Source:
http://www.elegantthemes.com/blog/tips-tricks/wordpress-htaccess-tips-and-tricks
Configure .htaccess:
The .htaccess file is a configuration file that allows you to control
files and folders in the current directory, and all sub-directories.
The filename is a shortened name for
hypertext access and is supported by most servers.
For many WordPress users, their first meeting with the .htaccess file
is when they customize their website’s permalink settings. To get those
pretty permalinks that we all know and love (e.g.
http://www.elegantthemes.com/sample-post/ instead of
http://www.elegantthemes.com/?p=123), we need to add something like this
to the .htaccess file:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
If no .htaccess file exists, you can create one yourself and upload
it. All you have to do is create a blank text file, save it as .htaccess
and upload it to the root of your WordPress installation. Be sure to
include the period at the start of the filename (i.e. save the file as
.htaccess and not htaccess).
You also need to ensure your .htaccess file is writable so that WordPress can add the appropriate permalink code to it. WordPress.org advises file permissions of 644 for the .htaccess file.
The .htaccess file is a hidden file. You therefore need to ensure your FTP client or file manager is configured to display hidden files in your directory.
The .htaccess file is not only used for permalinks. The file is
better known for its ability to strengthen the security of a website.
Millions of WordPress users use the .htaccess file to protect their
websites from spammers, hackers, and other known threats.
In this article, I would like to share with you several snippets for
.htaccess that will make your website secure. I have also included a few
additional snippets that I believe you will find useful.
You may have noticed that my permalink example above begins with # BEGIN WordPress and ends with # END WordPress. WordPress rewrites whatever is placed between those two markers whenever it regenerates its permalink rules, so any custom code put there can be overwritten. You should therefore add the snippets shown in this article at the top or bottom of your .htaccess file (i.e. before # BEGIN WordPress or after # END WordPress).
Be Careful
The .htaccess file is one of the most temperamental files you will
encounter when using WordPress. It only takes one character to be out of
place for the code to be incorrect. When that happens, it will usually
cause your whole website to go down. It is therefore vital that you copy
the code noted in this article correctly to your own .htaccess file.
Even if you are cautious, accidents can happen, and they frequently do.
Do not cut any corners when working with the .htaccess file. Before
you begin, make a backup of your current working version of .htaccess.
Store it in a safe place on your computer, and if possible, in another
location such as a USB flash drive or on cloud storage.
Whenever you update your .htaccess file on your server, refresh your
website to see if your website is still live. Do not skip this step as
it is vital that you verify your website is still working correctly. If
your website returns a blank screen, immediately revert back to your
saved copy of .htaccess by uploading it over the version with errors.
If you cannot locate your backup file, either upload a blank .htaccess file or delete the .htaccess file altogether. This will get your website back online, which will obviously be your priority when your website goes offline.
Do not take any chances with .htaccess. Always have a backup. You have been warned!
1. Protect .htaccess
Due to how much control .htaccess has over your whole website, it is
important to protect the file from unauthorised users. The following
snippet will stop hackers from accessing your .htaccess file. You can,
of course, still edit the file yourself via FTP and through your hosting
control panel’s file manager.
2. Protect WP-Config.php
Another important file is wp-config.php. This configuration file
contains the login information for your WordPress database as well as
other important maintenance settings. It is therefore advisable to
disable access to it.
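Both snippets in one file, as an added example rather than the article's own code: it refuses direct web requests for .htaccess and wp-config.php and carries the Apache 2.2 directives used elsewhere in this article next to their Apache 2.4 equivalents, because on 2.4 the old Order/Deny form only works when mod_access_compat is loaded. Stock Apache builds already ship a similar block for .ht* files in httpd.conf, so this mainly matters on hosts that removed it.

```apache
# Root .htaccess of the WordPress install, outside the # BEGIN/END WordPress markers.
# (Added example, not the article's snippet.)

# Apache 2.4: mod_authz_core is present, so the Require syntax applies.
<IfModule mod_authz_core.c>
  <FilesMatch "^(\.htaccess|wp-config\.php)$">
    Require all denied
  </FilesMatch>
</IfModule>

# Apache 2.2 (no mod_authz_core): the Order/Deny form used elsewhere in this article.
<IfModule !mod_authz_core.c>
  <FilesMatch "^(\.htaccess|wp-config\.php)$">
    Order allow,deny
    Deny from all
  </FilesMatch>
</IfModule>
```

After uploading, request /wp-config.php and /.htaccess on your site in a browser and confirm that both answer 403 Forbidden while the rest of the site still loads.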
3. Protect /Wp-Content/
The wp-content directory is one of the most important areas of your
WordPress website. It is where vital files are located such as your
themes, plugins, uploaded media (images and videos), and cached files.
Due to this, it is one of the main targets of hackers. When a spammer managed to compromise an old website of mine last year, he did it by uploading a mail script to my uploads folder. He then proceeded to send out spam mail using my server, which subsequently placed my server on spam blacklists.
You can tackle threats like this by creating a separate .htaccess file and adding the following code to it:
# Refuse every web request into wp-content by default...
Order deny,allow
Deny from all
# ...then allow only these file types (the dot is escaped so that only a real extension matches)
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
You then need to upload this separate .htaccess file to the main wp-content directory, i.e. www.yourwebsite.com/wp-content/. Doing this allows only XML, CSS, JPG, JPEG, PNG, GIF and JavaScript files under wp-content to be requested over the web; any other file type, such as an uploaded PHP mail script, will be denied. Themes and plugins keep working because WordPress includes their PHP files on the server rather than requesting them over HTTP, but extend the list if your site serves other types from wp-content (web fonts and video files, for example, are not covered by it).
4. Block Include-Only Files
Certain WordPress files never need to be requested directly by a visitor. You can block access to these files by adding the following code to your .htaccess file:
# Block the include-only files.
RewriteEngine On
RewriteBase /
# [F] answers with 403 Forbidden, [L] stops processing further rules
RewriteRule ^wp-admin/includes/ - [F,L]
# For any request outside wp-includes/, skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
5. Restrict Access to the Admin Area
Another entry point for hackers is the WordPress admin area. If they
gain access to this area, they can do almost anything to your website.
To make this area more secure, create a new .htaccess file and add the code below to it:
# Limit logins and admin by IP
order deny,allow
deny from all
allow from 12.34.56.78
Be sure to change 12.34.56.78 to your own IP address (you can find out your IP address at What Is My IP?). Then upload the file to your website’s /wp-admin/ folder, i.e. www.yourwebsite.com/wp-admin/. This will allow you to access your WordPress admin area, but will block everyone else.
Additional IP addresses can be added for other administrators and staff. You can do this by adding additional allow lines or by listing their IP addresses in the main allow line, separated by spaces (Apache reads the list as space-separated, so commas would stop the extra addresses being recognised). For example:
allow from 12.34.56.78 98.76.54.32 19.82.73.64
6. Ban Someone From Your Website
If you know the IP address of a malicious party, you can completely
ban them from your website using the snippet below. For example, you
could ban someone who always leaves abusive comments or someone who has
attempted to access your admin area.
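An added example covering sections 5 and 6 together (not the article's own code), using the 12.34.56.78, 98.76.54.32 and 19.82.73.64 addresses from this article as placeholders. It keeps admin-ajax.php reachable, because themes and plugins call it from the public side of the site for every visitor, and it gives both the Apache 2.2 and Apache 2.4 forms.

```apache
# These rules judge the connecting address. Behind a CDN or reverse proxy that is the
# proxy's address, so configure mod_remoteip (RemoteIPHeader) first or the allow-list
# would admit everyone arriving through the proxy.

# ---- /wp-admin/.htaccess : allow only listed addresses (section 5) ----
<IfModule mod_authz_core.c>
  # Apache 2.4
  <RequireAny>
    Require ip 12.34.56.78
    Require ip 98.76.54.32
  </RequireAny>
  # admin-ajax.php is requested by the public site, so keep it open to all
  <Files admin-ajax.php>
    Require all granted
  </Files>
</IfModule>
<IfModule !mod_authz_core.c>
  # Apache 2.2
  Order deny,allow
  Deny from all
  Allow from 12.34.56.78 98.76.54.32
  <Files admin-ajax.php>
    Order allow,deny
    Allow from all
  </Files>
</IfModule>

# ---- root .htaccess : ban one address from the whole site (section 6) ----
<IfModule mod_authz_core.c>
  <RequireAll>
    Require all granted
    Require not ip 19.82.73.64
  </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
  Order allow,deny
  Allow from all
  Deny from 19.82.73.64
</IfModule>
```

Check it by loading /wp-admin/ from an address outside the list (expect 403) and from a listed address (expect the login page); a banned address should get 403 on every page.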
7. Send Visitors to a Maintenance Page
Maintenance plugins such as Ultimate Maintenance Mode and Maintenance are useful for displaying a temporary message to visitors when you are developing a website, or when working in the background to update your website.
Unfortunately, maintenance plugins are of little help if you face the infamous WordPress White Screen of Death. They only function correctly if your website is working correctly.
If you want to prepare for the worst, I recommend creating a basic
HTML page named maintenance.html that advises visitors that you are
currently experiencing problems with your website, but will be back
online soon. When your website does go down because of a hacking attempt
or because of the White Screen of Death, simply add the snippet below
to your .htaccess file to direct all traffic to your message at
maintenance.html.
RewriteEngine On
# Never redirect the maintenance page itself, otherwise the redirect loops
RewriteCond %{REQUEST_URI} !/maintenance.html$
# Let your own address through so you can still reach the site
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
# Every other request gets a temporary (302) redirect to the maintenance page
RewriteRule $ /maintenance.html [R=302,L]
You need to configure the above code for your own website. Change the HTML filename in the REQUEST_URI condition and in the RewriteRule line to the name and location of your own maintenance file (if that page loads its own stylesheet or images, exclude those in the same way, or they will be redirected too). You also need to put your own IP address in the REMOTE_ADDR condition to ensure that you can access your website whilst the maintenance message is being displayed to others. The code uses a 302 (temporary) redirect so that search engines do not index the maintenance page in place of your real URLs.
8. Disable Directory Browsing
Allowing unauthorised individuals to look at your files and folders
can be a major security risk. To disable browsing of your directories,
simply add this small piece of code to your .htaccess file:
# disable directory browsing (needs AllowOverride Options or All on the host; otherwise Apache answers 500)
Options -Indexes
9. Enable Browser Caching
Browser caching is something I recently discussed in my article “Optimize Your WordPress Website Using These Simple Tips”.
Once enabled, browser caching will allow visitors to save items from your web page so that they do not need to be downloaded again.
It is used for design elements such as CSS stylesheets and media items such as images. It is a practical solution because once someone uploads an image to a website, the image is rarely updated again. Browser caching therefore allows visitors to load the image saved on their computer rather than fetching it from your server. This reduces bandwidth use and speeds up page loading.
To enable browser caching, all you need to do is add this code to your .htaccess file:
<IfModule mod_expires.c>
ExpiresActive On
# Images rarely change once uploaded, so they can be cached for a long time
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType image/x-icon "access 1 year"
# Stylesheets, scripts and documents change more often. With a long lifetime an
# updated file needs a new name or version query string before visitors see it.
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
# Everything else, including HTML pages, expires after two days
ExpiresDefault "access 2 days"
</IfModule>
10. Redirect a URL
301 redirects allow you to inform search engines that a URL has permanently moved to a new location. They can be used to redirect a page, a folder, or even an entire website.
They are therefore used whenever the URL of a page changes. This can be due to changing a domain, changing the permalink structure of your website, or simply changing the page slug (e.g. changing the page slug of an article from my-news to mygreatnews).
To redirect a location, all you need to do is add a line with Redirect 301, followed by the old location and then the new location. You can see how this works in practice below:
# Old path first, then the destination (a full URL when the page has moved to another domain)
Redirect 301 /oldpage.html http:
# Both locations can be paths on the same site
Redirect 301 /oldfolder/page2.html /folder3/page7.html
11. Disable Hotlinking
Hotlinking is a practice in which someone shares an image from your
website by linking directly to the image URL. It commonly occurs on
discussion forums, but many website owners still do it too (which is a
mistake as it means images can be removed from your content at any
time). Hotlinking can have a negative effect on your website. In
addition to slowing your website down, it can also significantly
increase your bandwidth costs with your hosting company.
You can prevent hotlinking by only allowing your own website, and any others you own, to load your image files. Add the code below to your .htaccess file to stop others from hotlinking your images. Be sure to replace the URLs below with your own website addresses.
RewriteEngine On
# Skip requests that carry no Referer header (direct visits, many RSS readers)
RewriteCond %{HTTP_REFERER} !^$
# Skip requests that come from your own site(s); one line per domain you own
RewriteCond %{HTTP_REFERER} !^http(s)?:
RewriteCond %{HTTP_REFERER} !^http(s)?:
# Any other request for an image is sent to the replacement image instead
RewriteRule \.(jpg|jpeg|png|gif)$ http:
When someone now views an image of yours at another URL, they will
instead be shown the image denoted in the last line of code. This image
can be changed to whatever you want.
* Note that disabling hotlinking may cause some RSS readers to have problems displaying your images from your RSS feed.
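A complete version of the hotlink guard as an added example (not the article's snippet), using this article's www.yourwebsite.com placeholder and a constructed replacement image name, hotlink.png. It shows both possible outcomes, serving a replacement image or answering 403, and adds the exception that stops the replacement image from triggering the rule again.

```apache
<IfModule mod_rewrite.c>
  RewriteEngine On
  # The Referer header is set by the client, so this deters casual embedding;
  # it is not an access control and a determined client can omit or forge it.

  # Requests without a Referer (direct visits, most RSS readers, privacy settings) pass
  RewriteCond %{HTTP_REFERER} !^$
  # Requests from your own site(s) pass; NC makes the match case-insensitive.
  # www.yourwebsite.com is this article's placeholder: add one line per domain you own.
  RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourwebsite\.com/ [NC]
  # Exclude the replacement image itself, otherwise the redirect below loops:
  # the browser re-requests /hotlink.png with the same foreign Referer.
  RewriteCond %{REQUEST_URI} !/hotlink\.png$

  # Option 1: show the replacement image (hotlink.png is a constructed name)
  RewriteRule \.(jpe?g|png|gif)$ /hotlink.png [R=302,NC,L]
  # Option 2 (use instead of option 1): refuse the request with 403 Forbidden
  # RewriteRule \.(jpe?g|png|gif)$ - [F,NC,L]
</IfModule>
```

To test without a second website, request one of your images with curl and a foreign Referer header (for example `curl -I -H "Referer: http://example.com/" http://www.yourwebsite.com/wp-content/uploads/photo.jpg`, with a real image path) and check for the 302 or 403; repeat with no Referer and expect 200.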
I hope you have enjoyed this list of tips and tricks for the
.htaccess file. As you can see, it is a versatile configuration file
that can be used for many things.
If you enjoyed this article, I encourage you to subscribe to the
Elegant Themes Blog.
By Kevin Muldoon (E.T.)