Ever since the recent scare of a large-scale super botnet attack focused directly on WordPress installations, I’ve received several messages from clients and just random people in our area. They contacted us out of concern for the safety of their own websites and wondered if they sitting ducks. Initially, I gave them some hope by explaining that the people with the biggest problem are those who set their administrator’s username to “admin” and/or used a weak password such as “password1” (which is more common than you might think).

protect-wordpressStill, this recent attack is but one example of the many ways a hacker could break into your website and use it for malicious reasons. There are also many ways you can protect WordPress and I recommend you implement as many of them as you possibly can. If you don’t know how, you could literally spend hours scouring the internet for solutions and configuring them properly. The best way, however, is to hire a professional.

That said, this article is going to show you how you can tighten security using a little file in the root directory of your WordPress installation called .htaccess. If you are using a Linux-based server for your web hosting, then you are most likely running Apache Web Server software and this tutorial will help you. If you are running some other web server software or hosted on a Windows server, this tutorial will not help you. The .htaccess file is used to secure specific directories with various restrictions.

Before continuing, you will need your local IP address. To find out what this is, simply visit http://whatismyipaddress.com/

Step One

Backup your existing .htaccess file. You can simply copy and rename it, or download a copy of it and have it ready in the event you need to re-upload it.

Step Two

Restrict access to the WordPress administration area. If you are running a single-administrator site (you), this modification to only allow access from your IP address will help protect the WordPress backend. In the code below, replace #.#.#.# with your IP address. Add this at the top of your .htaccess file:

order deny,allow
allow from #.#.#.#
deny from all

Step Three

Protect your wp-config.php file. The wp-config.php file contains information that allows your WordPress installation to communicate with the database where all of your site’s data and settings are stored. As you might imagine, this information could be dangerous if obtained by the wrong people. Add the following code right after the code provided in Step Two:

order allow,deny
deny from all

Better Method: There is a better way of protecting your wp-config.php file, but it doesn’t involve editing .htaccess. The best practice would be to move wp-config.php out of your site’s root folder and put it back one level — that is, above the public site root directory (often titled “public_html” or “www”). WordPress will automatically find it and use it from there.

Step Four

Protect your site from spammers. This isn’t a catch-all system for stopping spammers from hogging your site’s resources. However, it is a good first line of defense against them. Spammers often use bots to find victims and do so by hiding where they are coming from. This little trick will stop these bots right from the get-go. Add this code right after the code provided in Step Three:

RewriteEngine On
RewriteCond %{REQUEST_URI} .wp-comments-post.php*
RewriteCond %{HTTP_REFERER} !.*yourdomain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Step Five

Protect internal WordPress directories. There’s no reason why anyone should be able to manually browse your directories. Those who know about the WordPress directory structure could use this to determine what plugins you are using and find weaknesses by which to exploit your website. Place the following code directly after the code provided in Step Four:

Options All -Indexes

Step Six

Protect your .htaccess file. Now that you have protected many aspects of your website, you need to make sure a malicious user can’t access your .htaccess file and reverse everything you’ve just done. Add the following code to the top of your .htaccess file:

order allow,deny
deny from all
satisfy all

Alternate method: You could also rename your .htaccess file, thus thwarting anyone look specifically for that file:

AccessFileName hahaha.loser


As noted previously, this is not the ultimate solution to securing your website. But it certainly is a big step in the right direction. Couple the steps above with some other security measures, including some plugins, can help you protect WordPress and minimize the danger of your site getting hacked.

One important note: Some plugins rely on access to the .htaccess file (such as caching plugins). You may have to remove some of the above settings in order to properly use certain plugins.

Stay safe!

Leave a Reply

Your email address will not be published. Required fields are marked *