.htaccess, the per-directory configuration file that controls the behavior of the Apache web server, is very useful and lets us do a lot of things, many of them for security reasons. Let's see how these popular .htaccess hacks can help with the security, functionality and usability of a WordPress blog.
Keep This in Mind
Open the existing .htaccess file on your WordPress blog and paste the hack codes below, or create a new .htaccess file if none exists. Upload it to your site root and chmod it to 644 to protect it from malicious hacker types.
Be sure to keep the original working .htaccess as a backup in case you need to revert to the original settings.
The Hacks
- Protect the .htaccess file itself
[sourcecode language=’php’]
# protect the htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
[/sourcecode]
- Protect the wp-config.php file
[sourcecode language=’php’]
# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>
[/sourcecode]
- Disable the Server Signature from showing
[sourcecode language=’php’]
# disable the server signature
ServerSignature Off
[/sourcecode]
- Limit the File upload size
[sourcecode language=’php’]
# limit file uploads to 10mb
LimitRequestBody 10240000
[/sourcecode]
- Blacklist the IP addresses of undesired users and bots
[sourcecode language=’php’]
# who has access and who doesn't
# (the addresses below are placeholders from the documentation range; put the real offenders here)
order allow,deny
allow from all
deny from 192.0.2.45
deny from 198.51.100.23
deny from 203.0.113.9
deny from 192.0.2.200
[/sourcecode]
- Allow only your IP address on the wp-admin directory
[sourcecode language=’php’]
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic
order deny,allow
deny from all
allow from xx.xx.xx.xx
[/sourcecode]
Be sure to put your IP address in place of xx.xx.xx.xx. You can allow more IP addresses by adding another allow line for each one. Because this denies everyone else, it belongs in a .htaccess file inside the wp-admin directory itself; placed in the site root it locks visitors out of the whole blog.
- Redirect users to Custom Error page
[sourcecode language=’php’]
#custom error docs
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php
[/sourcecode]
- Prevent directory browsing
[sourcecode language=’php’]
# disable/prevent directory browsing
Options All -Indexes
[/sourcecode]
- Redirect ‘Day & Name’ permalinks structure to new permalinks structure of /%postname%/ without losing any backlinks
The first thing to do is to login to your WordPress admin, go to Settings → Permalinks and select custom. Fill out the field with /%postname%/.
The permalinks will look like this one below:
http://www.yourblog.com/name-of-the-post
Now open the .htaccess file, or create a new one if it does not exist, and paste this code inside it.
[sourcecode language=’php’]
RedirectMatch 301 /([0-9]+)/([0-9]+)/([0-9]+)/(.*)$ http://www.domain.com/$4
[/sourcecode]
Now all existing backlinks are redirected to the new permalink structure.
- Remove /category/ from WordPress url
Now what we want to do is to change
http://www.domain.com/blog/category/postname
to
http://www.domain.com/blog/postname
Just paste the code below into the .htaccess file.
[sourcecode language=’php’]
RewriteEngine On
RewriteRule ^category/(.+)$ http://www.yourblog.com/$1 [R=301,L]
[/sourcecode]
- Redirect WordPress RSS feeds to feedburner with .htaccess
[sourcecode language=’php’]
# temp redirect wordpress content feeds to feedburner
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner   [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds2.feedburner.com/catswhocode [R=302,NC,L]
[/sourcecode]
Do not forget to change the feedburner url to your own feedburner url.
- Block referring domains
This example uses Digg, but who doesn't want referrals from Digg? 😀 It is just an example; you can put any domain name.
[sourcecode language=’php’]
# block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} digg\.com [NC]
RewriteRule .* - [F]
[/sourcecode]
- Disable hotlinking of images with forbidden or custom image option
[sourcecode language=’php’]
RewriteEngine On
#Replace ?mysite\.com/ with your blog url
RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
#Replace /images/nohotlink.jpg with your "don't hotlink" image url
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
[/sourcecode]
- Setting canonical url manually using .htaccess
[sourcecode language=’php’]
# set the canonical url
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]
[/sourcecode]
- Deny comment posting to requests with no referrer / protect from spam comments
There is also a way to protect against comment or post spamming using .htaccess.
This code looks at the referrer (the page the commenter came from) and denies the comment if the commenter tried to access the wp-comments-post.php file without coming directly from your blog.
Just change the RewriteCond line that tests %{HTTP_REFERER} (line 4 of the rules) and specify your blog URL there.
[sourcecode language=’php’]
# protect from spam or post comments
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.*yourdomain.com.* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]
[/sourcecode]
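The two referrer checks on this page (the hotlink rule above and this comment-spam rule) are easy to misjudge without a running Apache, so here is an added Python example, not code from the original post, that replays their RewriteCond/RewriteRule regexes against constructed sample requests. mysite.com and yourdomain.com are the page's own placeholders; the request dictionaries and the address 198.51.100.7 are constructed for the example. Apache matches these patterns with an unanchored regex search, which re.search reproduces, and [NC] becomes re.IGNORECASE. Two things the output makes visible: the hotlink rule deliberately lets a direct request with no Referer through, but an image with an upper-case extension also slips past it because the RewriteRule carries no [NC] flag; and because Referer and User-Agent are supplied by the client, the comment rule cuts down careless bots rather than authenticating anyone.

```python
import re

# Added example, not from the original post. Replays the page's hotlink and
# comment-spam rewrite rules in Python so their matching behaviour can be
# inspected offline. Apache applies these patterns as an unanchored search.

OWN_SITE_REFERER = re.compile(r"^http://(.+\.)?mysite\.com/", re.IGNORECASE)  # [NC]
IMAGE_REQUEST = re.compile(r".*\.(jpe?g|gif|bmp|png)$")                          # no [NC]


def hotlink_rewrite(req):
    """Return the path the hotlink rule serves instead, or None when the request passes through."""
    referer = req.get("HTTP_REFERER", "")
    # RewriteCond %{HTTP_REFERER} !^http://(.+\.)?mysite\.com/ [NC]  -- own site passes
    if OWN_SITE_REFERER.search(referer):
        return None
    # RewriteCond %{HTTP_REFERER} !^$  -- direct visits (no Referer at all) also pass
    if referer == "":
        return None
    # RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
    # In a .htaccess file the pattern sees the path relative to that directory,
    # i.e. without the leading slash.
    if IMAGE_REQUEST.search(req["REQUEST_URI"].lstrip("/")):
        return "/images/nohotlink.jpg"
    return None


COMMENT_SCRIPT = re.compile(r".wp-comments-post\.php*")
OWN_DOMAIN_REFERER = re.compile(r".*yourdomain.com.*")


def comment_post_redirect(req):
    """Return the redirect target the anti-spam rule produces, or None when the POST is accepted."""
    # RewriteCond %{REQUEST_METHOD} POST
    if req["REQUEST_METHOD"] != "POST":
        return None
    # RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
    if not COMMENT_SCRIPT.search(req["REQUEST_URI"]):
        return None
    # RewriteCond %{HTTP_REFERER} !.*yourdomain.com.* [OR]
    # RewriteCond %{HTTP_USER_AGENT} ^$
    foreign_referer = not OWN_DOMAIN_REFERER.search(req.get("HTTP_REFERER", ""))
    empty_agent = req.get("HTTP_USER_AGENT", "") == ""
    if foreign_referer or empty_agent:
        # RewriteRule (.*) http://%{REMOTE_ADDR}/ [R=301,L]  -- bounce the client to itself
        return "http://%s/" % req["REMOTE_ADDR"]
    return None


# Constructed sample requests, keyed by scenario; values mimic Apache's server variables.
_COMMENT_BASE = {"REQUEST_METHOD": "POST", "REQUEST_URI": "/wp-comments-post.php",
                 "HTTP_REFERER": "http://www.yourdomain.com/hello-world/",
                 "HTTP_USER_AGENT": "Mozilla/5.0", "REMOTE_ADDR": "198.51.100.7"}
SAMPLE_REQUESTS = {
    "image_from_elsewhere": {"REQUEST_URI": "/wp-content/uploads/photo.jpg",
                             "HTTP_REFERER": "http://other.example/gallery"},
    "image_from_own_site": {"REQUEST_URI": "/wp-content/uploads/photo.jpg",
                            "HTTP_REFERER": "http://blog.mysite.com/hello-world/"},
    "image_direct": {"REQUEST_URI": "/wp-content/uploads/photo.jpg", "HTTP_REFERER": ""},
    "image_uppercase_ext": {"REQUEST_URI": "/wp-content/uploads/photo.JPG",
                            "HTTP_REFERER": "http://other.example/gallery"},
    "comment_ok": dict(_COMMENT_BASE),
    "comment_no_referer": dict(_COMMENT_BASE, HTTP_REFERER=""),
    "comment_no_agent": dict(_COMMENT_BASE, HTTP_USER_AGENT=""),
    "comment_get": dict(_COMMENT_BASE, REQUEST_METHOD="GET"),
}


def evaluate_all():
    """Run the matching rule over every sample request; returns {scenario: result}."""
    results = {}
    for name, req in SAMPLE_REQUESTS.items():
        if name.startswith("image"):
            results[name] = hotlink_rewrite(req)
        else:
            results[name] = comment_post_redirect(req)
    return results


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        print(f"{name:22} -> {result}")
```

Running it shows "image_uppercase_ext -> None": adding [NC] to the hotlink RewriteRule (or widening the extension list) closes that gap if it matters for your uploads.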
- Redirect visitors to a maintenance page
Replace maintenance.html (line 2) with the page you'd like to redirect your visitors to, and the IP address on line 3 with your own IP.
Note that a 302 redirection is used, to avoid search engines indexing the maintenance page instead of your real homepage.
[sourcecode language=’php’]
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule $ /maintenance.html [R=302,L]
[/sourcecode]
- Compress static data
[sourcecode language=’php’]
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
[/sourcecode]
- Forcing the use of browser cache
[sourcecode language=’php’]
FileETag MTime Size
ExpiresActive on
ExpiresDefault "access plus 1 year"
[/sourcecode]
- Protect WordPress Blog From Script Injections
[sourcecode language=’php’]
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
[/sourcecode]
- Use .htaccess for PHP compression
You can try to use .htaccess to apply PHP compression, but use this code with caution and at your own risk. php_value only takes effect when PHP runs as an Apache module (mod_php); with PHP running as CGI or FastCGI the directive is rejected and the site answers with a 500 error.
[sourcecode language=’php’]
# php compression - use with caution
php_value zlib.output_compression 16386
[/sourcecode]
- Limit the number of simultaneous connections
[sourcecode language=’php’]
MaxClients <number-of-connections>
[/sourcecode]
Note that MaxClients is only accepted in the main server configuration (httpd.conf); Apache refuses it inside .htaccess and answers every request with a 500 error, so this one needs access to the server config rather than the site root.
- Set the Time Zone of the Server
[sourcecode language=’php’]
SetEnv TZ America/Indianapolis
[/sourcecode]
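Several of the snippets above fail when copied carelessly: the <Files> wrapper around the order/deny lines is easy to lose (a bare deny from all then blocks the whole site), typographic dashes and quotes pasted from a web page are not ASCII, MaxClients is not accepted in .htaccess, and a mistyped address in the blacklist is not valid IPv4. As an added example that is not part of the original post, this Python linter checks a pasted .htaccess body for exactly those problems and additionally flags the Apache 2.2 order/allow/deny syntax, which on Apache 2.4 only works with mod_access_compat loaded (the native 2.4 form is Require all denied / Require ip). The sample body and the directive lists are constructed for illustration and are deliberately short.

```python
import re

# Added example, not from the original post: a small linter for .htaccess
# fragments of the kind collected above. Directive lists are constructed and short.

# Directives Apache accepts only in the main server config; inside .htaccess
# they produce a 500 error ("... not allowed here" in the error log).
SERVER_ONLY = {"maxclients", "maxrequestworkers", "listen", "timeout", "keepalive"}
# Apache 2.2 host-based access control; Apache 2.4 needs mod_access_compat for
# these, the native form being "Require all denied" / "Require ip ...".
LEGACY_ACCESS = {"order", "allow", "deny"}
# Dashes and quotes that web pages and word processors substitute for ASCII.
TYPOGRAPHIC = "\u2013\u2014\u201c\u201d\u2018\u2019"
SECTION_RE = re.compile(r"^<(/?)(\w+)")


def valid_ip_prefix(host):
    """Apache allows 'deny from 10.1' as a prefix; each dotted octet must still be 0-255."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4:
        return False
    return all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def lint_htaccess(text):
    """Return (line_number, code, message) tuples for problems found in an .htaccess body."""
    findings = []
    open_sections = []      # stack of (lineno, name) for <Files ...> style sections
    current_order = None    # last "order" value seen, e.g. "allow,deny"
    legacy_reported = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(ch in line for ch in TYPOGRAPHIC):
            findings.append((lineno, "TYPOGRAPHIC", 'non-ASCII dash/quote; use - and "'))
        m = SECTION_RE.match(line)
        if m:
            closing, name = m.group(1) == "/", m.group(2).lower()
            if closing:
                if open_sections and open_sections[-1][1] == name:
                    open_sections.pop()
                else:
                    findings.append((lineno, "STRAY_CLOSE", f"</{name}> without matching open tag"))
            else:
                open_sections.append((lineno, name))
            continue
        parts = line.split()
        name = parts[0].lower()
        if name in SERVER_ONLY:
            findings.append((lineno, "SERVER_ONLY", f"{parts[0]} is not allowed in .htaccess"))
        if name in LEGACY_ACCESS and not legacy_reported:
            legacy_reported = True
            findings.append((lineno, "LEGACY_ACCESS",
                             "Apache 2.2 access syntax; 2.4 needs mod_access_compat or Require"))
        if name == "order" and len(parts) > 1:
            current_order = parts[1].lower()
        if name in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            for host in parts[2:]:
                if host.lower() == "all":
                    # "deny from all" at file top level with "order allow,deny" shuts out
                    # the whole directory tree: the symptom of a lost <Files> wrapper.
                    if name == "deny" and not open_sections and current_order != "deny,allow":
                        findings.append((lineno, "DENY_ALL_TOPLEVEL",
                                         "deny from all outside a <Files> section blocks the whole site"))
                elif re.fullmatch(r"[0-9./]+", host) and not valid_ip_prefix(host.split("/")[0]):
                    findings.append((lineno, "BAD_IP", f"{host} is not a valid IPv4 address or prefix"))
    for lineno, name in open_sections:
        findings.append((lineno, "UNCLOSED_SECTION", f"<{name}> never closed"))
    return findings


# Constructed sample: the page's own snippets with typical copy/paste damage.
SAMPLE = """\
# protect the htaccess file
<Files .htaccess>
order allow,deny
deny from all
</Files>
# protect wp-config.php (wrapper lost in copy/paste)
order allow,deny
deny from all
# disable/prevent directory browsing
Options All \u2013Indexes
# who has access and who doesn't
order allow,deny
allow from all
deny from 123.456.789
deny from 192.0.2.10
MaxClients 150
"""

if __name__ == "__main__":
    for lineno, code, msg in lint_htaccess(SAMPLE):
        print(f"line {lineno:2}: {code:18} {msg}")
```

Run it on a real file with `lint_htaccess(open(".htaccess").read())` before uploading; a clean 2.4-style file such as `<Files .htaccess>` / `Require all denied` / `</Files>` yields no findings.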
Nice Post.
These are some awesome hacks.
Thanks for sharing.
Keep up the good work.
Thanks. Your site not bad too. We have the same niche. Do keep visiting again.
I won’t be adding any of these to my htaccess file because I’m scared of wrecking my entire blog by doing something wrong.
But they look like really good hacks and I’m sure more experienced users will find them incredibly helpful. 🙂
^^
Yeah Sure man. You’re really doing great Job here.
And thanks for your words.
Yeah. True. Not all of these are necessary. It depends. My site was once hacked. So i think this is the only effective way. Like i said it depends. 😀
But when I use the code for “Allow only your IP address on the wp-admin directory” in my .htaccess file and upload it to the server, it blocks the main site also. But I need to block only the admin area, not the site. Please help.
Are you using some kind of fixed IP or dynamic IP? I think you know the difference. You should do some tests before applying. It worked for me without any problem. If you have a backup of your .htaccess, please revert to it. You just need to consider before applying such an extreme security measure. My suggestion is, use some kind of multifactor authentication like password + captcha code. One example is SI CAPTCHA Anti-Spam, which can protect the login form.
How can I create a 301 redirect from /%postname%/ to /%category%/%postname%/ ?
Yes, you can do it using .htaccess. But I suggest an easier and safer way to do that, using a plugin. See http://wordpress.org/extend/plugins/change-permalink-helper/ . It uses a permanent 301 redirect to move to the new permalinks.
Thanks for these security ideas, will put them to good use. Andy
Blessings upon you! I got the familiar weird admin panel today and implemented this immediately after doing all my background admin (change secret key, ftp, etc.)
A couple of these I just pasted in but I “#” them out so I can figure out whether I want to use them later.
Again, a million thanks!
Try this.
Options +FollowSymLinks
RewriteEngine On
RewriteRule ^category/blog/beach/america(.*)$ http://www.yoursite.com/america$1 [R=301,NC]
Thanks a lot, I've been hacked a couple of days ago, and wasn't able to figure out what to do. Thanks man, you made my day. Happy new year!