
    21 Most Popular .htaccess Hacks for WordPress

.htaccess is the per-directory configuration file of the Apache web server. It lets you change access control, URL rewriting, error handling, caching and a few PHP settings without touching httpd.conf, which is why so much WordPress hardening advice ends up in it. The snippets below cover security, functionality and usability; most are short, but every one of them changes how Apache treats your whole site, so read the note that follows before pasting anything.

    Keep This in Mind

Open the existing .htaccess file in the root of your WordPress install (the directory that holds wp-config.php and wp-login.php) and paste in the snippets below, or create the file if it does not exist. Upload it and chmod it to 644. That stops other accounts on the server from editing it, but the file still belongs to the account that owns your web files, so anything that can write as that user (a vulnerable plugin, a stolen FTP password) can still change it.

A few things to check before you start:

• Apache only reads these files where the directory is configured with AllowOverride (AllowOverride All is the simplest). A typo, or a directive that is not permitted in .htaccess, gives a 500 error for the whole site, so apply one snippet at a time and reload a page after each.

• The order / allow / deny syntax used in several snippets is Apache 2.2. Apache 2.4 accepts it only while mod_access_compat is loaded; otherwise rewrite such blocks with Require (Require all denied, Require ip xx.xx.xx.xx).

• Lines that start with php_value work only when PHP runs as an Apache module (mod_php). With PHP-FPM or CGI they produce a 500 error; use php.ini or a .user.ini file instead.

Be sure to keep the original working .htaccess as a backup in case you need to revert to the original settings.
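The checks in this section lend themselves to a script. The Python helper below is an added example (the editor's own code, not from WPTidBits or from WordPress): it lints a proposed .htaccess body for directives Apache refuses in that context and for malformed addresses in allow/deny lines, backs up the existing file with a timestamp, and writes the new one atomically with mode 644. The function names, the list of forbidden directives and the strict address check are assumptions of this example, not Apache's own rules in full.

```python
"""Lint and install an .htaccess file the safe way.

Added example (not part of the original article). The helper names and the
list of forbidden directives are the editor's own; extend them as needed.
"""
import ipaddress
import os
import re
import shutil
import time

# Directives Apache accepts only in the main server config (httpd.conf).
# Inside .htaccess they produce a 500 "... not allowed here" for the whole site.
SERVER_CONFIG_ONLY = {"maxclients", "maxrequestworkers", "listen",
                      "serverroot", "loadmodule", "user", "group"}

_ACCESS_LINE = re.compile(r"^(allow|deny)\s+from\s+(.+)$", re.IGNORECASE)


def lint_htaccess(text):
    """Return a list of problems found in an .htaccess body (empty = clean)."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive = line.split()[0]
        if directive.lower() in SERVER_CONFIG_ONLY:
            problems.append("line %d: %s is not allowed in .htaccess" % (lineno, directive))
        m = _ACCESS_LINE.match(line)
        if m:
            for host in m.group(2).split():
                if host.lower() == "all":
                    continue
                try:
                    ipaddress.ip_network(host, strict=False)
                except ValueError:
                    # Apache also accepts hostnames and partial addresses such as
                    # "10.1"; rejecting them here is a deliberate (strict) choice.
                    problems.append("line %d: %r is not a valid IP address or CIDR"
                                    % (lineno, host))
    return problems


def deploy_htaccess(site_root, text):
    """Lint the new rules, back up the old file, then write the new one with mode 0644.

    Returns the backup path (None if there was nothing to back up) and raises
    ValueError, leaving the site untouched, if the lint finds anything.
    """
    problems = lint_htaccess(text)
    if problems:
        raise ValueError("; ".join(problems))
    target = os.path.join(site_root, ".htaccess")
    backup = None
    if os.path.exists(target):
        backup = "%s.bak-%d" % (target, int(time.time()))
        shutil.copy2(target, backup)
    tmp = target + ".tmp"
    with open(tmp, "w") as fh:
        fh.write(text)
    os.chmod(tmp, 0o644)
    os.replace(tmp, target)  # atomic swap: Apache never reads a half-written file
    return backup
```

Call deploy_htaccess with the site root and the text of your new rules; if the lint complains, nothing is written and the old file stays in place, which is the behaviour you want when the alternative is a site-wide 500.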

    The Hacks

• Protect the .htaccess file itself

Apache's stock httpd.conf already refuses to serve files whose names start with .ht, but if you cannot see the server config it does no harm to repeat the rule here. The Files container is what limits the denial to this one file; without it (the original listing had lost it) the deny applies to everything in the directory and takes the whole site down.

[sourcecode language=’php’]

# protect the .htaccess file itself
<Files .htaccess>
order allow,deny
deny from all
</Files>

[/sourcecode]

• Protect the wp-config.php file

wp-config.php holds the database credentials and the secret keys. Apache normally hands it to PHP, which executes it and outputs nothing, so this rule matters when PHP is misconfigured or turned off and the file would otherwise be served as text. The Files container, again, limits the denial to that one file. It matches the exact name only: editor backups such as wp-config.php~ or wp-config.php.bak are still served as plain text, so delete them or cover them with their own rule.

[sourcecode language=’php’]

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

[/sourcecode]

• Disable the server signature from showing

ServerSignature Off removes the "Apache/2.x.y (Ubuntu) Server at ..." footer from error pages and directory listings. The version in the Server response header is controlled by ServerTokens, which can only be set in the main server config, so a fingerprinting scanner still sees it unless the administrator changes that too.

[sourcecode language=’php’]

# disable the server signature
ServerSignature Off

[/sourcecode]

• Limit the file upload size

LimitRequestBody caps the size of any request body, in bytes, so it limits comment forms and XML-RPC calls as well as media uploads; requests above the limit get a 413 error. Keep it at or above PHP's upload_max_filesize and post_max_size, otherwise the WordPress media uploader fails for files PHP would have accepted.

[sourcecode language=’php’]

# limit request bodies (and therefore uploads) to roughly 10 MB
LimitRequestBody 10240000

[/sourcecode]

• Blacklist undesired users' and bots' IP addresses

With order allow,deny everyone is allowed first and the listed addresses are then denied. The addresses below are placeholders from the documentation ranges (the original example used values such as 123.456.789, which are not valid IPv4 addresses); replace them with the real ones. A CIDR range such as 192.0.2.0/24 blocks a whole network. Bear in mind that an attacker can change address far faster than you can edit this file, so treat a blacklist as a nuisance filter rather than a control.

[sourcecode language=’php’]

# who has access and who doesn't
order allow,deny
allow from all
deny from 203.0.113.17
deny from 198.51.100.88
deny from 192.0.2.0/24

[/sourcecode]

• Allow only your IP address on the wp-admin directory

This snippet goes into a separate .htaccess file inside the wp-admin directory, not into the one in the site root: in the root it denies the whole site to everyone but you, which is exactly what one commenter below ran into. Put your own address in place of xx.xx.xx.xx; you can allow more addresses by adding another allow line for each. The four Auth* lines are inert without a Require directive; only the order/deny/allow lines do the work.

Two things to keep in mind. wp-admin/admin-ajax.php is called by the front end of many themes and plugins for ordinary visitors, so it needs a Files exception that allows everyone, or those features break. And wp-login.php sits outside wp-admin, so the login form itself stays reachable unless you protect it with a Files block using the same allow lines. If your provider gives you a dynamic address, the allowlist locks you out as soon as it changes.

[sourcecode language=’php’]

# wp-admin/.htaccess: allow only the listed addresses
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Example Access Control"
AuthType Basic

order deny,allow
deny from all
allow from xx.xx.xx.xx

[/sourcecode]
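The three access-control snippets above (deny everyone, allow everyone except a list, deny everyone except a list) all use Apache 2.2 syntax. As an added example, not from the article, here is a small Python converter that turns such a block into the Apache 2.4 Require form. It assumes the hosts are IP addresses or CIDR ranges (Require ip; hostnames would need Require host) and raises on combinations it does not understand rather than guessing. The sample blocks at the bottom are constructed, with documentation addresses.

```python
"""Translate Apache 2.2 Order/Allow/Deny access blocks into Apache 2.4 Require lines.

Added example, not from the original article. It covers the three shapes used
in the snippets above (deny everyone, allow everyone except a blacklist, deny
everyone except an allowlist) and raises on anything else instead of guessing.
Hosts are assumed to be IP addresses or CIDR ranges (Require ip); hostnames
would need Require host instead.
"""
import re

_LINE = re.compile(r"^(order|allow|deny)\s+(?:from\s+)?(.+?)\s*$", re.IGNORECASE)


def convert_access_block(lines):
    """Return the Apache 2.4 lines equivalent to a list of 2.2 access-control lines."""
    order, allows, denies = None, [], []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError("not an Order/Allow/Deny line: %r" % raw)
        kind, arg = m.group(1).lower(), m.group(2).lower()
        if kind == "order":
            order = arg.replace(" ", "")
        elif kind == "allow":
            allows += arg.split()
        else:
            denies += arg.split()

    allow_all, deny_all = "all" in allows, "all" in denies
    allow_hosts = [h for h in allows if h != "all"]
    deny_hosts = [h for h in denies if h != "all"]
    not_ip = ["    Require not ip %s" % h for h in deny_hosts]

    if order == "allow,deny":
        # 2.2 semantics: default deny; a client must match an Allow and no Deny.
        if deny_all:
            return ["Require all denied"]
        if allow_all and deny_hosts:
            return ["<RequireAll>", "    Require all granted"] + not_ip + ["</RequireAll>"]
        if allow_all:
            return ["Require all granted"]
        if allow_hosts and not deny_hosts:
            return ["Require ip %s" % " ".join(allow_hosts)]
    elif order == "deny,allow":
        # 2.2 semantics: default allow; an Allow line overrides a matching Deny.
        if allow_all or not (deny_all or deny_hosts):
            return ["Require all granted"]
        if deny_all:
            if allow_hosts:
                return ["Require ip %s" % " ".join(allow_hosts)]
            return ["Require all denied"]
        if not allow_hosts:
            return ["<RequireAll>", "    Require all granted"] + not_ip + ["</RequireAll>"]
    raise ValueError("combination not handled: order=%r allow=%r deny=%r"
                     % (order, allows, denies))


# Constructed sample blocks shaped like the three snippets above,
# using RFC 5737 documentation addresses.
DENY_HTACCESS = ["order allow,deny", "deny from all"]
BLACKLIST = ["order allow,deny", "allow from all",
             "deny from 203.0.113.5", "deny from 198.51.100.0/24"]
ADMIN_ALLOWLIST = ["order deny,allow", "deny from all", "allow from 192.0.2.10"]
```

The blacklist case becomes a RequireAll container with a negated Require inside it; that is the 2.4 idiom for "everyone except these", and a bare Require not ip outside a container is a configuration error.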


• Redirect users to custom error pages

The paths are relative to the document root and the pages must exist; a missing /notfound.php would turn every 404 into a second error. Keep these pages free of the server's stock footer (ServerSignature Off above) and of anything that reveals paths or versions.

[sourcecode language=’php’]

# custom error documents
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php

[/sourcecode]

• Prevent directory browsing

Without this, a directory that has no index file (wp-content/uploads on many installs) shows a listing of everything in it. The original snippet read Options All -Indexes; All would also switch on Includes and ExecCGI, which you do not want in a WordPress tree, so turn off the one option only.

[sourcecode language=’php’]

# disable directory listings
Options -Indexes

[/sourcecode]

• Redirect the ‘Day and name’ permalink structure to the new /%postname%/ structure without losing any backlinks

First log in to the WordPress admin, go to Settings → Permalinks, choose Custom Structure and enter /%postname%/. The permalinks then look like this:

http://www.yourblog.com/name-of-the-post

Now open the .htaccess file (or create it if it does not exist) and paste in the line below. The three numeric groups are the year, month and day of the old structure; the fourth group, the post slug, is carried over to the new URL.

[sourcecode language=’php’]

# 301 old /YYYY/MM/DD/post-name/ links to /post-name/
RedirectMatch 301 ^/([0-9]{4})/([0-9]{2})/([0-9]{2})/(.*)$ http://www.yourblog.com/$4

[/sourcecode]

Old links now answer with a permanent redirect to the new address, so existing backlinks keep working and search engines transfer their value. Date archives such as /2010/01/05/ match the pattern too and land on the home page.

• Remove /category/ from WordPress URLs

What we want is to change

http://www.domain.com/blog/category/postname

to

http://www.domain.com/blog/postname

First go to Settings → Permalinks and set the Category base to a single dot (.), so that WordPress itself answers the shorter URL. Then paste the code below into the .htaccess file of the /blog/ directory where WordPress is installed: the pattern is relative to that directory, and the redirect keeps the /blog/ prefix so the old links keep working.

[sourcecode language=’php’]

RewriteEngine On
RewriteRule ^category/(.+)$ http://www.domain.com/blog/$1 [R=301,L]

[/sourcecode]

• Redirect the WordPress RSS feeds to FeedBurner with .htaccess

Everything that asks for /feed/ (or /feed/atom/, /feed/rss2/ and so on) is sent to FeedBurner with a temporary redirect. The two conditions let FeedBurner itself and the Feed Validator through; without them FeedBurner would be redirected to its own copy of the feed and never see your content.

[sourcecode language=’php’]

# temporary redirect of the WordPress content feeds to FeedBurner
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} !FeedBurner    [NC]
RewriteCond %{HTTP_USER_AGENT} !FeedValidator [NC]
RewriteRule ^feed/?([_0-9a-z-]+)?/?$ http://feeds2.feedburner.com/catswhocode [R=302,NC,L]

[/sourcecode]

Do not forget to change the FeedBurner URL to your own (feeds2.feedburner.com/catswhocode belongs to the blog this snippet was taken from).

• Block referring domains

The example uses digg.com, and who would refuse referrals from Digg? It is only an example; put any domain name there. Requests whose Referer header mentions that domain get a 403. Because the Referer is set by the client, this keeps out careless referrer spam and hotlinks but not anyone who bothers to change the header.

[sourcecode language=’php’]

# block referring domains
RewriteEngine on
RewriteCond %{HTTP_REFERER} digg\.com [NC]
RewriteRule .* - [F]

[/sourcecode]

• Disable hotlinking of images with a forbidden or custom image option

Requests for image files whose Referer is another site are served the replacement image instead. Empty referers are left alone on purpose: direct visits, feed readers and browsers with a strict referrer policy send none, and blocking them would break your own images for those visitors. The third condition, which the original lacked, stops the rule from rewriting the replacement image itself, which otherwise can send Apache into a rewrite loop. To answer with a 403 instead of an image, change the flags on the last line to [NC,F] and drop the target.

[sourcecode language=’php’]

RewriteEngine On
# Replace mysite\.com with your blog's domain (http and https are both accepted)
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Never rewrite the replacement image itself, or the rule loops
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
# Replace /images/nohotlink.jpg with your "don't hotlink" image
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [NC,L]

[/sourcecode]

• Setting the canonical URL manually using .htaccess

Search engines treat yourdomain.com and www.yourdomain.com as two sites with duplicate content. This 301 sends the bare domain to the www form (swap the two if you prefer the bare domain) so only one address gets indexed. If the site runs on HTTPS, redirect to https:// here as well.

[sourcecode language=’php’]

# set the canonical url
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]

[/sourcecode]

• Deny comment posting to requests without a referrer / protect against spam comments

There is also a way to cut down comment spam with .htaccess.

The rule looks at the Referer header (the page the commenter came from) and rejects a POST to wp-comments-post.php if that header does not mention your blog, or if the User-Agent header is empty, which is how many crude spam scripts post. Replace yourdomain.com in the HTTP_REFERER line with your own domain. Two caveats: a bot only has to send a plausible Referer and User-Agent to get past this, and a real visitor whose browser or privacy extension strips the Referer will have their comment refused, so watch for complaints after enabling it.

[sourcecode language=’php’]

# protect wp-comments-post.php from spam bots
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} wp-comments-post\.php
RewriteCond %{HTTP_REFERER} !yourdomain\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]

[/sourcecode]

The redirect sends the offending client back to its own address, as in the original; if you would rather answer with a plain 403, use the F flag on the last line instead of a redirect.
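To see which requests the rule above actually stops, the following added example (editor's code, not part of the article) reproduces its RewriteCond logic in Python and runs it over a handful of constructed requests. The domain's dot is escaped here, which the rule as printed on the page does not do; the sample request names and values are made up for the demonstration.

```python
"""Replay the wp-comments-post.php referrer rule above against sample requests.

Added example, not part of the article: it reproduces the RewriteCond logic in
Python (with the domain's dot escaped) so you can see which requests the rule
stops and which ones get through.
"""
import re

SITE = "yourdomain.com"   # replace with your own domain, as in the rule


def comment_post_blocked(method, uri, referer, user_agent, site=SITE):
    """True if the rule would fire (redirect the client away) for this request.

    The four conditions, in the order the rule lists them:
      1. REQUEST_METHOD matches POST                  (AND)
      2. REQUEST_URI contains wp-comments-post.php    (AND)
      3. HTTP_REFERER does NOT mention the site       (OR)
      4. HTTP_USER_AGENT is empty
    [OR] only joins conditions 3 and 4, so the rule fires when
    (1 and 2) and (3 or 4).
    """
    is_post = re.search(r"POST", method) is not None
    is_comment_endpoint = re.search(r"wp-comments-post\.php", uri) is not None
    referer_foreign = re.search(re.escape(site), referer) is None
    ua_empty = re.search(r"^$", user_agent) is not None
    return is_post and is_comment_endpoint and (referer_foreign or ua_empty)


# Constructed sample requests: (method, uri, referer, user_agent).
SAMPLE_REQUESTS = {
    "browser submitting the comment form":
        ("POST", "/wp-comments-post.php", "http://www.yourdomain.com/hello-world/", "Mozilla/5.0"),
    "bot posting with no referer":
        ("POST", "/wp-comments-post.php", "", "Mozilla/5.0"),
    "bot posting with an empty user agent":
        ("POST", "/wp-comments-post.php", "http://www.yourdomain.com/hello-world/", ""),
    "bot posting with a forged referer":
        ("POST", "/wp-comments-post.php", "http://www.yourdomain.com/", "python-requests/2.31"),
    "real visitor whose browser strips the referer":
        ("POST", "/wp-comments-post.php", "", "Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0"),
    "ordinary page view":
        ("GET", "/hello-world/", "", "Mozilla/5.0"),
}


def classify_requests(requests=SAMPLE_REQUESTS):
    """Map each sample request name to whether the rule blocks it."""
    return {name: comment_post_blocked(*req) for name, req in requests.items()}
```

The two results worth noticing are the forged-referer bot, which passes, and the privacy-conscious real visitor, who is blocked: the rule filters on headers the client controls, so it trades a few false positives for stopping only the laziest spam scripts.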

• Redirect visitors to a maintenance page

Replace maintenance.html (line 2) with the page you want visitors to see and the IP address on line 3 with your own, so that you can still reach the site while it is down. If the maintenance page loads its own stylesheet or images, exclude those paths the same way as maintenance.html, or they will be redirected too.

A 302 (temporary) redirect is used so that search engines do not replace your real pages with the maintenance page in their index. A 503 status with a Retry-After header is the cleaner signal to crawlers; mod_rewrite can send one with R=503 on the rule together with an ErrorDocument 503 pointing at the maintenance page.

[sourcecode language=’php’]
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance\.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule .* /maintenance.html [R=302,L]
[/sourcecode]

• Compress static data

mod_deflate gzips the listed content types on the fly (images are already compressed and are left out). The BrowserMatch lines work around broken gzip support in Netscape 4 and a few early Internet Explorer builds; the last one needs a \b word boundary, which had been lost from the original. The IfModule wrapper keeps the site up if mod_deflate is not loaded.

[sourcecode language=’php’]

<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
# old browsers with broken gzip support
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4\.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
</IfModule>

[/sourcecode]

• Forcing the use of the browser cache

FileETag builds the ETag from the file's modification time and size only, so the tag is the same on every server behind a load balancer (the default also mixes in the inode number). mod_expires then adds Expires and Cache-Control headers. The one-year lifetime is restricted to static files here: the original applied ExpiresDefault to everything, which would have kept visitors on stale HTML for a year. Even for static files a lifetime this long means a changed stylesheet is only picked up when its URL changes; WordPress appends ?ver= to the scripts and styles it enqueues, so bump the version when you edit them.

[sourcecode language=’php’]

FileETag MTime Size

<IfModule mod_expires.c>
ExpiresActive on
<FilesMatch "\.(jpe?g|gif|png|ico|css|js)$">
ExpiresDefault "access plus 1 year"
</FilesMatch>
</IfModule>

[/sourcecode]

• Protect the WordPress blog from script injections

These conditions look at the query string only and refuse (403) any request whose query string contains a script tag, plain or URL-encoded, or tries to set the GLOBALS or _REQUEST arrays (an old register_globals attack). It is a very coarse filter: it does not look at POST bodies, cookies or the path, the second and third patterns are case-sensitive, and plenty of script-free XSS payloads (an onerror attribute, for instance) sail through. Treat it as a speed bump for automated scanners, not as a substitute for keeping WordPress and its plugins patched. Options +FollowSymLinks (or SymLinksIfOwnerMatch) is required for mod_rewrite to work in .htaccess.

[sourcecode language=’php’]

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# with the F flag the substitution is ignored, so "-" is the idiomatic target
RewriteRule .* - [F,L]

[/sourcecode]
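The added example below (editor's own code, not from the article) runs the three QUERY_STRING patterns above over a set of constructed query strings, with the same flags the RewriteCond lines carry, so you can see exactly what earns a 403 and what does not. The sample names and query strings are made up for the demonstration.

```python
"""Run the three QUERY_STRING filters above against sample query strings.

Added example, not from the article. The patterns and flags are copied from
the RewriteCond lines (only the first carries [NC]), so the results show
exactly what a request has to look like to get the 403.
"""
import re

# (pattern, flags) as the three RewriteCond lines specify them
FILTERS = [
    (r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),   # [NC]
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),             # case-sensitive
    (r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),            # case-sensitive
]


def query_string_blocked(query_string):
    """True if any of the conditions matches, i.e. the request would get a 403."""
    return any(re.search(pattern, query_string, flags) for pattern, flags in FILTERS)


# Constructed query strings: a few things the rule is meant for, a few it misses.
SAMPLES = {
    "script tag in a search":         "s=<script>alert(1)</script>",
    "url-encoded script tag":         "s=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "register_globals probe":         "GLOBALS[foo]=bar",
    "_REQUEST probe":                 "_REQUEST[foo]=bar",
    "lowercase globals probe":        "globals[foo]=bar",
    "event handler, no script word":  "s=<img src=x onerror=alert(1)>",
    "ordinary search":                "s=apache+htaccess",
}


def classify_queries(samples=SAMPLES):
    """Map each sample name to whether the filter would block it."""
    return {name: query_string_blocked(qs) for name, qs in samples.items()}
```

Note which samples get through: the lowercase GLOBALS probe, because the second pattern has no [NC], and the onerror payload, because the first pattern only fires on the literal word script. Anything sent in a POST body never reaches these conditions at all.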

• Use .htaccess for PHP compression

You can also turn on PHP's own output compression from .htaccess, but only when PHP runs as an Apache module (mod_php). With PHP-FPM or CGI, php_value is an unknown directive and the whole site answers with a 500; put the setting in php.ini or a .user.ini file instead. The number is the output buffer size in bytes (On and Off also work). There is no point in combining this with the mod_deflate snippet above; pick one of the two.

[sourcecode language=’php’]

# php compression - mod_php only, use with caution
php_value zlib.output_compression 16386

[/sourcecode]

• Limit the number of simultaneous connections

This one cannot be done from .htaccess. MaxClients (renamed MaxRequestWorkers in Apache 2.4) is an MPM directive that belongs in the main server config; inside .htaccess it is rejected with "MaxClients not allowed here" and the whole site returns a 500. If you administer the server, set it in httpd.conf as below; on shared hosting you have no say in it. Per-client connection limits, which are what you want against a single abusive address, need a module such as mod_evasive or mod_qos, or a firewall rule, not this directive.

[sourcecode language=’php’]

# httpd.conf (server config), NOT .htaccess
# Apache 2.2 (prefork MPM)
MaxClients <number-of-connections>
# Apache 2.4, any MPM
MaxRequestWorkers <number-of-connections>

[/sourcecode]

• Set the time zone of the server

SetEnv sets a TZ environment variable for CGI scripts and other processes Apache starts for a request. For PHP the reliable setting is date.timezone in php.ini (or php_value date.timezone with mod_php), and WordPress formats post times with the time zone chosen under Settings → General regardless of either. America/Indianapolis is an old alias; the current name in the tz database is America/Indiana/Indianapolis, and both work on a reasonably recent system.

[sourcecode language=’php’]

SetEnv TZ America/Indianapolis

[/sourcecode]

WPTidBits
https://wptidbits.com/
    Owner of WPTidBits. Totally in love with WordPress!

    18 COMMENTS

1. I won't be adding any of these to my htaccess file because I'm scared of wrecking my entire blog by doing something wrong.

   But they look like really good hacks and I'm sure more experienced users will find them incredibly helpful. 🙂

2. Yeah. True. Not all of these are necessary. It depends. My site was once hacked. So I think this is the only effective way. Like I said, it depends. 😀

3. But when I use the code for "Allow only your IP address on the wp-admin directory" in my .htaccess file and upload it to the server, it blocks the main site also. But I need to block only the admin area, not the site. Please help.

4. Are you using some kind of fixed IP or dynamic IP? I think you know the difference. You should do some tests before applying. It did work for me without any problem. If you have a backup of your .htaccess, please revert to it. You just need to consider before applying such an extreme security measure. My suggestion is, use some kind of multifactor authentication like password + captcha code. One example is SI CAPTCHA Anti-Spam, which can protect the login form.

5. Blessings upon you! I got the familiar weird admin panel today and implemented this immediately after doing all my background admin (change secret key, ftp, etc.)

   A couple of these I just pasted in but I "#" them out so I can figure out whether I want to use them later.

   Again, a million thanks!

6. Thanks a lot, I've been hacked a couple of days ago, and wasn't able to figure out what to do. Thanks man, you made my day. Happy new year!
