allow from xxx.xxx.xxx.xxx
# to whitelist Number 2 IP address
allow from xxx.xxx.xxx.xxx
# to whitelist Number 3 IP address
allow from xxx.xxx.xxx.xxx
</Limit>
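As an added check for the ban block earlier and the whitelist block above (my own Python, not code from the tutorial), this evaluates Apache 2.2-style Order/Allow/Deny rules for a given client IP so you can confirm who gets in before uploading; the IPs filled into the xxx placeholders are constructed documentation-range samples.

```python
import ipaddress


def _host_matches(client, host):
    """True if a client IP matches one 'from' argument: 'all', an exact IP,
    a partial dotted prefix (Apache reads 198.51.100 as 198.51.100.x), or CIDR."""
    host = host.lower()
    if host == "all":
        return True
    if "/" in host:
        return ipaddress.ip_address(client) in ipaddress.ip_network(host, strict=False)
    return client == host or client.startswith(host.rstrip(".") + ".")


def evaluate(rules, client):
    """Decide whether an Order/Allow/Deny block admits client. Returns True = allowed."""
    order = "deny,allow"  # Apache's default when no Order directive is present
    allowed = denied = False
    for line in rules:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        name = parts[0].lower()
        if name == "order":
            order = parts[1].lower()
        elif name in ("allow", "deny") and len(parts) > 2 and parts[1].lower() == "from":
            hit = any(_host_matches(client, h) for h in parts[2:])
            if name == "allow":
                allowed = allowed or hit
            else:
                denied = denied or hit
    if order == "allow,deny":
        # must match an Allow and no Deny; clients matching neither are denied
        return allowed and not denied
    # deny,allow: any Allow overrides a Deny; clients matching neither are allowed
    return allowed or not denied


# The tutorial's blocks, with constructed documentation-range IPs in the placeholders
BAN_ONE_IP = ["order allow,deny", "deny from 203.0.113.7", "allow from all"]
WHITELIST = ["order deny,allow", "deny from all",
             "# to whitelist Number 1 IP address", "allow from 198.51.100.5",
             "# to whitelist Number 2 IP address", "allow from 198.51.100.6"]
WP_CONFIG = ["order allow,deny", "deny from all"]
# Common mistake: the whitelist with Order flipped locks every client out
WHITELIST_WRONG_ORDER = ["order allow,deny", "deny from all", "allow from 198.51.100.5"]
```

Note that the tutorial's whitelist wraps its rules in <Limit GET>, which Apache applies only to the listed methods (GET also implies HEAD); requests using other methods fall outside that block.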
Add as many as you want; just replace xxx.xxx.xxx.xxx with your real IP address, and only those addresses will be able to see the WP-Admin login page.
- Protect .htaccess from hackers
.htaccess has helped us, and now it's time to secure .htaccess itself. One thing: .htaccess is very powerful, one mistake and you're doomed, so keep this in mind while playing with .htaccess and double-check it before saving. Now just add this code to your current .htaccess file.
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
That's all for now buddies! I hope this tutorial helped you.
1 Response
Yeah, that's a great article! Thanks!