.htaccess, the per-directory configuration file that controls how the Apache web server behaves, is very useful and lets us do a lot of things, many of them for security reasons. Let's see how these popular .htaccess hacks can help with the security, functionality and usability of a WordPress blog.

Keep This in Mind
Open the existing .htaccess file in the root of your WordPress blog and paste the snippets below into it, or create a new .htaccess file if none exists. Upload it to the site root and chmod it to 644 so that only the owner can write to it (the web server still has to be able to read it). Two things to know before you start: the order/allow/deny directives used below are Apache 2.2 syntax, which Apache 2.4 accepts only when mod_access_compat is loaded (the native 2.4 forms are "Require all denied" and "Require ip x.x.x.x"), and every snippet depends on the server having AllowOverride enabled for the directory. A typo in .htaccess turns the whole site into a 500 Internal Server Error, so test after each change.
Be sure to keep a backup of the original working .htaccess in case you need to revert to the old settings.
The Hacks
- Protect the .htaccess file itself
# protect the htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
Apache's stock httpd.conf already contains a block that refuses to serve any .ht* file; this repeats the rule locally in case your host's configuration does not, so that the rules below (and a .htpasswd, if you add one) can never be downloaded.
- Protect the wp-config.php file
# protect wp-config.php (database credentials and authentication keys)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
The name inside <Files> must be exactly wp-config.php. Normally PHP executes the file and its contents are never sent to the browser, but if the PHP handler is ever misconfigured Apache would serve it as plain text; this rule makes sure the request is refused either way.
- Disable the server signature
# disable the server signature (the version line at the foot of error pages)
ServerSignature Off
This hides the Apache version from server-generated error and index pages only. The Server response header is controlled by ServerTokens, which cannot be set in .htaccess; it has to be "ServerTokens Prod" in the main server configuration.
- Limit the file upload size
# reject request bodies larger than 10 MB (10485760 bytes)
LimitRequestBody 10485760
Apache answers oversized requests with 413 Request Entity Too Large before PHP ever sees them. Note that this applies to every POST, not only to uploads, and that WordPress' own upload ceiling is set by PHP's upload_max_filesize and post_max_size, so keep the three values consistent.
- Blacklist undesired users' and bots' IP addresses
# who has access and who doesn't
<Limit GET POST PUT>
order allow,deny
allow from all
deny from 192.0.2.10
deny from 192.0.2.20
deny from 198.51.100.0/24
deny from 203.0.113.5
</Limit>
The addresses above are placeholders from the RFC 5737 documentation ranges; replace them with the ones you want to block, and use a CIDR range to block a whole network. (Values such as 123.456.789, which often appear in copies of this snippet, are not valid IPv4 addresses: an octet cannot exceed 255.) Be aware that a <Limit> block applies only to the methods it names (GET also covers HEAD), so OPTIONS, TRACE and any other method bypass it; for a real block-list, drop the <Limit> wrapper and put the order/allow/deny lines at top level.
- Allow only your IP address on the wp-admin directory
Put this in a separate .htaccess file inside the wp-admin directory, not in the site root:
# wp-admin/.htaccess: admit only the listed addresses
order deny,allow
deny from all
allow from xx.xx.xx.xx
Replace xx.xx.xx.xx with your own IP address; add another "allow from" line for each further address. Do not wrap these lines in a <LIMIT GET> block, as the widely copied version of this snippet does: that restricts only GET (and HEAD) and leaves POST, the method used by the login form and every admin action, wide open. The AuthUserFile/AuthGroupFile/AuthName/AuthType lines bundled with that version are not needed either; access is decided by address alone. Two caveats: this only works from a static address, and wp-admin/admin-ajax.php is called by many themes and plugins on behalf of ordinary visitors, so you may need to exempt that one file with a <Files admin-ajax.php> block that allows everyone.
- Redirect users to custom error pages
# custom error documents
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php
The pages must exist at those paths and be reachable (do not put them behind one of the deny rules above). Prefer a static HTML page for the 500 handler: a PHP error page can fail for the very reason the original request did.
- Prevent directory browsing
# disable directory listings ("-Indexes" with an ASCII hyphen, not a dash)
Options -Indexes
Without this, any directory that has no index file (wp-content/uploads, for example) lists its contents to anyone who asks. If the server's AllowOverride does not include Options, this line alone causes a 500 error; in that case ask your host to set it server-wide.
- Redirect the "Day and name" permalink structure to the new /%postname%/ structure without losing any backlinks
First log in to your WordPress admin, go to Settings → Permalinks, select Custom Structure and fill in /%postname%/.
The permalinks will then look like this:
http://www.yourblog.com/name-of-the-post
Now open the .htaccess file (or create one if it does not exist) and paste this line into it:
RedirectMatch 301 ^/([0-9]{4})/([0-9]{2})/([0-9]{2})/(.+)$ http://www.yourblog.com/$4
Old links of the form http://www.yourblog.com/2009/03/14/name-of-the-post are now answered with a permanent redirect to the new address, so existing backlinks keep working. The pattern is anchored with ^ and uses the real year/month/day widths on purpose: the unanchored form often seen, /([0-9]+)/([0-9]+)/([0-9]+)/(.*)$, also fires on any other path that happens to contain three numeric segments, and its (.*) accepts an empty slug, which would send day-archive URLs to the home page.
- Remove /category/ from WordPress URLs
What we want is to change
http://www.yourblog.com/blog/category/postname
to
http://www.yourblog.com/blog/postname
Paste the code below into the .htaccess file in the blog directory (here /blog/). In a per-directory .htaccess the pattern is matched against the path relative to that directory, which is why there is no leading slash:
RewriteEngine On
RewriteRule ^category/(.+)$ http://www.yourblog.com/blog/$1 [R=301,L]
Keep the /blog/ prefix in the target, otherwise the redirect lands at the site root. This only rewrites the URL: WordPress still has to resolve the shortened address, so /category/ archive pages need a plugin that removes the category base (or a permalink structure that already omits it), otherwise the redirected URL returns a 404.
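The two redirect rules in this and the previous section are easy to get subtly wrong, so here is an added example, not from the original post, that replays them in Python with the re module standing in for Apache's PCRE engine (for patterns this simple the two agree: Apache's match is an unanchored search, like re.search). The sample paths are constructed and www.yourblog.com is the post's placeholder host. For the day-and-name rule it evaluates both the unanchored pattern as commonly written and the anchored one, so you can see which paths each one catches.

```python
import re


def apache_to_python_subst(subst: str) -> str:
    """Apache writes back-references as $N; Python's Match.expand wants \\N."""
    return re.sub(r"\$(\d)", r"\\\1", subst)


def redirect_match(pattern: str, target: str, path: str):
    """Simulate RedirectMatch / RewriteRule [R]: the new URL, or None if the rule
    does not fire. Apache's regex match is an unanchored search, like re.search."""
    m = re.search(pattern, path)
    return m.expand(apache_to_python_subst(target)) if m else None


# Day-and-name rule as commonly written: no leading ^, any number of digits.
LOOSE = r"/([0-9]+)/([0-9]+)/([0-9]+)/(.*)$"
# Tightened: anchored to the start of the path, real date widths, non-empty slug.
TIGHT = r"^/([0-9]{4})/([0-9]{2})/([0-9]{2})/(.+)$"
TARGET = "http://www.yourblog.com/$4"

# A RewriteRule in a per-directory .htaccess sees the path relative to that
# directory, so the category pattern has no leading slash.
CATEGORY_PATTERN = r"^category/(.+)$"
CATEGORY_TARGET = "http://www.yourblog.com/blog/$1"


def redirect_day_name(path: str, pattern: str = TIGHT):
    return redirect_match(pattern, TARGET, path)


def redirect_category(rel_path: str):
    return redirect_match(CATEGORY_PATTERN, CATEGORY_TARGET, rel_path)


# Constructed sample paths; only the first one should ever be redirected.
SAMPLE_PATHS = [
    "/2009/03/14/htaccess-hacks",       # old day-and-name permalink
    "/2009/03/14/",                     # day archive: loose rule sends it to the home page
    "/files/2009/03/14/report.pdf",     # unrelated file whose path contains a date
    "/about",                           # unrelated page
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:35} loose -> {redirect_day_name(p, LOOSE)}")
        print(f"{'':35} tight -> {redirect_day_name(p)}")
    print(redirect_category("category/htaccess-hacks"))
```

Run it and compare the two columns: the loose pattern redirects the day archive to the home page and breaks any file whose path happens to contain a date, while the anchored pattern touches only the old post URLs.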
- Redirect WordPress RSS feeds to feedburner with .htaccess
# temp redirect wordpress content feeds to feedburner
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds2.feedburner.com/catswhocode [R=302,NC,L]
</IfModule>
Do not forget to replace the FeedBurner URL in the RewriteRule (feeds2.feedburner.com/catswhocode in the example) with your own. The two conditions let FeedBurner itself and the feed validator fetch the real feed, and the 302 keeps the redirect temporary so that you can undo it later.
- Block referring domains
The example blocks visitors referred from digg.com. Who would turn down Digg traffic? Nobody; it is only an example, and you can put any domain name there.
#block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} digg\.com [NC]
RewriteRule .* - [F]
Escape the dot, or the condition also fires on a host such as diggXcom. The Referer header is whatever the client chooses to send, so this keeps out referral traffic and casual scrapers, not anyone who sets their own headers.
- Disable hotlinking of images, with a forbidden response or a custom image
RewriteEngine On
# replace mysite.com with your blog's domain; escape the dots and match the host part only
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?mysite\.com/ [NC]
# requests with no Referer (direct visits, privacy tools) are still served
RewriteCond %{HTTP_REFERER} !^$
# never rewrite the replacement image itself, or the rule matches its own output
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
# replace /images/nohotlink.jpg with your "don't hotlink" image
RewriteRule \.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [NC,L]
To answer with a plain 403 instead of an image, make the last line "RewriteRule \.(jpe?g|gif|bmp|png)$ - [NC,F]" and drop the nohotlink.jpg condition. The pattern this snippet is usually copied with, ^http://(.+.)?mysite.com/, has two holes: it rejects HTTPS referers from your own site, and because the dots are unescaped and (.+.) can span the whole URL, any page whose address merely contains "mysite.com/" somewhere, such as http://evil.example/?u=mysite.com/, is treated as yours.
- Setting the canonical URL manually using .htaccess
# set the canonical url: send bare-domain requests to www
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]
Use the opposite condition (^www\.yourdomain\.com$) and target if you prefer the bare domain, and make sure the scheme matches the one your site actually uses so that HTTPS visitors are not bounced to HTTP. Set the same URL under Settings → General in WordPress, otherwise WordPress' own canonical redirect and this one send visitors back and forth.
- Deny comment posting to requests with no referrer / protect from spam comments
You can also use .htaccess to cut down on comment spam. The rules below look at the Referer header (the page the commenter came from) and deny the request when someone POSTs to wp-comments-post.php without arriving from a page on your own blog, or with an empty User-Agent, which is how most naive spam bots behave. Replace yourdomain.com in the HTTP_REFERER condition with your own domain.
# protect from spam comments
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?yourdomain\.com/ [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
Both headers are supplied by the client, so anyone who bothers to set a plausible Referer walks straight through; this stops lazy bots, not a determined spammer. A pattern such as .*yourdomain.com.* is even weaker, since a referer like http://spam.example/yourdomain.com satisfies it. The filter also turns away real readers whose browsers or privacy extensions strip the Referer, so keep an eye on lost comments. The rule bounces the spammer to its own address; a plain 403 ("RewriteRule .* - [F]") is a quieter alternative.
- Redirect visitors to a maintenance page
Replace maintenance.html with the page you want visitors to see, and 123.123.123.123 with your own IP address so that you can still reach the site while it is down.
A 302 (temporary) redirect is used so that search engines do not index the maintenance page in place of your real pages. Strictly, the right signal for a planned outage is a 503 status with a Retry-After header, but that takes more than a one-line redirect.
RewriteEngine on
# let the maintenance page itself through, or the redirect loops
RewriteCond %{REQUEST_URI} !/maintenance\.html$
# anchor both ends, or 123.123.123.1234 is exempted as well
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule ^.*$ /maintenance.html [R=302,L]
If maintenance.html pulls in a stylesheet or images, exclude those paths the same way or they will be redirected too.
- Compress static data
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
# Netscape 4.x mishandles compressed content other than HTML...
BrowserMatch ^Mozilla/4 gzip-only-text/html
# ...and 4.06-4.08 cannot handle it at all
BrowserMatch ^Mozilla/4\.0[678] no-gzip
# Internet Explorer also calls itself Mozilla/4 but copes fine
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</IfModule>
The <IfModule> guard keeps the site up if mod_deflate is not loaded. One security caveat: compressing dynamic HTML served over HTTPS is the precondition for compression-oracle attacks (BREACH) against secrets embedded in the page, such as nonces; compressing static CSS and JavaScript carries no such risk.
- Forcing the use of browser cache
# ETag from modification time and size only, so it stays identical across mirrored servers
FileETag MTime Size
<IfModule mod_expires.c>
<FilesMatch "\.(jpg|gif|png|css|js)$">
ExpiresActive on
ExpiresDefault "access plus 1 year"
</FilesMatch>
</IfModule>
With a one-year lifetime, browsers will not re-fetch a changed stylesheet or script until its URL changes. WordPress appends a ?ver= query string to the assets it enqueues for exactly this reason, but files you link by hand need the same treatment.
- Protect WordPress Blog From Script Injections
Options +FollowSymLinks
RewriteEngine On
# reject query strings carrying a <script> tag or an attempt to override PHP's GLOBALS / _REQUEST arrays
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]
Escape the [ in the last two patterns: left unescaped, PCRE reads "[|%[0-9A-Z]" as a character class repeated 0 to 2 times, which matches the empty string, so any query string that merely contains the word GLOBALS or _REQUEST is rejected. Options +FollowSymLinks is required for mod_rewrite in a .htaccess (or SymLinksIfOwnerMatch); if Options is not in AllowOverride it causes a 500. Treat the whole block as a speed bump, not a defence: it is a blacklist that never sees POST bodies, misses double-encoded payloads such as %253C, and blocks legitimate searches containing the word script. Keeping WordPress and its plugins patched is what actually closes injection holes.
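Several of the rules on this page (the hotlink, comment-spam, maintenance-page and script-injection blocks) hinge on a RewriteCond regex, and most of the bugs live in escaping and anchoring. The following is an added example, not code from the original post, that evaluates the loose patterns those snippets are usually copied with beside the tightened ones, using Python's re module as a stand-in for Apache's PCRE (for these patterns the two behave identically; a RewriteCond is an unanchored search and [NC] is IGNORECASE). All Referer, address and query-string samples are constructed; mysite.com, yourdomain.com and 123.123.123.123 are the post's placeholders.

```python
import re


def cond(pattern: str, value: str, nocase: bool = False) -> bool:
    """Simulate one RewriteCond: PCRE-style unanchored search, [NC] -> IGNORECASE."""
    return re.search(pattern, value, re.IGNORECASE if nocase else 0) is not None


# --- Hotlink protection: which Referer values count as "our own site"? ---------
HOTLINK_LOOSE = r"^http://(.+.)?mysite.com/"          # commonly copied form
HOTLINK_TIGHT = r"^https?://([^/]+\.)?mysite\.com/"    # host part only, dots escaped


def hotlink_allowed(referer: str, pattern: str = HOTLINK_TIGHT) -> bool:
    """True when the image is served normally; an empty Referer is always allowed."""
    return referer == "" or cond(pattern, referer, nocase=True)


# --- Comment-spam filter: Referer must point at one of our own pages -----------
SPAM_LOOSE = r".*yourdomain.com.*"
SPAM_TIGHT = r"^https?://([^/]+\.)?yourdomain\.com/"


def comment_post_blocked(referer: str, user_agent: str,
                         pattern: str = SPAM_TIGHT) -> bool:
    """The two OR'd conditions: referer not ours, OR empty User-Agent."""
    return (not cond(pattern, referer, nocase=True)) or user_agent == ""


# --- Maintenance page: exempt the administrator's own address -------------------
ADMIN_LOOSE = r"^123.123.123.123"
ADMIN_TIGHT = r"^123\.123\.123\.123$"


def exempt_from_maintenance(remote_addr: str, pattern: str = ADMIN_TIGHT) -> bool:
    return cond(pattern, remote_addr)


# --- Script-injection filter: what the _REQUEST pattern really matches ----------
# With the '[' unescaped, PCRE reads "[|%[0-9A-Z]" as one character class repeated
# 0-2 times. The bracket inside the class is escaped here only so Python builds
# that very same class without a syntax warning.
INJECT_LOOSE = r"_REQUEST(=|[|%\[0-9A-Z]{0,2})"
# Intended meaning: "_REQUEST" followed by '=', a literal '[' or a %-encoded byte.
INJECT_TIGHT = r"_REQUEST(=|\[|%[0-9A-Z]{0,2})"


def query_blocked(query_string: str, pattern: str = INJECT_TIGHT) -> bool:
    return cond(pattern, query_string)


# Constructed sample inputs built around the post's placeholder names.
REFERERS = ["", "http://www.mysite.com/post", "https://mysite.com/post",
            "http://evil.example/?u=mysite.com/", "http://mysiteXcom/"]
ADDRESSES = ["123.123.123.123", "123.123.123.1234", "123x123x123x123", "10.0.0.1"]
QUERIES = ["id=5&_REQUEST[x]=1", "_REQUEST%5Bx%5D=1", "s=my_REQUEST_notes"]

if __name__ == "__main__":
    for ref in REFERERS:
        print(f"hotlink  {ref!r:40} loose={hotlink_allowed(ref, HOTLINK_LOOSE)!s:5} "
              f"tight={hotlink_allowed(ref)}")
    spoofed = "http://spam.example/yourdomain.com"
    print(f"comment  spoofed referer blocked: "
          f"loose={comment_post_blocked(spoofed, 'bot', SPAM_LOOSE)} "
          f"tight={comment_post_blocked(spoofed, 'bot')}")
    for addr in ADDRESSES:
        print(f"maint    {addr:20} loose={exempt_from_maintenance(addr, ADMIN_LOOSE)!s:5} "
              f"tight={exempt_from_maintenance(addr)}")
    for q in QUERIES:
        print(f"inject   {q:22} loose={query_blocked(q, INJECT_LOOSE)!s:5} "
              f"tight={query_blocked(q)}")
```

Each function takes the pattern as a parameter so the same request can be run through the loose and the tight version side by side: the loose hotlink pattern waves through http://evil.example/?u=mysite.com/ but rejects your own HTTPS pages, the loose spam filter is satisfied by a spoofed referer that merely contains yourdomain.com, the unanchored address exempts 123.123.123.1234, and the mis-escaped _REQUEST pattern blocks an innocent search for "my_REQUEST_notes".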
- Use .htaccess for PHP compression
You can also turn on PHP's own output compression from .htaccess, but use this with caution and at your own risk. php_value directives only take effect when PHP runs as an Apache module; under CGI, FastCGI or PHP-FPM the block is skipped by the <IfModule> guard and does nothing (use php.ini or a .user.ini there instead). The module name must also match your PHP version: mod_php4.c as written here, mod_php5.c for PHP 5, mod_php7.c for PHP 7. Use either this or the mod_deflate rule above, not both.
# php compression - use with caution; the value is the output buffer size in bytes
<IfModule mod_php4.c>
php_value zlib.output_compression 16386
</IfModule>
- Limit the number of simultaneous connections
MaxClients cannot be set from .htaccess: it is a server-wide MPM directive that is valid only in the main server configuration (httpd.conf), and putting it in .htaccess produces a 500 Internal Server Error. If you administer the server, set it there (Apache 2.4 renamed it MaxRequestWorkers):
# httpd.conf, not .htaccess
MaxClients <number-of-connections>
- Set the time zone of the server
SetEnv TZ America/Indianapolis
This only sets the TZ environment variable handed to scripts (it needs mod_env); it does not change Apache's own clock or the timestamps in its logs. PHP 5.4 and later ignore TZ and use the date.timezone ini setting instead, so under mod_php set that with php_value date.timezone, and set the blog's display time zone under Settings → General in WordPress.
What Else?
Refer to these sites for more information:
